Date: Sun, 26 Jul 2015 22:11:05 +0200
From: Aurelien Jarno
Message-ID: <20150726201105.GA13016@aurel32.net>
References: <1437763343-7980-1-git-send-email-hpoussin@reactos.org> <1437763343-7980-3-git-send-email-hpoussin@reactos.org>
In-Reply-To: <1437763343-7980-3-git-send-email-hpoussin@reactos.org>
Subject: Re: [Qemu-devel] [PATCH for 2.4 2/3] net/dp8393x: specify memory operations for PROM
To: Hervé Poussineau
Cc: Leon Alrae, qemu-devel@nongnu.org

On 2015-07-24 20:42, Hervé Poussineau wrote:
> This fixes a guest-triggerable QEMU crash when the guest tries to write to PROM.
> 
> Signed-off-by: Hervé Poussineau
> ---
>  hw/net/dp8393x.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
> index 8fafdb0..55168b5 100644
> --- a/hw/net/dp8393x.c
> +++ b/hw/net/dp8393x.c
> @@ -601,6 +601,16 @@ static const MemoryRegionOps dp8393x_ops = {
>      .endianness = DEVICE_NATIVE_ENDIAN,
>  };
>  
> +static bool dp8393x_rom_accepts(void *opaque, hwaddr addr, unsigned int size,
> +                                bool is_write)
> +{
> +    return !is_write;
> +}
> +
> +static const MemoryRegionOps dp8393x_rom_ops = {
> +    .valid.accepts = dp8393x_rom_accepts,
> +};
> +
>  static void dp8393x_watchdog(void *opaque)
>  {
>      dp8393xState *s = opaque;
> @@ -840,7 +850,7 @@ static void dp8393x_realize(DeviceState *dev, Error **errp)
>      s->watchdog = timer_new_ns(QEMU_CLOCK_VIRTUAL, dp8393x_watchdog, s);
>      s->regs[SONIC_SR] = 0x0004; /* only revision recognized by Linux */
>  
> -    memory_region_init_rom_device(&s->prom, OBJECT(dev), NULL, NULL,
> +    memory_region_init_rom_device(&s->prom, OBJECT(dev), &dp8393x_rom_ops, NULL,
>                                    "dp8393x-prom", SONIC_PROM_SIZE, NULL);
>      prom = memory_region_get_ram_ptr(&s->prom);
>      checksum = 0;

How does it crash in that case? I would have guessed that write accesses to
ROM are ignored by default.

Looking at other code, it seems they call memory_region_set_readonly()
instead of providing an accepts function. Maybe readonly should be the
default for a rom device?

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net
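Review bot: in the first hunk, dp8393x_rom_ops sets only .valid.accepts and leaves .read and .write unset, so the region's protection against guest writes rests entirely on dp8393x_rom_accepts returning false for is_write; a one-line comment above dp8393x_rom_ops stating that the PROM is intended to be read-only and that writes are refused through .valid.accepts (as opposed to memory_region_set_readonly(), which the reply in this thread points at) would record that intent for the next reader. The unused opaque, addr and size parameters are fine, since the callback signature requires them.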
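Review bot: the second hunk only swaps the NULL ops argument for &dp8393x_rom_ops, but the commit message says a guest write crashes QEMU without saying how, which is exactly the question the reply raises. The commit message should state what the write path does with the NULL ops pointer that the old call passed, and why refusing the access in .valid.accepts avoids it, so a reviewer can judge whether this or memory_region_set_readonly() is the right fix. It would also help to note what the guest now observes on such a write, since rejecting the access in accepts rather than silently ignoring it is guest-visible behaviour.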