From: Jan Kiszka <jan.kiszka@siemens.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Isaku Yamahata <yamahata@valinux.co.jp>,
qemu-devel <qemu-devel@nongnu.org>
Subject: [Qemu-devel] [PATCH v2] pci: Common overflow prevention
Date: Fri, 22 Jul 2011 11:05:01 +0200 [thread overview]
Message-ID: <4E293D3D.8070904@siemens.com> (raw)
In-Reply-To: <20110722052707.GA8241@redhat.com>
On 2011-07-22 07:32, Michael S. Tsirkin wrote:
>> diff --git a/hw/pcie_host.c b/hw/pcie_host.c
>> index b749865..ed6656b 100644
>> --- a/hw/pcie_host.c
>> +++ b/hw/pcie_host.c
>> @@ -57,22 +57,22 @@ static void pcie_mmcfg_data_write(PCIBus *s,
>> {
>> PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, mmcfg_addr);
>>
>> - if (!pci_dev)
>> + if (!pci_dev) {
>> return;
>> -
>> - pci_dev->config_write(pci_dev,
>> - PCIE_MMCFG_CONFOFFSET(mmcfg_addr), val, len);
>> + }
>> + pci_config_write_common(pci_dev, PCIE_MMCFG_CONFOFFSET(mmcfg_addr),
>> + PCIE_CONFIG_SPACE_SIZE, val, len);
>> }
>>
>> static uint32_t pcie_mmcfg_data_read(PCIBus *s, uint32_t addr, int len)
>> {
>> PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, addr);
>>
>> - assert(len == 1 || len == 2 || len == 4);
>> if (!pci_dev) {
>> return ~0x0;
>> }
>> - return pci_dev->config_read(pci_dev, PCIE_MMCFG_CONFOFFSET(addr), len);
>> + return pci_config_read_common(pci_dev, PCIE_MMCFG_CONFOFFSET(addr),
>> + PCIE_CONFIG_SPACE_SIZE, len);
>
> Doesn't this one need to be pci_config_size(pci_dev)?
> We can have pci devices on an express root complex
> or behind an express to pci bridge.
Yep, right.
Thanks,
Jan
------8<------
Introduce pci_config_read/write_common helpers to prevent passing
accesses down the callback chain that go beyond the config space limits.
Adjust length assertions as they are no longer correct (cutting may
generate valid 3 byte accesses).
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
hw/pci.c | 6 ++----
hw/pci_host.c | 24 ++++++++++++++++++++----
hw/pci_host.h | 6 ++++++
hw/pcie_host.c | 12 ++++++------
4 files changed, 34 insertions(+), 14 deletions(-)
diff --git a/hw/pci.c b/hw/pci.c
index b904a4e..ef94739 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1108,8 +1108,7 @@ uint32_t pci_default_read_config(PCIDevice *d,
uint32_t address, int len)
{
uint32_t val = 0;
- assert(len == 1 || len == 2 || len == 4);
- len = MIN(len, pci_config_size(d) - address);
+
memcpy(&val, d->config + address, len);
return le32_to_cpu(val);
}
@@ -1117,9 +1116,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val, int l)
{
int i, was_irq_disabled = pci_irq_disabled(d);
- uint32_t config_size = pci_config_size(d);
- for (i = 0; i < l && addr + i < config_size; val >>= 8, ++i) {
+ for (i = 0; i < l; val >>= 8, ++i) {
uint8_t wmask = d->wmask[addr + i];
uint8_t w1cmask = d->w1cmask[addr + i];
assert(!(wmask & w1cmask));
diff --git a/hw/pci_host.c b/hw/pci_host.c
index 728e2d4..bfdc321 100644
--- a/hw/pci_host.c
+++ b/hw/pci_host.c
@@ -47,17 +47,33 @@ static inline PCIDevice *pci_dev_find_by_addr(PCIBus *bus, uint32_t addr)
return pci_find_device(bus, bus_num, devfn);
}
+void pci_config_write_common(PCIDevice *pci_dev, uint32_t addr,
+ uint32_t limit, uint32_t val, uint32_t len)
+{
+ assert(len <= 4);
+ pci_dev->config_write(pci_dev, addr, val, MIN(len, limit - addr));
+}
+
+uint32_t pci_config_read_common(PCIDevice *pci_dev, uint32_t addr,
+ uint32_t limit, uint32_t len)
+{
+ assert(len <= 4);
+ return pci_dev->config_read(pci_dev, addr, MIN(len, limit - addr));
+}
+
void pci_data_write(PCIBus *s, uint32_t addr, uint32_t val, int len)
{
PCIDevice *pci_dev = pci_dev_find_by_addr(s, addr);
uint32_t config_addr = addr & (PCI_CONFIG_SPACE_SIZE - 1);
- if (!pci_dev)
+ if (!pci_dev) {
return;
+ }
PCI_DPRINTF("%s: %s: addr=%02" PRIx32 " val=%08" PRIx32 " len=%d\n",
__func__, pci_dev->name, config_addr, val, len);
- pci_dev->config_write(pci_dev, config_addr, val, len);
+ pci_config_write_common(pci_dev, config_addr, PCI_CONFIG_SPACE_SIZE, val,
+ len);
}
uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len)
@@ -66,12 +82,12 @@ uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len)
uint32_t config_addr = addr & (PCI_CONFIG_SPACE_SIZE - 1);
uint32_t val;
- assert(len == 1 || len == 2 || len == 4);
if (!pci_dev) {
return ~0x0;
}
- val = pci_dev->config_read(pci_dev, config_addr, len);
+ val = pci_config_read_common(pci_dev, config_addr, PCI_CONFIG_SPACE_SIZE,
+ len);
PCI_DPRINTF("%s: %s: addr=%02"PRIx32" val=%08"PRIx32" len=%d\n",
__func__, pci_dev->name, config_addr, val, len);
diff --git a/hw/pci_host.h b/hw/pci_host.h
index 0a58595..e95db6c 100644
--- a/hw/pci_host.h
+++ b/hw/pci_host.h
@@ -39,6 +39,12 @@ struct PCIHostState {
PCIBus *bus;
};
+/* common internal helpers for PCI/PCIe hosts, cut off overflows */
+void pci_config_write_common(PCIDevice *pci_dev, uint32_t addr,
+ uint32_t addr_mask, uint32_t val, uint32_t len);
+uint32_t pci_config_read_common(PCIDevice *pci_dev, uint32_t addr,
+ uint32_t addr_mask, uint32_t len);
+
void pci_data_write(PCIBus *s, uint32_t addr, uint32_t val, int len);
uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len);
diff --git a/hw/pcie_host.c b/hw/pcie_host.c
index b749865..699a53a 100644
--- a/hw/pcie_host.c
+++ b/hw/pcie_host.c
@@ -57,22 +57,22 @@ static void pcie_mmcfg_data_write(PCIBus *s,
{
PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, mmcfg_addr);
- if (!pci_dev)
+ if (!pci_dev) {
return;
-
- pci_dev->config_write(pci_dev,
- PCIE_MMCFG_CONFOFFSET(mmcfg_addr), val, len);
+ }
+ pci_config_write_common(pci_dev, PCIE_MMCFG_CONFOFFSET(mmcfg_addr),
+ pci_config_size(pci_dev), val, len);
}
static uint32_t pcie_mmcfg_data_read(PCIBus *s, uint32_t addr, int len)
{
PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, addr);
- assert(len == 1 || len == 2 || len == 4);
if (!pci_dev) {
return ~0x0;
}
- return pci_dev->config_read(pci_dev, PCIE_MMCFG_CONFOFFSET(addr), len);
+ return pci_config_read_common(pci_dev, PCIE_MMCFG_CONFOFFSET(addr),
+ pci_config_size(pci_dev), len);
}
static void pcie_mmcfg_data_writeb(void *opaque,
--
1.7.3.4
next prev parent reply other threads:[~2011-07-22 9:05 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-21 16:50 [Qemu-devel] [PATCH] pci: Common overflow prevention Jan Kiszka
2011-07-22 5:32 ` Michael S. Tsirkin
2011-07-22 9:05 ` Jan Kiszka [this message]
2011-07-25 15:12 ` [Qemu-devel] [PATCH v2] " Michael S. Tsirkin
2011-07-25 15:17 ` Michael S. Tsirkin
2011-07-25 15:18 ` Jan Kiszka
2011-07-28 7:23 ` Isaku Yamahata
2011-07-28 8:40 ` Michael S. Tsirkin
2011-07-28 12:50 ` Isaku Yamahata
2011-07-29 1:01 ` Isaku Yamahata
2011-07-29 5:03 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E293D3D.8070904@siemens.com \
--to=jan.kiszka@siemens.com \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=yamahata@valinux.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).