From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:49642) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RSXA8-0005ma-6g for qemu-devel@nongnu.org; Mon, 21 Nov 2011 11:56:12 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1RSXA3-0003Se-F8 for qemu-devel@nongnu.org; Mon, 21 Nov 2011 11:56:07 -0500 Received: from mx1.redhat.com ([209.132.183.28]:35701) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RSXA3-0003SO-6Z for qemu-devel@nongnu.org; Mon, 21 Nov 2011 11:56:03 -0500 Date: Mon, 21 Nov 2011 18:57:31 +0200 From: "Michael S. Tsirkin" Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Subject: [Qemu-devel] [PATCH for v1.0 2/3] msix: Prevent bogus mask updates on MMIO accesses List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Blue Swirl , Jan Kiszka , Anthony Liguori , Alexander Graf , "Michael S. Tsirkin" >From: Jan Kiszka Only accesses to the MSI-X table must trigger a call to msix_handle_mask_update, otherwise the vector value might be out of range. Signed-off-by: Jan Kiszka Signed-off-by: Michael S. Tsirkin --- hw/msix.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/hw/msix.c b/hw/msix.c index 63b41b9..2969601 100644 --- a/hw/msix.c +++ b/hw/msix.c @@ -176,6 +176,12 @@ static void msix_mmio_write(void *opaque, target_phys_addr_t addr, PCIDevice *dev = opaque; unsigned int offset = addr & (MSIX_PAGE_SIZE - 1) & ~0x3; int vector = offset / PCI_MSIX_ENTRY_SIZE; + + /* MSI-X page includes a read-only PBA and a writeable Vector Control. */ + if (vector >= dev->msix_entries_nr) { + return; + } + pci_set_long(dev->msix_table_page + offset, val); msix_handle_mask_update(dev, vector); } -- 1.7.5.53.gc233e
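Review bot: the new early return in msix_mmio_write is the right fix for the out-of-range vector, but its comment under-describes what the check does: it drops every write whose offset lies past the last table entry (vector >= dev->msix_entries_nr), which covers the PBA and any padding in the MSI-X page, not just a read-only PBA versus a writeable Vector Control word, so the comment would be clearer as something like "/* Writes past the table (PBA, padding) are ignored; the PBA is read-only. */". Since offset is derived directly from a guest-controlled MMIO address, bounding vector before both pci_set_long() and msix_handle_mask_update() is the correct place for the check, and it is worth stating in the commit message that this is guest-reachable rather than only "the vector value might be out of range". The read path (msix_mmio_read) is not in this hunk; if it computes vector the same way it deserves the same bound, but that cannot be judged from the lines shown.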