diff mbox series

[v2,07/11] chardev: Let IOReadHandler use unsigned type

Message ID 20181012002217.2864-8-philmd@redhat.com (mailing list archive)
State New, archived
Headers show
Series chardev: Convert IO handlers to use unsigned type | expand

Commit Message

Philippe Mathieu-Daudé Oct. 12, 2018, 12:22 a.m. UTC
The number of bytes can not be negative nor zero.

Fixed 2 format string:
- hw/char/spapr_vty.c
- hw/usb/ccid-card-passthru.c

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Alberto Garcia <berto@igalia.com>
---
 backends/rng-egd.c          | 2 +-
 chardev/char-mux.c          | 2 +-
 gdbstub.c                   | 2 +-
 hw/arm/pxa2xx.c             | 2 +-
 hw/arm/strongarm.c          | 3 ++-
 hw/char/bcm2835_aux.c       | 2 +-
 hw/char/cadence_uart.c      | 2 +-
 hw/char/cmsdk-apb-uart.c    | 2 +-
 hw/char/digic-uart.c        | 2 +-
 hw/char/escc.c              | 2 +-
 hw/char/etraxfs_ser.c       | 2 +-
 hw/char/exynos4210_uart.c   | 3 ++-
 hw/char/grlib_apbuart.c     | 2 +-
 hw/char/imx_serial.c        | 2 +-
 hw/char/ipoctal232.c        | 2 +-
 hw/char/lm32_juart.c        | 2 +-
 hw/char/lm32_uart.c         | 2 +-
 hw/char/mcf_uart.c          | 2 +-
 hw/char/milkymist-uart.c    | 2 +-
 hw/char/pl011.c             | 2 +-
 hw/char/sclpconsole-lm.c    | 2 +-
 hw/char/sclpconsole.c       | 2 +-
 hw/char/serial.c            | 4 ++--
 hw/char/sh_serial.c         | 2 +-
 hw/char/spapr_vty.c         | 4 ++--
 hw/char/stm32f2xx_usart.c   | 3 ++-
 hw/char/terminal3270.c      | 2 +-
 hw/char/virtio-console.c    | 2 +-
 hw/char/xen_console.c       | 2 +-
 hw/char/xilinx_uartlite.c   | 2 +-
 hw/ipmi/ipmi_bmc_extern.c   | 2 +-
 hw/misc/ivshmem.c           | 4 ++--
 hw/riscv/riscv_htif.c       | 2 +-
 hw/riscv/sifive_uart.c      | 2 +-
 hw/usb/ccid-card-passthru.c | 4 ++--
 hw/usb/dev-serial.c         | 2 +-
 hw/usb/redirect.c           | 2 +-
 include/qemu/main-loop.h    | 2 +-
 monitor.c                   | 4 ++--
 net/colo-compare.c          | 4 ++--
 net/filter-mirror.c         | 2 +-
 net/slirp.c                 | 2 +-
 qtest.c                     | 2 +-
 target/xtensa/xtensa-semi.c | 2 +-
 44 files changed, 53 insertions(+), 50 deletions(-)

Comments

Richard Purdie Jan. 22, 2021, 11:26 a.m. UTC | #1
On Fri, 2018-10-12 at 02:22 +0200, Philippe Mathieu-Daudé wrote:
> The number of bytes can not be negative nor zero.
> 
> Fixed 2 format string:
> - hw/char/spapr_vty.c
> - hw/usb/ccid-card-passthru.c
> 
> Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> Acked-by: Alberto Garcia <berto@igalia.com>

Sorry to drag up an old patch series. As far as I can see this series
was never applied. I suspect a better way of solving the issue may have
been found? If so can anyone point me at that change?

I ask since CVE-2018-18438 is marked as affecting all qemu versions
(https://nvd.nist.gov/vuln/detail/CVE-2018-18438).

If it was fixed, the version mask could be updated. If the fix wasn't
deemed worthwhile for some reason that is also fine and I can mark this
one as such in our system. I'm being told we only need one of the
patches in this series which I also don't believe as I suspect we
either need the set or none of them!

Any info would be most welcome.

Cheers,

Richard
Prasad Pandit Jan. 22, 2021, 11:52 a.m. UTC | #2
+-- On Fri, 22 Jan 2021, Richard Purdie wrote --+
| If so can anyone point me at that change?
| 
| I ask since CVE-2018-18438 is marked as affecting all qemu versions
| (https://nvd.nist.gov/vuln/detail/CVE-2018-18438).
| 
| If it was fixed, the version mask could be updated. If the fix wasn't deemed 
| worthwhile for some reason that is also fine and I can mark this one as such 
| in our system. I'm being told we only need one of the patches in this series 
| which I also don't believe as I suspect we either need the set or none of 
| them!
| 
| Any info would be most welcome.

  -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02239.html
  -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02231.html

* Yes, the type change fix had come up during patch reviews above, and this 
  series implemented the change.

* Series is required IIUC, didn't realise it's not merged.


Thank you. 
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
Philippe Mathieu-Daudé Jan. 22, 2021, 1:55 p.m. UTC | #3
Hi Prasad, Richard.

On 1/22/21 12:52 PM, P J P wrote:
> +-- On Fri, 22 Jan 2021, Richard Purdie wrote --+
> | If so can anyone point me at that change?
> | 
> | I ask since CVE-2018-18438 is marked as affecting all qemu versions
> | (https://nvd.nist.gov/vuln/detail/CVE-2018-18438).
> | 
> | If it was fixed, the version mask could be updated. If the fix wasn't deemed 
> | worthwhile for some reason that is also fine and I can mark this one as such 
> | in our system. I'm being told we only need one of the patches in this series 
> | which I also don't believe as I suspect we either need the set or none of 
> | them!
> | 
> | Any info would be most welcome.
> 
>   -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02239.html
>   -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02231.html
> 
> * Yes, the type change fix had come up during patch reviews above, and this 
>   series implemented the change.
> 
> * Series is required IIUC, didn't realise it's not merged.

Audit from Marc-André pointed that this is unlikely, we asked the
reporter for a reproducer and got not news, and eventually closed
this as NOTABUG (not even WONTFIX):
https://bugzilla.redhat.com/show_bug.cgi?id=1609015

Regards,

Phil.
Richard Purdie Jan. 22, 2021, 3:25 p.m. UTC | #4
On Fri, 2021-01-22 at 14:55 +0100, Philippe Mathieu-Daudé wrote:
> Hi Prasad, Richard.
> 
> On 1/22/21 12:52 PM, P J P wrote:
> > +-- On Fri, 22 Jan 2021, Richard Purdie wrote --+
> > > If so can anyone point me at that change?
> > > 
> > > I ask since CVE-2018-18438 is marked as affecting all qemu versions
> > > (https://nvd.nist.gov/vuln/detail/CVE-2018-18438).
> > > 
> > > If it was fixed, the version mask could be updated. If the fix wasn't deemed 
> > > worthwhile for some reason that is also fine and I can mark this one as such 
> > > in our system. I'm being told we only need one of the patches in this series 
> > > which I also don't believe as I suspect we either need the set or none of 
> > > them!
> > > 
> > > Any info would be most welcome.
> > 
> >   -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02239.html
> >   -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02231.html
> > 
> > * Yes, the type change fix had come up during patch reviews above, and this 
> >   series implemented the change.
> > 
> > * Series is required IIUC, didn't realise it's not merged.
> 
> Audit from Marc-André pointed that this is unlikely, we asked the
> reporter for a reproducer and got not news, and eventually closed
> this as NOTABUG (not even WONTFIX):
> https://bugzilla.redhat.com/show_bug.cgi?id=1609015

I guessed there some resolution like this but couldn't find it thanks
for the pointer. It's now clear in the archives and I can handle
appropriately rejecting carrying those patches, thanks!

Cheers,

Richard
diff mbox series

Patch

diff --git a/backends/rng-egd.c b/backends/rng-egd.c
index d2b9ce6cbf..b51c01f664 100644
--- a/backends/rng-egd.c
+++ b/backends/rng-egd.c
@@ -61,7 +61,7 @@  static int rng_egd_chr_can_read(void *opaque)
     return size;
 }
 
-static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
+static void rng_egd_chr_read(void *opaque, const uint8_t *buf, size_t size)
 {
     RngEgd *s = RNG_EGD(opaque);
     size_t buf_offset = 0;
diff --git a/chardev/char-mux.c b/chardev/char-mux.c
index 3ca732d3a8..d8d6eaa646 100644
--- a/chardev/char-mux.c
+++ b/chardev/char-mux.c
@@ -209,7 +209,7 @@  static int mux_chr_can_read(void *opaque)
     return 0;
 }
 
-static void mux_chr_read(void *opaque, const uint8_t *buf, int size)
+static void mux_chr_read(void *opaque, const uint8_t *buf, size_t size)
 {
     Chardev *chr = CHARDEV(opaque);
     MuxChardev *d = MUX_CHARDEV(opaque);
diff --git a/gdbstub.c b/gdbstub.c
index bbbb1cfcc1..a2fc3682ce 100644
--- a/gdbstub.c
+++ b/gdbstub.c
@@ -1923,7 +1923,7 @@  static int gdb_chr_can_receive(void *opaque)
   return MAX_PACKET_LENGTH;
 }
 
-static void gdb_chr_receive(void *opaque, const uint8_t *buf, int size)
+static void gdb_chr_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     int i;
 
diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
index f598a1c053..75b6aa2772 100644
--- a/hw/arm/pxa2xx.c
+++ b/hw/arm/pxa2xx.c
@@ -1929,7 +1929,7 @@  static int pxa2xx_fir_is_empty(void *opaque)
     return (s->rx_len < 64);
 }
 
-static void pxa2xx_fir_rx(void *opaque, const uint8_t *buf, int size)
+static void pxa2xx_fir_rx(void *opaque, const uint8_t *buf, size_t size)
 {
     PXA2xxFIrState *s = (PXA2xxFIrState *) opaque;
     if (!(s->control[0] & (1 << 4)))			/* RXE */
diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c
index ec2627374d..40db4e5e0a 100644
--- a/hw/arm/strongarm.c
+++ b/hw/arm/strongarm.c
@@ -1072,7 +1072,8 @@  static int strongarm_uart_can_receive(void *opaque)
     return 1;
 }
 
-static void strongarm_uart_receive(void *opaque, const uint8_t *buf, int size)
+static void strongarm_uart_receive(void *opaque, const uint8_t *buf,
+                                   size_t size)
 {
     StrongARMUARTState *s = opaque;
     int i;
diff --git a/hw/char/bcm2835_aux.c b/hw/char/bcm2835_aux.c
index 0364596c55..cb26df40f8 100644
--- a/hw/char/bcm2835_aux.c
+++ b/hw/char/bcm2835_aux.c
@@ -235,7 +235,7 @@  static void bcm2835_aux_put_fifo(void *opaque, uint8_t value)
     bcm2835_aux_update(s);
 }
 
-static void bcm2835_aux_receive(void *opaque, const uint8_t *buf, int size)
+static void bcm2835_aux_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     bcm2835_aux_put_fifo(opaque, *buf);
 }
diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
index fbdbd463bb..eb5cc974a1 100644
--- a/hw/char/cadence_uart.c
+++ b/hw/char/cadence_uart.c
@@ -332,7 +332,7 @@  static void uart_write_tx_fifo(CadenceUARTState *s, const uint8_t *buf,
     cadence_uart_xmit(NULL, G_IO_OUT, s);
 }
 
-static void uart_receive(void *opaque, const uint8_t *buf, int size)
+static void uart_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     CadenceUARTState *s = opaque;
     uint32_t ch_mode = s->r[R_MR] & UART_MR_CHMODE;
diff --git a/hw/char/cmsdk-apb-uart.c b/hw/char/cmsdk-apb-uart.c
index ddfbb25c24..774986d88d 100644
--- a/hw/char/cmsdk-apb-uart.c
+++ b/hw/char/cmsdk-apb-uart.c
@@ -119,7 +119,7 @@  static int uart_can_receive(void *opaque)
     return 0;
 }
 
-static void uart_receive(void *opaque, const uint8_t *buf, int size)
+static void uart_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     CMSDKAPBUART *s = CMSDK_APB_UART(opaque);
 
diff --git a/hw/char/digic-uart.c b/hw/char/digic-uart.c
index ccc75eaa4d..0f41a23b54 100644
--- a/hw/char/digic-uart.c
+++ b/hw/char/digic-uart.c
@@ -119,7 +119,7 @@  static int uart_can_rx(void *opaque)
     return !(s->reg_st & ST_RX_RDY);
 }
 
-static void uart_rx(void *opaque, const uint8_t *buf, int size)
+static void uart_rx(void *opaque, const uint8_t *buf, size_t size)
 {
     DigicUartState *s = opaque;
 
diff --git a/hw/char/escc.c b/hw/char/escc.c
index 628f5f81f7..e655b86273 100644
--- a/hw/char/escc.c
+++ b/hw/char/escc.c
@@ -601,7 +601,7 @@  static void serial_receive_break(ESCCChannelState *s)
     escc_update_irq(s);
 }
 
-static void serial_receive1(void *opaque, const uint8_t *buf, int size)
+static void serial_receive1(void *opaque, const uint8_t *buf, size_t size)
 {
     ESCCChannelState *s = opaque;
     serial_receive_byte(s, buf[0]);
diff --git a/hw/char/etraxfs_ser.c b/hw/char/etraxfs_ser.c
index a184026410..79cd8d2dc1 100644
--- a/hw/char/etraxfs_ser.c
+++ b/hw/char/etraxfs_ser.c
@@ -166,7 +166,7 @@  static Property etraxfs_ser_properties[] = {
     DEFINE_PROP_END_OF_LIST(),
 };
 
-static void serial_receive(void *opaque, const uint8_t *buf, int size)
+static void serial_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     ETRAXSerial *s = opaque;
     int i;
diff --git a/hw/char/exynos4210_uart.c b/hw/char/exynos4210_uart.c
index a5a285655f..5fdf5b1f37 100644
--- a/hw/char/exynos4210_uart.c
+++ b/hw/char/exynos4210_uart.c
@@ -495,7 +495,8 @@  static int exynos4210_uart_can_receive(void *opaque)
 }
 
 
-static void exynos4210_uart_receive(void *opaque, const uint8_t *buf, int size)
+static void exynos4210_uart_receive(void *opaque, const uint8_t *buf,
+                                    size_t size)
 {
     Exynos4210UartState *s = (Exynos4210UartState *)opaque;
     int i;
diff --git a/hw/char/grlib_apbuart.c b/hw/char/grlib_apbuart.c
index bac11bec58..d370609a52 100644
--- a/hw/char/grlib_apbuart.c
+++ b/hw/char/grlib_apbuart.c
@@ -137,7 +137,7 @@  static int grlib_apbuart_can_receive(void *opaque)
     return FIFO_LENGTH - uart->len;
 }
 
-static void grlib_apbuart_receive(void *opaque, const uint8_t *buf, int size)
+static void grlib_apbuart_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     UART *uart = opaque;
 
diff --git a/hw/char/imx_serial.c b/hw/char/imx_serial.c
index 1e363190e3..b9fdfaeb38 100644
--- a/hw/char/imx_serial.c
+++ b/hw/char/imx_serial.c
@@ -315,7 +315,7 @@  static void imx_put_data(void *opaque, uint32_t value)
     imx_update(s);
 }
 
-static void imx_receive(void *opaque, const uint8_t *buf, int size)
+static void imx_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     imx_put_data(opaque, *buf);
 }
diff --git a/hw/char/ipoctal232.c b/hw/char/ipoctal232.c
index 5e09caf851..08e3f9e45f 100644
--- a/hw/char/ipoctal232.c
+++ b/hw/char/ipoctal232.c
@@ -468,7 +468,7 @@  static int hostdev_can_receive(void *opaque)
     return ch->rx_enabled ? available_bytes : 0;
 }
 
-static void hostdev_receive(void *opaque, const uint8_t *buf, int size)
+static void hostdev_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     SCC2698Channel *ch = opaque;
     IPOctalState *dev = ch->ipoctal;
diff --git a/hw/char/lm32_juart.c b/hw/char/lm32_juart.c
index d75c835ad2..ecb61ee086 100644
--- a/hw/char/lm32_juart.c
+++ b/hw/char/lm32_juart.c
@@ -88,7 +88,7 @@  void lm32_juart_set_jrx(DeviceState *d, uint32_t jtx)
     s->jrx &= ~JRX_FULL;
 }
 
-static void juart_rx(void *opaque, const uint8_t *buf, int size)
+static void juart_rx(void *opaque, const uint8_t *buf, size_t size)
 {
     LM32JuartState *s = opaque;
 
diff --git a/hw/char/lm32_uart.c b/hw/char/lm32_uart.c
index c4a3b9b275..ee0bf8e117 100644
--- a/hw/char/lm32_uart.c
+++ b/hw/char/lm32_uart.c
@@ -211,7 +211,7 @@  static const MemoryRegionOps uart_ops = {
     },
 };
 
-static void uart_rx(void *opaque, const uint8_t *buf, int size)
+static void uart_rx(void *opaque, const uint8_t *buf, size_t size)
 {
     LM32UartState *s = opaque;
 
diff --git a/hw/char/mcf_uart.c b/hw/char/mcf_uart.c
index 787f985db6..e126860b46 100644
--- a/hw/char/mcf_uart.c
+++ b/hw/char/mcf_uart.c
@@ -274,7 +274,7 @@  static int mcf_uart_can_receive(void *opaque)
     return s->rx_enabled && (s->sr & MCF_UART_FFULL) == 0;
 }
 
-static void mcf_uart_receive(void *opaque, const uint8_t *buf, int size)
+static void mcf_uart_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     mcf_uart_state *s = (mcf_uart_state *)opaque;
 
diff --git a/hw/char/milkymist-uart.c b/hw/char/milkymist-uart.c
index 548ee27bca..a10c0957ff 100644
--- a/hw/char/milkymist-uart.c
+++ b/hw/char/milkymist-uart.c
@@ -158,7 +158,7 @@  static const MemoryRegionOps uart_mmio_ops = {
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-static void uart_rx(void *opaque, const uint8_t *buf, int size)
+static void uart_rx(void *opaque, const uint8_t *buf, size_t size)
 {
     MilkymistUartState *s = opaque;
 
diff --git a/hw/char/pl011.c b/hw/char/pl011.c
index 2aa277fc4f..37973c32ce 100644
--- a/hw/char/pl011.c
+++ b/hw/char/pl011.c
@@ -260,7 +260,7 @@  static void pl011_put_fifo(void *opaque, uint32_t value)
     }
 }
 
-static void pl011_receive(void *opaque, const uint8_t *buf, int size)
+static void pl011_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     pl011_put_fifo(opaque, *buf);
 }
diff --git a/hw/char/sclpconsole-lm.c b/hw/char/sclpconsole-lm.c
index dbc91a1e5b..a04a2a9d80 100644
--- a/hw/char/sclpconsole-lm.c
+++ b/hw/char/sclpconsole-lm.c
@@ -71,7 +71,7 @@  static int chr_can_read(void *opaque)
     return 1;
 }
 
-static void chr_read(void *opaque, const uint8_t *buf, int size)
+static void chr_read(void *opaque, const uint8_t *buf, size_t size)
 {
     SCLPConsoleLM *scon = opaque;
 
diff --git a/hw/char/sclpconsole.c b/hw/char/sclpconsole.c
index 1fa16e9055..62395c19f4 100644
--- a/hw/char/sclpconsole.c
+++ b/hw/char/sclpconsole.c
@@ -59,7 +59,7 @@  static int chr_can_read(void *opaque)
 }
 
 /* Send data from a char device over to the guest */
-static void chr_read(void *opaque, const uint8_t *buf, int size)
+static void chr_read(void *opaque, const uint8_t *buf, size_t size)
 {
     SCLPConsole *scon = opaque;
 
diff --git a/hw/char/serial.c b/hw/char/serial.c
index 02463e3388..69baed105b 100644
--- a/hw/char/serial.c
+++ b/hw/char/serial.c
@@ -105,7 +105,7 @@  do { fprintf(stderr, "serial: " fmt , ## __VA_ARGS__); } while (0)
 do {} while (0)
 #endif
 
-static void serial_receive1(void *opaque, const uint8_t *buf, int size);
+static void serial_receive1(void *opaque, const uint8_t *buf, size_t size);
 static void serial_xmit(SerialState *s);
 
 static inline void recv_fifo_put(SerialState *s, uint8_t chr)
@@ -606,7 +606,7 @@  static int serial_can_receive1(void *opaque)
     return serial_can_receive(s);
 }
 
-static void serial_receive1(void *opaque, const uint8_t *buf, int size)
+static void serial_receive1(void *opaque, const uint8_t *buf, size_t size)
 {
     SerialState *s = opaque;
 
diff --git a/hw/char/sh_serial.c b/hw/char/sh_serial.c
index 12831561a6..04fdcee328 100644
--- a/hw/char/sh_serial.c
+++ b/hw/char/sh_serial.c
@@ -327,7 +327,7 @@  static void sh_serial_timeout_int(void *opaque)
     }
 }
 
-static void sh_serial_receive1(void *opaque, const uint8_t *buf, int size)
+static void sh_serial_receive1(void *opaque, const uint8_t *buf, size_t size)
 {
     sh_serial_state *s = opaque;
 
diff --git a/hw/char/spapr_vty.c b/hw/char/spapr_vty.c
index 6748334ded..42b4b61cce 100644
--- a/hw/char/spapr_vty.c
+++ b/hw/char/spapr_vty.c
@@ -28,7 +28,7 @@  static int vty_can_receive(void *opaque)
     return VTERM_BUFSIZE - (dev->in - dev->out);
 }
 
-static void vty_receive(void *opaque, const uint8_t *buf, int size)
+static void vty_receive(void *opaque, const uint8_t *buf, size_t size)
 {
     VIOsPAPRVTYDevice *dev = VIO_SPAPR_VTY_DEVICE(opaque);
     int i;
@@ -42,7 +42,7 @@  static void vty_receive(void *opaque, const uint8_t *buf, int size)
             static bool reported;
             if (!reported) {
                 error_report("VTY input buffer exhausted - characters dropped."
-                             " (input size = %i)", size);
+                             " (input size = %zu)", size);
                 reported = true;
             }
             break;
diff --git a/hw/char/stm32f2xx_usart.c b/hw/char/stm32f2xx_usart.c
index 032b5fda13..78bf142678 100644
--- a/hw/char/stm32f2xx_usart.c
+++ b/hw/char/stm32f2xx_usart.c
@@ -49,7 +49,8 @@  static int stm32f2xx_usart_can_receive(void *opaque)
     return 0;
 }
 
-static void stm32f2xx_usart_receive(void *opaque, const uint8_t *buf, int size)
+static void stm32f2xx_usart_receive(void *opaque, const uint8_t *buf,
+                                    size_t size)
 {
     STM32F2XXUsartState *s = opaque;
 
diff --git a/hw/char/terminal3270.c b/hw/char/terminal3270.c
index e9c45e55b1..076516991e 100644
--- a/hw/char/terminal3270.c
+++ b/hw/char/terminal3270.c
@@ -90,7 +90,7 @@  static gboolean send_timing_mark_cb(gpointer opaque)
  * As of now, for such case, we simply terminate the connection,
  * and we should come back here later with a better solution.
  */
-static void terminal_read(void *opaque, const uint8_t *buf, int size)
+static void terminal_read(void *opaque, const uint8_t *buf, size_t size)
 {
     Terminal3270 *t = opaque;
     CcwDevice *ccw_dev = CCW_DEVICE(t);
diff --git a/hw/char/virtio-console.c b/hw/char/virtio-console.c
index 2cbe1d4ed5..e3d368b976 100644
--- a/hw/char/virtio-console.c
+++ b/hw/char/virtio-console.c
@@ -134,7 +134,7 @@  static int chr_can_read(void *opaque)
 }
 
 /* Send data from a char device over to the guest */
-static void chr_read(void *opaque, const uint8_t *buf, int size)
+static void chr_read(void *opaque, const uint8_t *buf, size_t size)
 {
     VirtConsole *vcon = opaque;
     VirtIOSerialPort *port = VIRTIO_SERIAL_PORT(vcon);
diff --git a/hw/char/xen_console.c b/hw/char/xen_console.c
index 44f7236382..ca90c5c17e 100644
--- a/hw/char/xen_console.c
+++ b/hw/char/xen_console.c
@@ -122,7 +122,7 @@  static int xencons_can_receive(void *opaque)
     return ring_free_bytes(con);
 }
 
-static void xencons_receive(void *opaque, const uint8_t *buf, int len)
+static void xencons_receive(void *opaque, const uint8_t *buf, size_t len)
 {
     struct XenConsole *con = opaque;
     struct xencons_interface *intf = con->sring;
diff --git a/hw/char/xilinx_uartlite.c b/hw/char/xilinx_uartlite.c
index 2a8bc1e497..b1abf8b604 100644
--- a/hw/char/xilinx_uartlite.c
+++ b/hw/char/xilinx_uartlite.c
@@ -177,7 +177,7 @@  static Property xilinx_uartlite_properties[] = {
     DEFINE_PROP_END_OF_LIST(),
 };
 
-static void uart_rx(void *opaque, const uint8_t *buf, int size)
+static void uart_rx(void *opaque, const uint8_t *buf, size_t size)
 {
     XilinxUARTLite *s = opaque;
 
diff --git a/hw/ipmi/ipmi_bmc_extern.c b/hw/ipmi/ipmi_bmc_extern.c
index 8c78b9804b..c52f80f771 100644
--- a/hw/ipmi/ipmi_bmc_extern.c
+++ b/hw/ipmi/ipmi_bmc_extern.c
@@ -312,7 +312,7 @@  static int can_receive(void *opaque)
     return 1;
 }
 
-static void receive(void *opaque, const uint8_t *buf, int size)
+static void receive(void *opaque, const uint8_t *buf, size_t size)
 {
     IPMIBmcExtern *ibe = opaque;
     int i;
diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index 8cb17b9dd4..f506479845 100644
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -628,14 +628,14 @@  static int ivshmem_can_receive(void *opaque)
     return sizeof(s->msg_buf) - s->msg_buffered_bytes;
 }
 
-static void ivshmem_read(void *opaque, const uint8_t *buf, int size)
+static void ivshmem_read(void *opaque, const uint8_t *buf, size_t size)
 {
     IVShmemState *s = opaque;
     Error *err = NULL;
     int fd;
     int64_t msg;
 
-    assert(size >= 0 && s->msg_buffered_bytes + size <= sizeof(s->msg_buf));
+    assert(s->msg_buffered_bytes + size <= sizeof(s->msg_buf));
     memcpy((unsigned char *)&s->msg_buf + s->msg_buffered_bytes, buf, size);
     s->msg_buffered_bytes += size;
     if (s->msg_buffered_bytes < sizeof(s->msg_buf)) {
diff --git a/hw/riscv/riscv_htif.c b/hw/riscv/riscv_htif.c
index 4f7b11dc37..2625f5e9e8 100644
--- a/hw/riscv/riscv_htif.c
+++ b/hw/riscv/riscv_htif.c
@@ -74,7 +74,7 @@  static int htif_can_recv(void *opaque)
  * Called by the char dev to supply input to HTIF console.
  * We assume that we will receive one character at a time.
  */
-static void htif_recv(void *opaque, const uint8_t *buf, int size)
+static void htif_recv(void *opaque, const uint8_t *buf, size_t size)
 {
     HTIFState *htifstate = opaque;
 
diff --git a/hw/riscv/sifive_uart.c b/hw/riscv/sifive_uart.c
index b0c3798cf2..d4cbf91b9f 100644
--- a/hw/riscv/sifive_uart.c
+++ b/hw/riscv/sifive_uart.c
@@ -123,7 +123,7 @@  static const MemoryRegionOps uart_ops = {
     }
 };
 
-static void uart_rx(void *opaque, const uint8_t *buf, int size)
+static void uart_rx(void *opaque, const uint8_t *buf, size_t size)
 {
     SiFiveUARTState *s = opaque;
 
diff --git a/hw/usb/ccid-card-passthru.c b/hw/usb/ccid-card-passthru.c
index 0a6c657228..b6fa35a4b4 100644
--- a/hw/usb/ccid-card-passthru.c
+++ b/hw/usb/ccid-card-passthru.c
@@ -270,13 +270,13 @@  static void ccid_card_vscard_drop_connection(PassthruState *card)
     card->vscard_in_pos = card->vscard_in_hdr = 0;
 }
 
-static void ccid_card_vscard_read(void *opaque, const uint8_t *buf, int size)
+static void ccid_card_vscard_read(void *opaque, const uint8_t *buf, size_t size)
 {
     PassthruState *card = opaque;
     VSCMsgHeader *hdr;
 
     if (card->vscard_in_pos + size > VSCARD_IN_SIZE) {
-        error_report("no room for data: pos %u +  size %d > %" PRId64 "."
+        error_report("no room for data: pos %u +  size %zu > %" PRId64 "."
                      " dropping connection.",
                      card->vscard_in_pos, size, VSCARD_IN_SIZE);
         ccid_card_vscard_drop_connection(card);
diff --git a/hw/usb/dev-serial.c b/hw/usb/dev-serial.c
index 98d1ca3c91..efaeab484d 100644
--- a/hw/usb/dev-serial.c
+++ b/hw/usb/dev-serial.c
@@ -431,7 +431,7 @@  static int usb_serial_can_read(void *opaque)
     return RECV_BUF - s->recv_used;
 }
 
-static void usb_serial_read(void *opaque, const uint8_t *buf, int size)
+static void usb_serial_read(void *opaque, const uint8_t *buf, size_t size)
 {
     USBSerialState *s = opaque;
     int first_size, start;
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 99094a721e..a73076ba78 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -1302,7 +1302,7 @@  static int usbredir_chardev_can_read(void *opaque)
     return 1 * MiB;
 }
 
-static void usbredir_chardev_read(void *opaque, const uint8_t *buf, int size)
+static void usbredir_chardev_read(void *opaque, const uint8_t *buf, size_t size)
 {
     USBRedirDevice *dev = opaque;
 
diff --git a/include/qemu/main-loop.h b/include/qemu/main-loop.h
index e59f9ae1e9..c5a7299266 100644
--- a/include/qemu/main-loop.h
+++ b/include/qemu/main-loop.h
@@ -167,7 +167,7 @@  void qemu_del_wait_object(HANDLE handle, WaitObjectFunc *func, void *opaque);
 
 /* async I/O support */
 
-typedef void IOReadHandler(void *opaque, const uint8_t *buf, int size);
+typedef void IOReadHandler(void *opaque, const uint8_t *buf, size_t size);
 
 /**
  * IOCanReadHandler: Return the number of bytes that #IOReadHandler can accept
diff --git a/monitor.c b/monitor.c
index b9258a7438..12401ec60b 100644
--- a/monitor.c
+++ b/monitor.c
@@ -4240,14 +4240,14 @@  static void handle_qmp_command(void *opaque, QObject *req, Error *err)
     qemu_bh_schedule(qmp_dispatcher_bh);
 }
 
-static void monitor_qmp_read(void *opaque, const uint8_t *buf, int size)
+static void monitor_qmp_read(void *opaque, const uint8_t *buf, size_t size)
 {
     Monitor *mon = opaque;
 
     json_message_parser_feed(&mon->qmp.parser, (const char *) buf, size);
 }
 
-static void monitor_read(void *opaque, const uint8_t *buf, int size)
+static void monitor_read(void *opaque, const uint8_t *buf, size_t size)
 {
     Monitor *old_mon = cur_mon;
     int i;
diff --git a/net/colo-compare.c b/net/colo-compare.c
index dd745a491b..433e9ba287 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -692,7 +692,7 @@  static int compare_chr_can_read(void *opaque)
  * Called from the main thread on the primary for packets
  * arriving over the socket from the primary.
  */
-static void compare_pri_chr_in(void *opaque, const uint8_t *buf, int size)
+static void compare_pri_chr_in(void *opaque, const uint8_t *buf, size_t size)
 {
     CompareState *s = COLO_COMPARE(opaque);
     int ret;
@@ -709,7 +709,7 @@  static void compare_pri_chr_in(void *opaque, const uint8_t *buf, int size)
  * Called from the main thread on the primary for packets
  * arriving over the socket from the secondary.
  */
-static void compare_sec_chr_in(void *opaque, const uint8_t *buf, int size)
+static void compare_sec_chr_in(void *opaque, const uint8_t *buf, size_t size)
 {
     CompareState *s = COLO_COMPARE(opaque);
     int ret;
diff --git a/net/filter-mirror.c b/net/filter-mirror.c
index 3a61cf21e8..27b6e52a1d 100644
--- a/net/filter-mirror.c
+++ b/net/filter-mirror.c
@@ -119,7 +119,7 @@  static int redirector_chr_can_read(void *opaque)
     return REDIRECTOR_MAX_LEN;
 }
 
-static void redirector_chr_read(void *opaque, const uint8_t *buf, int size)
+static void redirector_chr_read(void *opaque, const uint8_t *buf, size_t size)
 {
     NetFilterState *nf = opaque;
     MirrorState *s = FILTER_REDIRECTOR(nf);
diff --git a/net/slirp.c b/net/slirp.c
index 99884de204..5e864f4a4f 100644
--- a/net/slirp.c
+++ b/net/slirp.c
@@ -718,7 +718,7 @@  static int guestfwd_can_read(void *opaque)
     return slirp_socket_can_recv(fwd->slirp, fwd->server, fwd->port);
 }
 
-static void guestfwd_read(void *opaque, const uint8_t *buf, int size)
+static void guestfwd_read(void *opaque, const uint8_t *buf, size_t size)
 {
     struct GuestFwd *fwd = opaque;
     slirp_socket_recv(fwd->slirp, fwd->server, fwd->port, buf, size);
diff --git a/qtest.c b/qtest.c
index 69b9e9962b..0494afdfb3 100644
--- a/qtest.c
+++ b/qtest.c
@@ -657,7 +657,7 @@  static void qtest_process_inbuf(CharBackend *chr, GString *inbuf)
     }
 }
 
-static void qtest_read(void *opaque, const uint8_t *buf, int size)
+static void qtest_read(void *opaque, const uint8_t *buf, size_t size)
 {
     CharBackend *chr = opaque;
 
diff --git a/target/xtensa/xtensa-semi.c b/target/xtensa/xtensa-semi.c
index e389069f0b..241874ea4e 100644
--- a/target/xtensa/xtensa-semi.c
+++ b/target/xtensa/xtensa-semi.c
@@ -168,7 +168,7 @@  static int sim_console_can_read(void *opaque)
     return sizeof(p->input.buffer) - p->input.offset;
 }
 
-static void sim_console_read(void *opaque, const uint8_t *buf, int size)
+static void sim_console_read(void *opaque, const uint8_t *buf, size_t size)
 {
     XtensaSimConsole *p = opaque;
     size_t copy = sizeof(p->input.buffer) - p->input.offset;