[PATCH] edu: fix DMA range upper bound check

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Max Erenberg <merenber@uwaterloo.ca>
To: qemu-devel@nongnu.org
Cc: qemu-trivial@nongnu.org, jslaby@suse.cz
Subject: [PATCH] edu: fix DMA range upper bound check
Date: Mon, 25 Dec 2023 18:44:32 -0500	[thread overview]
Message-ID: <ZYoT4OGEuikUup59@max-HP-NOTEBOOK> (raw)

The edu_check_range function checks that start <= end1 < end2, where
end1 is the upper bound (exclusive) of the guest-supplied DMA range and
end2 is the upper bound (exclusive) of the device's allowed DMA range.
When the guest tries to transfer exactly DMA_SIZE (4096) bytes, end1
will be equal to end2, so the check fails and QEMU aborts with this
puzzling error message (newlines added for formatting):

  qemu: hardware error: EDU: DMA range
    0x0000000000040000-0x0000000000040fff out of bounds
   (0x0000000000040000-0x0000000000040fff)!

By checking end1 <= end2 instead, guests will be allowed to transfer
exactly 4096 bytes. It is not necessary to explicitly check for
start <= end1 because the previous two checks (within(addr, start, end2)
and end1 > addr) imply start < end1.

Signed-off-by: Max Erenberg <merenber@uwaterloo.ca>
---
 hw/misc/edu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/misc/edu.c b/hw/misc/edu.c
index a1f8bc7..e64a246 100644
--- a/hw/misc/edu.c
+++ b/hw/misc/edu.c
@@ -115,7 +115,7 @@ static void edu_check_range(uint64_t addr, uint64_t size1, uint64_t start,
     uint64_t end2 = start + size2;

     if (within(addr, start, end2) &&
-            end1 > addr && within(end1, start, end2)) {
+            end1 > addr && end1 <= end2) {
         return;
     }

-- 
2.39.2

next             reply	other threads:[~2023-12-26  0:53 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-12-25 23:44 Max Erenberg [this message]
2024-01-03 11:51 ` [PATCH] edu: fix DMA range upper bound check Michael Tokarev

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:a1f8bc7 dfblob:e64a246 )
 OR (
bs:"[PATCH] edu: fix DMA range upper bound check" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZYoT4OGEuikUup59@max-HP-NOTEBOOK \
    --to=merenber@uwaterloo.ca \
    --cc=jslaby@suse.cz \
    --cc=qemu-devel@nongnu.org \
    --cc=qemu-trivial@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.