[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 43/97] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear
From: |
Michael Roth |
Subject: |
[PATCH 43/97] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory |
Date: |
Tue, 1 Oct 2019 18:45:22 -0500 |
From: Philippe Mathieu-Daudé <address@hidden>
Lei Sun found while auditing the code that a CPU write would
trigger a NULL pointer dereference.
>From UG1085 datasheet [*] AXI writes in this region are ignored
and generates an AXI Slave Error (SLVERR).
Fix by implementing the write_with_attrs() handler.
Return MEMTX_ERROR when the region is accessed (this error maps
to an AXI slave error).
[*]
https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
Reported-by: Lei Sun <address@hidden>
Reviewed-by: Francisco Iglesias <address@hidden>
Tested-by: Francisco Iglesias <address@hidden>
Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 936a236c4e4b1068ade99220260cd04f68eb0212)
Signed-off-by: Michael Roth <address@hidden>
---
hw/ssi/xilinx_spips.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index 9c5dd93b21..83ed5ab1e0 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -1217,8 +1217,24 @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr,
uint64_t *value,
return lqspi_read(opaque, addr, value, size, attrs);
}
+static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value,
+ unsigned size, MemTxAttrs attrs)
+{
+ /*
+ * From UG1085, Chapter 24 (Quad-SPI controllers):
+ * - Writes are ignored
+ * - AXI writes generate an external AXI slave error (SLVERR)
+ */
+ qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64
+ " (value: 0x%" PRIx64 "\n",
+ __func__, size << 3, offset, value);
+
+ return MEMTX_ERROR;
+}
+
static const MemoryRegionOps lqspi_ops = {
.read_with_attrs = lqspi_read,
+ .write_with_attrs = lqspi_write,
.endianness = DEVICE_NATIVE_ENDIAN,
.valid = {
.min_access_size = 1,
--
2.17.1
- [PATCH 46/97] i386/acpi: show PCI Express bus on pxb-pcie expanders, (continued)
- [PATCH 46/97] i386/acpi: show PCI Express bus on pxb-pcie expanders, Michael Roth, 2019/10/01
- [PATCH 03/97] qcow2: Fix full preallocation with external data file, Michael Roth, 2019/10/01
- [PATCH 32/97] vl: Fix -drive / -blockdev persistent reservation management, Michael Roth, 2019/10/01
- [PATCH 38/97] virtio-balloon: fix QEMU 4.0 config size migration incompatibility, Michael Roth, 2019/10/01
- [PATCH 49/97] virtio-balloon: Simplify deflate with pbp, Michael Roth, 2019/10/01
- [PATCH 42/97] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs, Michael Roth, 2019/10/01
- [PATCH 45/97] ioapic: kvm: Skip route updates for masked pins, Michael Roth, 2019/10/01
- [PATCH 44/97] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[], Michael Roth, 2019/10/01
- [PATCH 50/97] virtio-balloon: Better names for offset variables in inflate/deflate code, Michael Roth, 2019/10/01
- [PATCH 35/97] docs: recommend use of md-clear feature on all Intel CPUs, Michael Roth, 2019/10/01
- [PATCH 43/97] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory,
Michael Roth <=
- [PATCH 36/97] virtio-pci: fix missing device properties, Michael Roth, 2019/10/01
- [PATCH 47/97] virtio-balloon: Fix wrong sign extension of PFNs, Michael Roth, 2019/10/01
- [PATCH 26/97] target/ppc: Fix xvabs[sd]p, xvnabs[sd]p, xvneg[sd]p, xvcpsgn[sd]p, Michael Roth, 2019/10/01
- [PATCH 27/97] target/ppc: Fix xvxsigdp, Michael Roth, 2019/10/01
- [PATCH 53/97] virtio-balloon: don't track subpages for the PBP, Michael Roth, 2019/10/01
- [PATCH 48/97] virtio-balloon: Fix QEMU crashes on pagesize > BALLOON_PAGE_SIZE, Michael Roth, 2019/10/01
- [PATCH 51/97] virtio-balloon: Rework pbp tracking data, Michael Roth, 2019/10/01
- [PATCH 55/97] i386/acpi: fix gint overflow in crs_range_compare, Michael Roth, 2019/10/01
- [PATCH 64/97] iotests: Test backup job with two guest writes, Michael Roth, 2019/10/01
- [PATCH 68/97] iotests: Test unaligned blocking mirror write, Michael Roth, 2019/10/01