From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:50087)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1YcY8T-0005tc-Ip
	for qemu-devel@nongnu.org; Mon, 30 Mar 2015 07:45:42 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1YcY8O-0001wh-7X
	for qemu-devel@nongnu.org; Mon, 30 Mar 2015 07:45:41 -0400
Received: from mx1.redhat.com ([209.132.183.28]:53750)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1YcY8N-0001wZ-Pm
	for qemu-devel@nongnu.org; Mon, 30 Mar 2015 07:45:36 -0400
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 30 Mar 2015 13:45:18 +0200
Message-Id: <1427715918-25768-7-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1427715918-25768-1-git-send-email-pbonzini@redhat.com>
References: <1427715918-25768-1-git-send-email-pbonzini@redhat.com>
Subject: [Qemu-devel] [PATCH for-2.3 6/6] ioport: reserve the whole range of
	an I/O port in the AddressSpace
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: peter.maydell@linaro.org, Mark Cave-Ayland <mark.cave-ayland@ilade.co.uk>

When an I/O port is more than 1 byte long, ioport.c is currently
creating "short" regions, for example 0x1ce-0x1ce for the 16-bit
Bochs index port.  When I/O ports are memory mapped, and thus
accessed via a subpage_ops memory region, subpage_accepts gets
confused because it finds a hole at 0x1cf and rejects the access.

In order to fix this, modify registration of the region to cover
the whole size of the I/O port.  Attempts to access an invalid
port will be blocked by find_portio returning NULL.

This only affects the VBE DISPI regions.  For all other cases,
the MemoryRegionPortio entries for 2- or 4-byte accesses overlap
an entry for 1-byte accesses, thus the size of the memory region
is not affected.

Reported-by: Zoltan Balaton <balaton@eik.bme.hu>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 ioport.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ioport.c b/ioport.c
index 090c262..304d5d6 100644
--- a/ioport.c
+++ b/ioport.c
@@ -269,7 +269,7 @@ void portio_list_add(PortioList *piolist,
 
     /* Handle the first entry specially.  */
     off_last = off_low = pio_start->offset;
-    off_high = off_low + pio_start->len;
+    off_high = off_low + pio_start->len + pio_start->size - 1;
     count = 1;
 
     for (pio = pio_start + 1; pio->size != 0; pio++, count++) {
@@ -284,10 +284,10 @@ void portio_list_add(PortioList *piolist,
             /* ... and start collecting anew.  */
             pio_start = pio;
             off_low = off_last;
-            off_high = off_low + pio->len;
+            off_high = off_low + pio->len + pio_start->size - 1;
             count = 0;
         } else if (off_last + pio->len > off_high) {
-            off_high = off_last + pio->len;
+            off_high = off_last + pio->len + pio_start->size - 1;
         }
     }
 
-- 
2.3.4