From: Michael Tokarev
Subject: [Stable-8.2.3 25/87] hw/audio/virtio-sound: return correct command response size
Date: Wed, 10 Apr 2024 10:21:58 +0300

From: Volker Rümelin <vr_qemu@t-online.de>

The payload size returned by command VIRTIO_SND_R_PCM_INFO is
wrong. The code in process_cmd() assumes that all commands
return only a virtio_snd_hdr payload, but some commands like
VIRTIO_SND_R_PCM_INFO may return an additional payload.

Add a zero initialized payload_size variable to struct
virtio_snd_ctrl_command to allow for additional payloads.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Message-Id: <20240218083351.8524-1-vr_qemu@t-online.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 633487df8d303b37a88584d5a57a39dbcd91c7bf)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index 137fa77a01..cfb12ba78a 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -243,12 +243,13 @@ static void virtio_snd_handle_pcm_info(VirtIOSound *s,
memset(&pcm_info[i].padding, 0, 5);
}
+ cmd->payload_size = sizeof(virtio_snd_pcm_info) * count;
cmd->resp.code = cpu_to_le32(VIRTIO_SND_S_OK);
iov_from_buf(cmd->elem->in_sg,
cmd->elem->in_num,
sizeof(virtio_snd_hdr),
pcm_info,
- sizeof(virtio_snd_pcm_info) * count);
+ cmd->payload_size);
}
/*
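Review bot: cmd->payload_size is set from the requested size, sizeof(virtio_snd_pcm_info) * count, while the return value of the iov_from_buf() call just below it is discarded, so nothing in this hunk ties the size later reported to the guest to the bytes actually copied into in_sg. iov_from_buf() returns the number of bytes it copied; unless a capacity check earlier in virtio_snd_handle_pcm_info() (outside the lines shown) already guarantees that in_sg holds the header plus the payload, consider assigning that return value to cmd->payload_size, or comparing the two and failing the command with an error status on a short copy.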
@@ -749,7 +750,8 @@ process_cmd(VirtIOSound *s, virtio_snd_ctrl_command *cmd)
0,
&cmd->resp,
sizeof(virtio_snd_hdr));
- virtqueue_push(cmd->vq, cmd->elem, sizeof(virtio_snd_hdr));
+ virtqueue_push(cmd->vq, cmd->elem,
+ sizeof(virtio_snd_hdr) + cmd->payload_size);
virtio_notify(VIRTIO_DEVICE(s), cmd->vq);
}
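Review bot: the used length passed to virtqueue_push() now trusts cmd->payload_size unconditionally, including when cmd->resp.code carries an error, so this call is correct only if every handler sets payload_size after it has written the payload and only on its success path. A one-line comment at this call stating that contract, or adding payload_size only when the response code is VIRTIO_SND_S_OK, would keep a future handler from reporting bytes it never wrote. Note also that payload_size is a size_t and virtqueue_push() takes an unsigned int length, so the sum is narrowed implicitly here.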
@@ -808,6 +810,7 @@ static void virtio_snd_handle_ctrl(VirtIODevice *vdev,
VirtQueue *vq)
cmd->elem = elem;
cmd->vq = vq;
cmd->resp.code = cpu_to_le32(VIRTIO_SND_S_OK);
+ /* implicit cmd->payload_size = 0; */
QTAILQ_INSERT_TAIL(&s->cmdq, cmd, next);
elem = virtqueue_pop(vq, sizeof(VirtQueueElement));
}
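Review bot: the added comment /* implicit cmd->payload_size = 0; */ relies on cmd coming from a zeroing allocation, which is not visible in this hunk, while the neighbouring fields elem, vq and resp.code are all assigned explicitly. Since process_cmd() adds this field to the length reported to the guest, an explicit cmd->payload_size = 0; next to those assignments costs nothing and stays correct if the allocation is ever changed to a non-zeroing one.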
diff --git a/include/hw/audio/virtio-snd.h b/include/hw/audio/virtio-snd.h
index c3767f442b..3d79181364 100644
--- a/include/hw/audio/virtio-snd.h
+++ b/include/hw/audio/virtio-snd.h
@@ -230,6 +230,7 @@ struct virtio_snd_ctrl_command {
VirtQueue *vq;
virtio_snd_hdr ctrl;
virtio_snd_hdr resp;
+ size_t payload_size;
QTAILQ_ENTRY(virtio_snd_ctrl_command) next;
};
#endif
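Review bot: the new payload_size field in struct virtio_snd_ctrl_command has no comment saying what it counts. A short note that it is the number of response bytes written to in_sg after the virtio_snd_hdr, excluding the header itself, and that it stays 0 for commands that return only the header, would document the contract the changes in virtio-snd.c rely on.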
--
2.39.2