From: Gerd Hoffmann <kraxel@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: "Peter Crosthwaite" <crosthwaite.peter@gmail.com>,
"Stefan Weil" <sw@weilnetz.de>,
"Grégory ESTRADE" <gregory.estrade@gmail.com>,
"QEMU Developers" <qemu-devel@nongnu.org>,
"Andrew Baumann" <Andrew.Baumann@microsoft.com>,
qemu-arm <qemu-arm@nongnu.org>,
"Paolo Bonzini" <pbonzini@redhat.com>
Subject: Re: [Qemu-devel] [PATCH RFC] bcm2835_dma: add emulation of Raspberry Pi DMA controller
Date: Thu, 03 Mar 2016 17:16:08 +0100
Message-ID: <1457021768.3574.58.camel@redhat.com>
In-Reply-To: <CAFEAcA8G92yYdFAa6P0fdK1KLULAD6rxNc=ENG5=Qp8Lxf8g2w@mail.gmail.com>
Hi,
> > + ch->cs |= BCM2708_DMA_END;
> > + if (ch->ti & BCM2708_DMA_INT_EN) {
> > + ch->cs |= BCM2708_DMA_INT;
> > + s->int_status |= (1 << c);
> > + qemu_set_irq(ch->irq, 1);
> > + }
> > +
> > + /* Process next CB */
> > + ch->conblk_ad = ch->nextconbk;
> > + }
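Review bot: the control-block loop closed by the `}` above has no termination bound; `ch->conblk_ad = ch->nextconbk;` follows whatever next pointer the guest wrote into the CB, so a chain whose next pointer leads back to an earlier CB keeps the device model in this loop and stalls QEMU. Suggest capping the number of CBs processed per activation, or recording the CB addresses walked during one run and aborting when one repeats, and raising a DMA error on the channel (e.g. a CS error bit alongside `BCM2708_DMA_END`) instead of spinning.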
>
> This loop allows a guest to make QEMU lock up (stop responding to monitor
> commands, etc) if it feeds the device a circular loop of CBs. On the other
> hand I don't think we have a good approach to avoiding this problem,
> so never mind.
USB emulation has this problem too.
UHCI queue heads can go in circles. The emulation code keeps a linked
list of active queue heads, which is (among other bookkeeping things)
used to detect when we run in circles. It's a legal thing to do for a
guest btw, so you can see that happening in practice.
Until recently EHCI could be tricked into running in loops too, by
creating a circular chain of IDTs. Which is not legal according to
specs, so this went unnoticed for a while. But a malicious guest can do
it nevertheless. That one was fixed by stopping IDT processing in case
no data was transferred. This is possible because the EHCI controller
writes back the status to the IDT, so we can figure there is nothing to
do (because we already processed that IDT) without additional
bookkeeping, by simply checking the status.
From a brief look at the patch it seems you can not use the latter for
the bcm2835 DMA controller, I can't spot a place where some status
is written back to the DMA control block ...
cheers,
Gerd
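As an added illustration of the descriptor-bookkeeping approach Gerd describes for UHCI, applied to a DMA control-block chain (example code, not from QEMU or from the patch): a walker over constructed guest memory that records which CBs it has visited in the current run and also caps the number of steps, so a guest-supplied cycle ends in an error instead of an endless loop. The CB layout, `guest_mem`, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical control block (CB) layout for illustration only, not the
 * real BCM2835 DMA register set: a transfer length and the index of the
 * next CB in guest memory, where 0 terminates the chain. */
typedef struct { uint32_t len; uint32_t next; } cb_t;

#define GUEST_CBS       8    /* size of the constructed "guest memory" */
#define MAX_CBS_PER_RUN 64   /* hard bound on CBs walked per activation */
enum { DMA_END = 1, DMA_ERROR = 2 };

/* Constructed guest memory: 1->2->3 terminates, 4<->5 is a cycle,
 * 6 points at itself, 7 points outside guest memory. */
static const cb_t guest_mem[GUEST_CBS] = {
    {0, 0}, {16, 2}, {32, 3}, {8, 0}, {4, 5}, {4, 4}, {1, 6}, {1, 99},
};

/* Walk the CB chain from 'start'. Unlike an unbounded "process next CB"
 * loop, this records every CB visited in this run (the UHCI-style
 * bookkeeping) and also caps the number of steps, so a guest-supplied
 * cycle ends with DMA_ERROR instead of stalling the emulator. */
static int run_chain(const cb_t *mem, unsigned start, unsigned *bytes_out)
{
    bool visited[GUEST_CBS] = { false };
    unsigned bytes = 0, steps = 0, cur = start;

    while (cur != 0) {
        if (cur >= GUEST_CBS || visited[cur] || steps++ >= MAX_CBS_PER_RUN) {
            *bytes_out = bytes;
            return DMA_ERROR;          /* flag the channel, do not spin */
        }
        visited[cur] = true;
        bytes += mem[cur].len;         /* the "transfer" itself */
        cur = mem[cur].next;           /* process next CB */
    }
    *bytes_out = bytes;
    return DMA_END;
}

/* Wrappers over the constructed memory, handy for checking results. */
static int chain_status(unsigned start) { unsigned b; return run_chain(guest_mem, start, &b); }
static unsigned chain_bytes(unsigned start) { unsigned b; run_chain(guest_mem, start, &b); return b; }

int main(void)
{
    for (unsigned s = 1; s < GUEST_CBS; s++)
        printf("chain %u: status %d, %u bytes\n", s, chain_status(s), chain_bytes(s));
    return 0;
}
```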
Thread overview: 7+ messages
2016-02-29 23:11 [Qemu-devel] [PATCH RFC] bcm2835_dma: add emulation of Raspberry Pi DMA controller Andrew Baumann
2016-03-03 14:24 ` Peter Maydell
2016-03-03 14:56 ` Grégory ESTRADE
2016-03-03 16:16 ` Gerd Hoffmann [this message]
2016-03-03 16:21 ` Peter Maydell
2016-03-03 17:09 ` Andrew Baumann
2016-03-04 8:02 ` Gerd Hoffmann