From: Gerd Hoffmann
Subject: Re: [Qemu-arm] [Qemu-devel] [PATCH RFC] bcm2835_dma: add emulation of Raspberry Pi DMA controller
Date: Thu, 03 Mar 2016 17:16:08 +0100

  Hi,

> > +        ch->cs |= BCM2708_DMA_END;
> > +        if (ch->ti & BCM2708_DMA_INT_EN) {
> > +            ch->cs |= BCM2708_DMA_INT;
> > +            s->int_status |= (1 << c);
> > +            qemu_set_irq(ch->irq, 1);
> > +        }
> > +
> > +        /* Process next CB */
> > +        ch->conblk_ad = ch->nextconbk;
> > +    }
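Review bot: the loop body ends with `ch->conblk_ad = ch->nextconbk;` and nothing in the hunk records which control blocks have already been handled, so a guest-written chain whose `nextconbk` points at an earlier CB (or at itself) keeps this loop running until QEMU stops responding. Bound the work per invocation, either with an iteration cap or by remembering the CB addresses processed in this run, and stop the channel with an error status when the cap is reached or a CB repeats; the `BCM2708_DMA_END` / `BCM2708_DMA_INT` handling above the advance can stay as it is.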
> 
> This loop allows a guest to make QEMU lock up (stop responding to monitor
> commands, etc) if it feeds the device a circular loop of CBs. On the other
> hand I don't think we have a good approach to avoiding this problem,
> so never mind.

usb emulation has this problem too.

uhci queue heads can go in circles.  The emulation code keeps a linked
list of active queue heads, which is (among other bookkeeping things)
used to detect when we run in circles.  It's a legal thing to do for a
guest btw, so you can see that happening in practice.

until recently ehci could be tricked into running in loops too, by
creating a circular chain of IDTs.  Which is not legal according to
specs, so this went unnoticed for a while.  But a malicious guest can do
it nevertheless.  That one was fixed by stopping IDT processing in case
no data was transferred.  This is possible because the ehci controller
writes back the status to the IDT, so we can figure there is nothing to
do (because we already processed that IDT) without additional
bookkeeping, by simply checking the status.

From a brief look at the patch it seems you can not use the latter for
the bcm2835 dma controller, I can't spot a place where some status
is written back to the dma control block ...

cheers,
  Gerd
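As an added illustration (not part of Gerd's message, nor QEMU's own code), here is a small C model of a DMA control-block walker with the bookkeeping the thread describes: a visited set of CB addresses for the current run (the uhci approach) plus a per-run cap. The `DmaCb` layout, `dma_run_chain`, the error codes and `MAX_CBS_PER_RUN` are assumptions for the demo; guest memory is a constructed table indexed by CB address.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Stand-in for a bcm2835 DMA control block (CB) as the guest lays it out in
 * memory, named after the patch excerpt (nextconbk == 0 ends the chain).
 * CB addresses are indices into a small constructed guest-memory table. */
typedef struct {
    uint32_t ti;         /* transfer info (not needed for the walk) */
    uint32_t nextconbk;  /* address of the next CB, 0 = end of chain */
} DmaCb;

#define GUEST_CBS 12       /* size of the constructed guest memory */
#define MAX_CBS_PER_RUN 4  /* hypothetical bound on CBs handled per run */
enum { DMA_ERR_LOOP = -1, DMA_ERR_BAD_ADDR = -2, DMA_ERR_LIMIT = -3 };

/* Walk the CB chain starting at conblk_ad, handling each CB at most once.
 * Returns the number of CBs processed or a negative DMA_ERR_* code.
 * Two guards keep a guest-controlled chain from spinning the walker forever:
 * a visited set for this run (cf. uhci's active queue-head list) and a hard
 * cap on CBs per run for when guest memory is larger than the visited set. */
int dma_run_chain(const DmaCb *mem, size_t ncb, uint32_t conblk_ad)
{
    bool seen[GUEST_CBS] = { false };
    int processed = 0;

    while (conblk_ad != 0) {
        if (conblk_ad >= ncb || conblk_ad >= GUEST_CBS)
            return DMA_ERR_BAD_ADDR;   /* CB pointer outside guest memory */
        if (seen[conblk_ad])
            return DMA_ERR_LOOP;       /* circular chain: CB already handled */
        if (processed >= MAX_CBS_PER_RUN)
            return DMA_ERR_LIMIT;      /* bounded work per run */
        seen[conblk_ad] = true;
        /* the real emulation would perform mem[conblk_ad]'s transfer here */
        processed++;
        conblk_ad = mem[conblk_ad].nextconbk;   /* "Process next CB" */
    }
    return processed;
}

/* Constructed sample chains (index 0 is the end-of-chain marker). */
static const DmaCb sample_mem[GUEST_CBS] = {
    [1] = { 0, 2 },  [2] = { 0, 0 },                   /* 1 -> 2 -> end */
    [3] = { 0, 4 },  [4] = { 0, 5 },  [5] = { 0, 6 },
    [6] = { 0, 7 },  [7] = { 0, 0 },                   /* 5 CBs, over the cap */
    [8] = { 0, 9 },  [9] = { 0, 8 },                   /* 8 <-> 9 loop */
    [10] = { 0, 10 },                                  /* self-loop */
    [11] = { 0, 99 },                                  /* dangling pointer */
};
```

In a real device model the cap would pause the channel and resume on the next run rather than fail it; the point is that a circular chain never revisits a CB and bad pointers are rejected instead of dereferenced.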