From: "Michael S. Tsirkin" <mst@redhat.com>
To: Jan Kiszka <jan.kiszka@siemens.com>
Cc: Alex Williamson <alex.williamson@redhat.com>,
Marcelo Tosatti <mtosatti@redhat.com>,
Avi Kivity <avi@redhat.com>,
kvm@vger.kernel.org, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [RFC][PATCH 06/45] msix: Prevent bogus mask updates on MMIO accesses
Date: Mon, 17 Oct 2011 13:10:45 +0200 [thread overview]
Message-ID: <20111017111045.GB4537@redhat.com> (raw)
In-Reply-To: <57386830befff359aa6eac1610816eb9c853a05d.1318843693.git.jan.kiszka@siemens.com>
On Mon, Oct 17, 2011 at 11:27:40AM +0200, Jan Kiszka wrote:
> Only accesses to the MSI-X table must trigger a call to
> msix_handle_mask_update or a notifier invocation.
>
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Why would msix_mmio_write be called on an access
outside the table?
> ---
> hw/msix.c | 16 ++++++++++------
> 1 files changed, 10 insertions(+), 6 deletions(-)
>
> diff --git a/hw/msix.c b/hw/msix.c
> index 2c4de21..33cb716 100644
> --- a/hw/msix.c
> +++ b/hw/msix.c
> @@ -264,18 +264,22 @@ static void msix_mmio_write(void *opaque, target_phys_addr_t addr,
> {
> PCIDevice *dev = opaque;
> unsigned int offset = addr & (MSIX_PAGE_SIZE - 1) & ~0x3;
> - int vector = offset / PCI_MSIX_ENTRY_SIZE;
> + unsigned int vector = offset / PCI_MSIX_ENTRY_SIZE;
Why the int/unsigned change? this has no chance to overflow, and using
unsigned causes signed/unsigned comparison below,
and unsigned/signed conversion on calls such as msix_is_masked.
> int was_masked = msix_is_masked(dev, vector);
> pci_set_long(dev->msix_table_page + offset, val);
> if (kvm_enabled() && kvm_irqchip_in_kernel()) {
> kvm_msix_update(dev, vector, was_masked, msix_is_masked(dev, vector));
> }
I would say if we need to check the address, check it first thing
and return if the address is out of a sensible range.
For example, are you worried about kvm_msix_update calls with
a sensible mask?
> - if (was_masked != msix_is_masked(dev, vector) && dev->msix_mask_notifier) {
> - int r = dev->msix_mask_notifier(dev, vector,
> - msix_is_masked(dev, vector));
> - assert(r >= 0);
> +
> + if (vector < dev->msix_entries_nr) {
> + if (was_masked != msix_is_masked(dev, vector) &&
> + dev->msix_mask_notifier) {
> + int r = dev->msix_mask_notifier(dev, vector,
> + msix_is_masked(dev, vector));
> + assert(r >= 0);
> + }
> + msix_handle_mask_update(dev, vector);
> }
> - msix_handle_mask_update(dev, vector);
> }
>
> static const MemoryRegionOps msix_mmio_ops = {
> --
> 1.7.3.4
next prev parent reply other threads:[~2011-10-17 11:09 UTC|newest]
Thread overview: 144+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-17 9:27 [Qemu-devel] [RFC][PATCH 00/45] qemu-kvm: MSI layer rework for in-kernel irqchip support Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 01/45] msi: Guard msi/msix_write_config with msi_present Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 02/45] msi: Guard msi_reset " Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 03/45] msi: Use msi/msix_present more consistently Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 04/45] msi: Invoke msi/msix_reset from PCI core Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 05/45] msi: Invoke msi/msix_write_config " Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 06/45] msix: Prevent bogus mask updates on MMIO accesses Jan Kiszka
2011-10-17 11:10 ` Michael S. Tsirkin [this message]
2011-10-17 11:23 ` Jan Kiszka
2011-10-17 11:57 ` Michael S. Tsirkin
2011-10-17 12:07 ` Jan Kiszka
2011-10-17 12:50 ` Michael S. Tsirkin
2011-10-17 19:11 ` Jan Kiszka
2011-10-17 19:43 ` Michael S. Tsirkin
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 07/45] msi: Generalize msix_supported to msi_supported Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 08/45] Introduce MSIMessage structure Jan Kiszka
2011-10-17 11:46 ` Michael S. Tsirkin
2011-10-17 11:51 ` Jan Kiszka
2011-10-17 12:04 ` Michael S. Tsirkin
2011-10-17 12:09 ` Jan Kiszka
2011-10-17 13:01 ` Michael S. Tsirkin
2011-10-17 19:14 ` Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 09/45] msi: Factor out msi_message_from_vector Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 10/45] msix: Factor out msix_message_from_vector Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 11/45] msi: Factor out delivery hook Jan Kiszka
2011-10-17 10:56 ` Avi Kivity
2011-10-17 11:15 ` Jan Kiszka
2011-10-17 11:22 ` Avi Kivity
2011-10-17 11:29 ` Jan Kiszka
2011-10-17 12:14 ` Avi Kivity
2011-10-17 18:59 ` Jan Kiszka
2011-10-17 13:41 ` Michael S. Tsirkin
2011-10-17 13:41 ` Avi Kivity
2011-10-17 13:48 ` Michael S. Tsirkin
2011-10-17 19:18 ` Jan Kiszka
2011-10-17 13:43 ` Michael S. Tsirkin
2011-10-17 19:15 ` Jan Kiszka
2011-10-18 12:05 ` Michael S. Tsirkin
2011-10-18 12:23 ` Jan Kiszka
2011-10-18 12:38 ` Michael S. Tsirkin
2011-10-18 12:41 ` Jan Kiszka
2011-10-18 12:44 ` malc
2011-10-18 12:49 ` Michael S. Tsirkin
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 12/45] msi: Introduce MSIRoutingCache Jan Kiszka
2011-10-17 11:06 ` Avi Kivity
2011-10-17 11:19 ` Jan Kiszka
2011-10-17 11:25 ` Avi Kivity
2011-10-17 11:31 ` Jan Kiszka
2011-10-17 12:17 ` Avi Kivity
2011-10-17 15:37 ` Michael S. Tsirkin
2011-10-17 19:19 ` Jan Kiszka
2011-10-18 12:17 ` Michael S. Tsirkin
2011-10-18 12:26 ` Jan Kiszka
2011-10-17 15:43 ` Michael S. Tsirkin
2011-10-17 19:23 ` Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 13/45] hpet: Use msi_deliver Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 14/45] qemu-kvm: Drop useless kvm_clear_gsi_routes Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 15/45] qemu-kvm: Drop unused kvm_del_irq_route Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 16/45] qemu-kvm: Use MSIMessage and MSIRoutingCache Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 17/45] qemu-kvm: Track MSIRoutingCache in KVM routing table Jan Kiszka
2011-10-17 11:13 ` Avi Kivity
2011-10-17 11:25 ` Jan Kiszka
2011-10-17 12:15 ` Avi Kivity
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 18/45] qemu-kvm: Hook into MSI delivery at APIC level Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 19/45] qemu-kvm: Factor out kvm_msi_irqfd_set Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 20/45] qemu-kvm: msix: Only invoke msix_handle_mask_update on changes Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 21/45] qemu-kvm: msix: Don't fire notifier spuriously on set/unset Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 22/45] qemu-kvm: msix: Fire mask notifier on global mask changes Jan Kiszka
2011-10-17 12:16 ` Michael S. Tsirkin
2011-10-17 19:00 ` Jan Kiszka
2011-10-18 12:40 ` Michael S. Tsirkin
2011-10-18 12:45 ` Jan Kiszka
2011-10-18 12:57 ` Michael S. Tsirkin
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 23/45] qemu-kvm: Rework MSI-X mask notifier to generic MSI config notifiers Jan Kiszka
2011-10-17 11:40 ` Michael S. Tsirkin
2011-10-17 11:45 ` Jan Kiszka
2011-10-17 12:39 ` Michael S. Tsirkin
2011-10-17 19:08 ` Jan Kiszka
2011-10-18 13:46 ` Michael S. Tsirkin
2011-10-18 13:49 ` Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 24/45] qemu-kvm: msix: Don't handle mask updated while disabled Jan Kiszka
2011-10-17 9:27 ` [Qemu-devel] [RFC][PATCH 25/45] qemu-kvm: Update MSI cache on kvm_msi_irqfd_set Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 26/45] qemu-kvm: Use g_realloc for irq_routes extension Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 27/45] qemu-kvm: Lazily update MSI caches Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 28/45] qemu-kvm: msix: Drop tracking of used vectors Jan Kiszka
2011-10-17 15:48 ` Michael S. Tsirkin
2011-10-17 19:28 ` Jan Kiszka
2011-10-18 11:58 ` Michael S. Tsirkin
2011-10-18 12:08 ` Jan Kiszka
2011-10-18 12:33 ` Michael S. Tsirkin
2011-10-18 12:38 ` Jan Kiszka
2011-10-18 12:48 ` Michael S. Tsirkin
2011-10-18 13:00 ` Jan Kiszka
2011-10-18 13:37 ` Michael S. Tsirkin
2011-10-18 13:46 ` Jan Kiszka
2011-10-18 14:01 ` Michael S. Tsirkin
2011-10-18 14:08 ` Jan Kiszka
2011-10-18 15:08 ` Michael S. Tsirkin
2011-10-18 15:22 ` Jan Kiszka
2011-10-18 15:55 ` Jan Kiszka
2011-10-18 17:06 ` Michael S. Tsirkin
2011-10-18 18:24 ` Jan Kiszka
2011-10-18 18:40 ` Michael S. Tsirkin
2011-10-18 19:37 ` Jan Kiszka
2011-10-18 21:40 ` Michael S. Tsirkin
2011-10-18 22:13 ` Jan Kiszka
2011-10-19 0:56 ` Michael S. Tsirkin
2011-10-19 6:41 ` Jan Kiszka
2011-10-19 9:03 ` Michael S. Tsirkin
2011-10-19 11:17 ` Jan Kiszka
2011-10-20 22:02 ` Michael S. Tsirkin
2011-10-21 7:09 ` Jan Kiszka
2011-10-21 7:54 ` Michael S. Tsirkin
2011-10-21 9:27 ` Jan Kiszka
2011-10-21 10:57 ` Michael S. Tsirkin
2011-10-18 18:26 ` Jan Kiszka
2011-10-18 15:56 ` Michael S. Tsirkin
2011-10-18 15:58 ` Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 29/45] pci-assign: Drop kvm_assigned_irq::host_irq initialization Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 30/45] pci-assign: Rename assign_irq to assign_intx Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 31/45] qemu-kvm: Refactor kvm_deassign_irq to kvm_device_irq_deassign Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 32/45] pci-assign: Factor out deassign_irq Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 33/45] qemu-kvm: Factor out kvm_device_intx_assign Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 34/45] qemu-kvm: Factor out kvm_device_msi_assign Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 35/45] pci-assign: Polish assigned_dev_update_msix_mmio Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 36/45] qemu-kvm: Factor out kvm_device_msix_* services Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 37/45] qemu-kvm: Clean up irqrouting API Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 38/45] msi: Implement config notifiers for legacy MSI Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 39/45] pci-assign: Use generic MSI support Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 40/45] qemu-kvm: msix: Drop check for preexisting cap from msix_add_config Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 41/45] msix: Drop unused msix_bar_size Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 42/45] msix: Introduce msix_init_simple Jan Kiszka
2011-10-17 11:22 ` Michael S. Tsirkin
2011-10-17 11:27 ` Jan Kiszka
2011-10-17 14:28 ` Michael S. Tsirkin
2011-10-17 19:21 ` Jan Kiszka
2011-10-18 10:52 ` Michael S. Tsirkin
2011-10-18 11:02 ` Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 43/45] msix: Allow to customize capability on init Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 44/45] pci-assign: Use generic MSI-X support Jan Kiszka
2011-10-17 9:28 ` [Qemu-devel] [RFC][PATCH 45/45] pci-assign: Fix coding style issues Jan Kiszka
2011-10-17 12:18 ` [Qemu-devel] [RFC][PATCH 00/45] qemu-kvm: MSI layer rework for in-kernel irqchip support Avi Kivity
2011-10-17 15:57 ` Michael S. Tsirkin
2011-10-17 19:35 ` Jan Kiszka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111017111045.GB4537@redhat.com \
--to=mst@redhat.com \
--cc=alex.williamson@redhat.com \
--cc=avi@redhat.com \
--cc=jan.kiszka@siemens.com \
--cc=kvm@vger.kernel.org \
--cc=mtosatti@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).