[PATCH] hw/riscv/riscv-iommu: Fix MSI table size limit

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] hw/riscv/riscv-iommu: Fix MSI table size limit
@ 2025-09-04 13:27 Andrew Jones
  2025-09-04 18:25 ` Daniel Henrique Barboza
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Andrew Jones @ 2025-09-04 13:27 UTC (permalink / raw)
  To: qemu-devel, qemu-riscv
  Cc: alistair.francis, liwei1518, dbarboza, zhiwei_liu, tjeznach

The MSI table is not limited to 4k. The only constraint the table has
is that its base address must be aligned to its size, ensuring no
offsets of the table size will overrun when added to the base address
(see "8.5. MSI page tables" of the AIA spec).

Fixes: 0c54acb8243d ("hw/riscv: add RISC-V IOMMU base emulation")
Signed-off-by: Andrew Jones <ajones@ventanamicro.com>
---
 hw/riscv/riscv-iommu.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/hw/riscv/riscv-iommu.c b/hw/riscv/riscv-iommu.c
index 96a7fbdefcf3..155190d032dd 100644
--- a/hw/riscv/riscv-iommu.c
+++ b/hw/riscv/riscv-iommu.c
@@ -558,6 +558,7 @@ static MemTxResult riscv_iommu_msi_write(RISCVIOMMUState *s,
     MemTxResult res;
     dma_addr_t addr;
     uint64_t intn;
+    size_t offset;
     uint32_t n190;
     uint64_t pte[2];
     int fault_type = RISCV_IOMMU_FQ_TTYPE_UADDR_WR;
@@ -565,16 +566,18 @@ static MemTxResult riscv_iommu_msi_write(RISCVIOMMUState *s,
 
     /* Interrupt File Number */
     intn = riscv_iommu_pext_u64(PPN_DOWN(gpa), ctx->msi_addr_mask);
-    if (intn >= 256) {
-        /* Interrupt file number out of range */
-        res = MEMTX_ACCESS_ERROR;
-        cause = RISCV_IOMMU_FQ_CAUSE_MSI_LOAD_FAULT;
-        goto err;
-    }
+    offset = intn * sizeof(pte);
 
     /* fetch MSI PTE */
     addr = PPN_PHYS(get_field(ctx->msiptp, RISCV_IOMMU_DC_MSIPTP_PPN));
-    addr = addr | (intn * sizeof(pte));
+    if (addr & offset) {
+        /* Interrupt file number out of range */
+        res = MEMTX_ACCESS_ERROR;
+        cause = RISCV_IOMMU_FQ_CAUSE_MSI_LOAD_FAULT;
+        goto err;
+    }
+
+    addr |= offset;
     res = dma_memory_read(s->target_as, addr, &pte, sizeof(pte),
             MEMTXATTRS_UNSPECIFIED);
     if (res != MEMTX_OK) {
-- 
2.49.0



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] hw/riscv/riscv-iommu: Fix MSI table size limit
  2025-09-04 13:27 [PATCH] hw/riscv/riscv-iommu: Fix MSI table size limit Andrew Jones
@ 2025-09-04 18:25 ` Daniel Henrique Barboza
  2025-09-15  1:54 ` Alistair Francis
  2025-10-04  6:55 ` Michael Tokarev
  2 siblings, 0 replies; 4+ messages in thread
From: Daniel Henrique Barboza @ 2025-09-04 18:25 UTC (permalink / raw)
  To: Andrew Jones, qemu-devel, qemu-riscv
  Cc: alistair.francis, liwei1518, zhiwei_liu, tjeznach



On 9/4/25 10:27 AM, Andrew Jones wrote:
> The MSI table is not limited to 4k. The only constraint the table has
> is that its base address must be aligned to its size, ensuring no
> offsets of the table size will overrun when added to the base address
> (see "8.5. MSI page tables" of the AIA spec).
> 
> Fixes: 0c54acb8243d ("hw/riscv: add RISC-V IOMMU base emulation")
> Signed-off-by: Andrew Jones <ajones@ventanamicro.com>
> ---

Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>

>   hw/riscv/riscv-iommu.c | 17 ++++++++++-------
>   1 file changed, 10 insertions(+), 7 deletions(-)
> 
> diff --git a/hw/riscv/riscv-iommu.c b/hw/riscv/riscv-iommu.c
> index 96a7fbdefcf3..155190d032dd 100644
> --- a/hw/riscv/riscv-iommu.c
> +++ b/hw/riscv/riscv-iommu.c
> @@ -558,6 +558,7 @@ static MemTxResult riscv_iommu_msi_write(RISCVIOMMUState *s,
>       MemTxResult res;
>       dma_addr_t addr;
>       uint64_t intn;
> +    size_t offset;
>       uint32_t n190;
>       uint64_t pte[2];
>       int fault_type = RISCV_IOMMU_FQ_TTYPE_UADDR_WR;
> @@ -565,16 +566,18 @@ static MemTxResult riscv_iommu_msi_write(RISCVIOMMUState *s,
>   
>       /* Interrupt File Number */
>       intn = riscv_iommu_pext_u64(PPN_DOWN(gpa), ctx->msi_addr_mask);
> -    if (intn >= 256) {
> -        /* Interrupt file number out of range */
> -        res = MEMTX_ACCESS_ERROR;
> -        cause = RISCV_IOMMU_FQ_CAUSE_MSI_LOAD_FAULT;
> -        goto err;
> -    }
> +    offset = intn * sizeof(pte);
>   
>       /* fetch MSI PTE */
>       addr = PPN_PHYS(get_field(ctx->msiptp, RISCV_IOMMU_DC_MSIPTP_PPN));
> -    addr = addr | (intn * sizeof(pte));
> +    if (addr & offset) {
> +        /* Interrupt file number out of range */
> +        res = MEMTX_ACCESS_ERROR;
> +        cause = RISCV_IOMMU_FQ_CAUSE_MSI_LOAD_FAULT;
> +        goto err;
> +    }
> +
> +    addr |= offset;
>       res = dma_memory_read(s->target_as, addr, &pte, sizeof(pte),
>               MEMTXATTRS_UNSPECIFIED);
>       if (res != MEMTX_OK) {



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] hw/riscv/riscv-iommu: Fix MSI table size limit
  2025-09-04 13:27 [PATCH] hw/riscv/riscv-iommu: Fix MSI table size limit Andrew Jones
  2025-09-04 18:25 ` Daniel Henrique Barboza
@ 2025-09-15  1:54 ` Alistair Francis
  2025-10-04  6:55 ` Michael Tokarev
  2 siblings, 0 replies; 4+ messages in thread
From: Alistair Francis @ 2025-09-15  1:54 UTC (permalink / raw)
  To: Andrew Jones
  Cc: qemu-devel, qemu-riscv, alistair.francis, liwei1518, dbarboza,
	zhiwei_liu, tjeznach

On Thu, Sep 4, 2025 at 11:29 PM Andrew Jones <ajones@ventanamicro.com> wrote:
>
> The MSI table is not limited to 4k. The only constraint the table has
> is that its base address must be aligned to its size, ensuring no
> offsets of the table size will overrun when added to the base address
> (see "8.5. MSI page tables" of the AIA spec).
>
> Fixes: 0c54acb8243d ("hw/riscv: add RISC-V IOMMU base emulation")
> Signed-off-by: Andrew Jones <ajones@ventanamicro.com>

Thanks!

Applied to riscv-to-apply.next

Alistair

> ---
>  hw/riscv/riscv-iommu.c | 17 ++++++++++-------
>  1 file changed, 10 insertions(+), 7 deletions(-)
>
> diff --git a/hw/riscv/riscv-iommu.c b/hw/riscv/riscv-iommu.c
> index 96a7fbdefcf3..155190d032dd 100644
> --- a/hw/riscv/riscv-iommu.c
> +++ b/hw/riscv/riscv-iommu.c
> @@ -558,6 +558,7 @@ static MemTxResult riscv_iommu_msi_write(RISCVIOMMUState *s,
>      MemTxResult res;
>      dma_addr_t addr;
>      uint64_t intn;
> +    size_t offset;
>      uint32_t n190;
>      uint64_t pte[2];
>      int fault_type = RISCV_IOMMU_FQ_TTYPE_UADDR_WR;
> @@ -565,16 +566,18 @@ static MemTxResult riscv_iommu_msi_write(RISCVIOMMUState *s,
>
>      /* Interrupt File Number */
>      intn = riscv_iommu_pext_u64(PPN_DOWN(gpa), ctx->msi_addr_mask);
> -    if (intn >= 256) {
> -        /* Interrupt file number out of range */
> -        res = MEMTX_ACCESS_ERROR;
> -        cause = RISCV_IOMMU_FQ_CAUSE_MSI_LOAD_FAULT;
> -        goto err;
> -    }
> +    offset = intn * sizeof(pte);
>
>      /* fetch MSI PTE */
>      addr = PPN_PHYS(get_field(ctx->msiptp, RISCV_IOMMU_DC_MSIPTP_PPN));
> -    addr = addr | (intn * sizeof(pte));
> +    if (addr & offset) {
> +        /* Interrupt file number out of range */
> +        res = MEMTX_ACCESS_ERROR;
> +        cause = RISCV_IOMMU_FQ_CAUSE_MSI_LOAD_FAULT;
> +        goto err;
> +    }
> +
> +    addr |= offset;
>      res = dma_memory_read(s->target_as, addr, &pte, sizeof(pte),
>              MEMTXATTRS_UNSPECIFIED);
>      if (res != MEMTX_OK) {
> --
> 2.49.0
>
>


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] hw/riscv/riscv-iommu: Fix MSI table size limit
  2025-09-04 13:27 [PATCH] hw/riscv/riscv-iommu: Fix MSI table size limit Andrew Jones
  2025-09-04 18:25 ` Daniel Henrique Barboza
  2025-09-15  1:54 ` Alistair Francis
@ 2025-10-04  6:55 ` Michael Tokarev
  2 siblings, 0 replies; 4+ messages in thread
From: Michael Tokarev @ 2025-10-04  6:55 UTC (permalink / raw)
  To: Andrew Jones, qemu-devel, qemu-riscv
  Cc: alistair.francis, liwei1518, dbarboza, zhiwei_liu, tjeznach,
	qemu-stable

On 9/4/25 16:27, Andrew Jones wrote:
> The MSI table is not limited to 4k. The only constraint the table has
> is that its base address must be aligned to its size, ensuring no
> offsets of the table size will overrun when added to the base address
> (see "8.5. MSI page tables" of the AIA spec).
> 
> Fixes: 0c54acb8243d ("hw/riscv: add RISC-V IOMMU base emulation")
> Signed-off-by: Andrew Jones <ajones@ventanamicro.com>

This one looks like a qemu-stable material.
Please let me know if it is not.

Thanks,

/mjt


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-10-04  6:56 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-04 13:27 [PATCH] hw/riscv/riscv-iommu: Fix MSI table size limit Andrew Jones
2025-09-04 18:25 ` Daniel Henrique Barboza
2025-09-15  1:54 ` Alistair Francis
2025-10-04  6:55 ` Michael Tokarev

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.