From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:32795) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WGkLA-0003AP-6s for qemu-devel@nongnu.org; Fri, 21 Feb 2014 02:16:14 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WGkL1-00086E-W0 for qemu-devel@nongnu.org; Fri, 21 Feb 2014 02:16:08 -0500 Received: from mout.web.de ([212.227.17.11]:57301) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WGkL1-00085w-Nh for qemu-devel@nongnu.org; Fri, 21 Feb 2014 02:15:59 -0500 Received: from mchn199C.mchp.siemens.de ([95.157.58.223]) by smtp.web.de (mrweb004) with ESMTPSA (Nemesis) id 0LcUIo-1Wwv6Y3oOc-00jsAL for ; Fri, 21 Feb 2014 08:15:57 +0100 Message-ID: <5306FD28.8000104@web.de> Date: Fri, 21 Feb 2014 08:15:52 +0100 From: Jan Kiszka MIME-Version: 1.0 References: <1392737293-10073-1-git-send-email-peter.maydell@linaro.org> In-Reply-To: <1392737293-10073-1-git-send-email-peter.maydell@linaro.org> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="aU609up8TFaMFCHSdueWWPpQMPfRhDppa" Subject: Re: [Qemu-devel] [PATCH] hw/arm/musicpal: Remove nonexistent CDTP2, CDTP3 registers List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Peter Maydell , qemu-devel@nongnu.org Cc: patches@linaro.org This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --aU609up8TFaMFCHSdueWWPpQMPfRhDppa Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: quoted-printable On 2014-02-18 16:28, Peter Maydell wrote: > The ethernet device in the musicpal only has two tx queues, > but we modelled it with four CTDP registers, presumably a > cut and paste from the rx queue registers. Since the tx_queue[] > array is only 2 entries long this allowed a guest to overrun > this buffer. Remove the nonexistent registers. >=20 > Signed-off-by: Peter Maydell Acked-by: Jan Kiszka > --- > There's no readily available documentation for this SoC, > but I'm told the BSP for it indicates that there are > indeed only two tx queues. >=20 > hw/arm/musicpal.c | 6 ++---- > 1 file changed, 2 insertions(+), 4 deletions(-) >=20 > diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c > index 023e875..a8d0086 100644 > --- a/hw/arm/musicpal.c > +++ b/hw/arm/musicpal.c > @@ -92,8 +92,6 @@ > #define MP_ETH_CRDP3 0x4AC > #define MP_ETH_CTDP0 0x4E0 > #define MP_ETH_CTDP1 0x4E4 > -#define MP_ETH_CTDP2 0x4E8 > -#define MP_ETH_CTDP3 0x4EC > =20 > /* MII PHY access */ > #define MP_ETH_SMIR_DATA 0x0000FFFF > @@ -308,7 +306,7 @@ static uint64_t mv88w8618_eth_read(void *opaque, hw= addr offset, > case MP_ETH_CRDP0 ... MP_ETH_CRDP3: > return s->rx_queue[(offset - MP_ETH_CRDP0)/4]; > =20 > - case MP_ETH_CTDP0 ... MP_ETH_CTDP3: > + case MP_ETH_CTDP0 ... MP_ETH_CTDP1: > return s->tx_queue[(offset - MP_ETH_CTDP0)/4]; > =20 > default: > @@ -362,7 +360,7 @@ static void mv88w8618_eth_write(void *opaque, hwadd= r offset, > s->cur_rx[(offset - MP_ETH_CRDP0)/4] =3D value; > break; > =20 > - case MP_ETH_CTDP0 ... MP_ETH_CTDP3: > + case MP_ETH_CTDP0 ... MP_ETH_CTDP1: > s->tx_queue[(offset - MP_ETH_CTDP0)/4] =3D value; > break; > } >=20 --aU609up8TFaMFCHSdueWWPpQMPfRhDppa Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlMG/SsACgkQitSsb3rl5xQHdACgyImN16y5JcgceOc5hffM895H SR8AnAu9b1t7tEXUt+i55/BWPA8cHjSH =VjJv -----END PGP SIGNATURE----- --aU609up8TFaMFCHSdueWWPpQMPfRhDppa--