From: Don Slutz <dslutz@verizon.com>
To: Alex Williamson <alex.williamson@redhat.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] vfio-pci: Fix BAR size overflow
Date: Tue, 06 Jan 2015 22:06:16 -0500
Message-ID: <54ACA2A8.50102@terremark.com>
In-Reply-To: <20150107000121.13777.54926.stgit@gimli.home>

On 01/06/15 19:03, Alex Williamson wrote:
> We use an unsigned int when working with the PCI BAR size, which can
> obviously overflow if the BAR is 4GB or larger.  This needs to change
> to an unsigned long.  A similar issue is possible, though even more
> unlikely, when mapping the region above an MSI-X table.  The start of
> the table must be below 4GB, but the end, and therefore the start of
> the next mapping region, could still land at 4GB.
>
> Suggested-by: Nishank Trivedi <nishank.trivedi@netapp.com>
> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
> ---
>
>   hw/vfio/pci.c |    4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
> index b4e73d1..03790a8 100644
> --- a/hw/vfio/pci.c
> +++ b/hw/vfio/pci.c
> @@ -2301,7 +2301,7 @@ static void vfio_unmap_bar(VFIOPCIDevice *vdev, int nr)
>   static void vfio_map_bar(VFIOPCIDevice *vdev, int nr)
>   {
>       VFIOBAR *bar = &vdev->bars[nr];
> -    unsigned size = bar->region.size;
> +    unsigned long size = bar->region.size;

On a 32-bit build, this does not fix the issue.
     -Don Slutz

>       char name[64];
>       uint32_t pci_bar;
>       uint8_t type;
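Review bot: `unsigned long` is not a portable fix for the overflow in `size`, because it is still only 32 bits wide on a 32-bit host (and on LLP64 targets), so a BAR of 4GB or larger wraps exactly as it did with `unsigned`; use a fixed-width type, e.g. `uint64_t size = bar->region.size;`, or declare `size` with the same type as `bar->region.size`, so the width does not depend on the build.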
> @@ -2351,7 +2351,7 @@ static void vfio_map_bar(VFIOPCIDevice *vdev, int nr)
>       }
>   
>       if (vdev->msix && vdev->msix->table_bar == nr) {
> -        unsigned start;
> +        unsigned long start;
>   
>           start = HOST_PAGE_ALIGN(vdev->msix->table_offset +
>                                   (vdev->msix->entries * PCI_MSIX_ENTRY_SIZE));
>
>
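Review bot: `start` has the same width problem as `size` above: `unsigned long` is 32 bits on a 32-bit build, so an MSI-X table whose end lands at 4GB still wraps `start` to 0; `uint64_t` is the safer choice. Note also that widening the destination does not widen the arithmetic: the sum `vdev->msix->table_offset + (vdev->msix->entries * PCI_MSIX_ENTRY_SIZE)` is evaluated in the types of those fields before it is page-aligned and assigned, so if they are 32-bit the wrap can happen inside `HOST_PAGE_ALIGN()` before `start` ever sees it; casting the first operand, e.g. `(uint64_t)vdev->msix->table_offset + ...`, makes the computation itself 64-bit.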

Thread overview: 3+ messages
2015-01-07  0:03 [Qemu-devel] [PATCH] vfio-pci: Fix BAR size overflow Alex Williamson
2015-01-07  3:06 ` Don Slutz [this message]
2015-01-07  3:39   ` Alex Williamson
