From: Simon Veith <sveith@amazon.de>
To: qemu-devel@nongnu.org, qemu-arm@nongnu.org
Cc: Simon Veith <sveith@amazon.de>, Eric Auger <eric.auger@redhat.com>
Subject: [PATCH v2 3/6] hw/arm/smmuv3: Check stream IDs against actual table LOG2SIZE
Date: Wed, 11 Dec 2019 16:07:37 +0100 [thread overview]
Message-ID: <1576076860-24820-1-git-send-email-sveith@amazon.de> (raw)
In-Reply-To: <1576076260-18659-1-git-send-email-sveith@amazon.de>
When checking whether a stream ID is in range of the stream table, we
have so far been only checking it against our implementation limit
(SMMU_IDR1_SIDSIZE). However, the guest can program the
STRTAB_BASE_CFG.LOG2SIZE field to a size that is smaller than this
limit.
Check the stream ID against this limit as well to match the hardware
behavior of raising C_BAD_STREAMID events in case the limit is exceeded.
Also, ensure that we do not go one entry beyond the end of the table by
checking that its index is strictly smaller than the table size.
ref. ARM IHI 0070C, section 6.3.24.
Signed-off-by: Simon Veith <sveith@amazon.de>
Cc: Eric Auger <eric.auger@redhat.com>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
---
Changed in v2:
* Also check that stream ID is strictly lower than the table size
hw/arm/smmuv3.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index eef9a18..727558b 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -377,11 +377,15 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
SMMUEventInfo *event)
{
dma_addr_t addr;
+ uint32_t log2size;
int ret;
trace_smmuv3_find_ste(sid, s->features, s->sid_split);
- /* Check SID range */
- if (sid > (1 << SMMU_IDR1_SIDSIZE)) {
+ log2size = FIELD_EX32(s->strtab_base_cfg, STRTAB_BASE_CFG, LOG2SIZE);
+ /*
+ * Check SID range against both guest-configured and implementation limits
+ */
+ if (sid >= (1 << MIN(log2size, SMMU_IDR1_SIDSIZE))) {
event->type = SMMU_EVT_C_BAD_STREAMID;
return -EINVAL;
}
--
2.7.4
next prev parent reply other threads:[~2019-12-11 15:10 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-11 14:57 [PATCH v2 0/6] hw/arm/smmuv3: Correct stream ID and event address handling Simon Veith
2019-12-11 14:57 ` [PATCH v2 1/6] hw/arm/smmuv3: Apply address mask to linear strtab base address Simon Veith
2019-12-11 15:05 ` [PATCH v2 2/6] hw/arm/smmuv3: Correct SMMU_BASE_ADDR_MASK value Simon Veith
2019-12-11 15:07 ` Simon Veith [this message]
2019-12-11 15:07 ` [PATCH v2 4/6] hw/arm/smmuv3: Align stream table base address to table size Simon Veith
2019-12-11 15:07 ` [PATCH v2 5/6] hw/arm/smmuv3: Use correct bit positions in EVT_SET_ADDR2 macro Simon Veith
2019-12-11 15:07 ` [PATCH v2 6/6] hw/arm/smmuv3: Report F_STE_FETCH fault address in correct word position Simon Veith
2019-12-16 14:45 ` [PATCH v2 0/6] hw/arm/smmuv3: Correct stream ID and event address handling Peter Maydell
2019-12-16 14:56 ` Veith, Simon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1576076860-24820-1-git-send-email-sveith@amazon.de \
--to=sveith@amazon.de \
--cc=eric.auger@redhat.com \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).