qemu/hw/pci
Akihiko Odaki cad9aa6fbd pcie_sriov: Fix configuration and state synchronization
Fix issues in PCIe SR-IOV configuration register handling that caused
inconsistent internal state due to improper write mask handling and
incorrect migration behavior.

Two main problems were identified:

1. VF Enable bit write mask handling:
   pcie_sriov_config_write() incorrectly assumed that its val parameter
   was already masked, causing it to ignore the actual write mask.
   This led to the VF Enable bit being processed even when masked,
   resulting in incorrect VF registration/unregistration. It is
   identified as CVE-2025-54567.

2. Migration state inconsistency:
   pcie_sriov_pf_post_load() unconditionally called register_vfs()
   regardless of the VF Enable bit state, creating inconsistent
   internal state when VFs should not be enabled. Additionally,
   it failed to properly update the NumVFs write mask based on
   the current configuration. It is identified as CVE-2025-54566.

Root cause analysis revealed that both functions relied on incorrect
special-case assumptions instead of properly reading and consuming
the actual configuration values. This change introduces a unified
consume_config() function that reads actual configuration values and
synchronizes the internal state without special-case assumptions.

The solution only adds register read overhead in non-hot-path code
while ensuring correct SR-IOV state management across configuration
writes and migration scenarios.

Fixes: 5e7dd17e43 ("pcie_sriov: Remove num_vfs from PCIESriovPF")
Fixes: f9efcd4711 ("pcie_sriov: Register VFs after migration")
Fixes: CVE-2025-54566
Fixes: CVE-2025-54567
Cc: qemu-stable@nongnu.org
Reported-by: Corentin BAYET <corentin.bayet@reversetactics.com>
Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-Id: <20250727-wmask-v2-1-394910b1c0b6@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
1 week ago
Kconfig kconfig: Add PCIe devices to s390x machines 2 years ago
meson.build meson: remove CONFIG_ALL 2 years ago
msi.c include: Rename sysemu/ -> system/ 8 months ago
msix.c pci: export msix_is_pending 2 months ago
pci-hmp-cmds.c qapi: Move include/qapi/qmp/ to include/qobject/ 6 months ago
pci-internal.h hw/pci/aer: Make PCIE AER error injection facility available for other emulation to use. 2 years ago
pci-qmp-cmds.c pci: Move QMP commands to new hw/pci/pci-qmp-cmds.c 3 years ago
pci-stub.c hw/pci: remove return after g_assert_not_reached() 11 months ago
pci.c pci: skip reset during cpr 2 months ago
pci_bridge.c qom: Make InterfaceInfo[] uses const 4 months ago
pci_host.c hw/pci-host: Remove unused pci_host_data_be_ops 3 months ago
pcie.c pcie: Helper functions to check to check if PRI is enabled 2 months ago
pcie_aer.c hw/pci: Constify VMState 2 years ago
pcie_doe.c hw/pci: PCIe Data Object Exchange emulation 3 years ago
pcie_host.c include/hw/pci: Split pci_device.h off pci.h 3 years ago
pcie_port.c hw/pci/pcie_port: Fix pcie_slot_is_hotpluggbale_bus typo 3 months ago
pcie_sriov.c pcie_sriov: Fix configuration and state synchronization 1 week ago
shpc.c hw/pci: add some convenient trace-events for pcie and shpc hotplug 1 year ago
slotid_cap.c include/hw/pci: Split pci_device.h off pci.h 3 years ago
trace-events hw/pci/pci.c: Turn DPRINTF into trace events 3 months ago
trace.h trace: switch position of headers to what Meson requires 5 years ago