[Stable-8.2.1 13/38] edu: fix DMA range upper bound check
From: Michael Tokarev
Subject: [Stable-8.2.1 13/38] edu: fix DMA range upper bound check
Date: Thu, 18 Jan 2024 10:52:40 +0300
From: Max Erenberg <merenber@uwaterloo.ca>
The edu_check_range function checks that start <= end1 < end2, where
end1 is the upper bound (exclusive) of the guest-supplied DMA range and
end2 is the upper bound (exclusive) of the device's allowed DMA range.
When the guest tries to transfer exactly DMA_SIZE (4096) bytes, end1
will be equal to end2, so the check fails and QEMU aborts with this
puzzling error message (newlines added for formatting):
    qemu: hardware error: EDU: DMA range
    0x0000000000040000-0x0000000000040fff out of bounds
    (0x0000000000040000-0x0000000000040fff)!
By checking end1 <= end2 instead, guests will be allowed to transfer
exactly 4096 bytes. It is not necessary to explicitly check for
start <= end1 because the previous two checks (within(addr, start, end2)
and end1 > addr) imply start < end1.
Fixes: b30934cb52a7 ("hw: misc, add educational driver", 2015-01-21)
Signed-off-by: Max Erenberg <merenber@uwaterloo.ca>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 2c5107e1b455d4a157124f021826ead4e04b4aea)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/hw/misc/edu.c b/hw/misc/edu.c
index a1f8bc77e7..e64a246d3f 100644
--- a/hw/misc/edu.c
+++ b/hw/misc/edu.c
@@ -115,7 +115,7 @@ static void edu_check_range(uint64_t addr, uint64_t size1,
uint64_t start,
uint64_t end2 = start + size2;
if (within(addr, start, end2) &&
- end1 > addr && within(end1, start, end2)) {
+ end1 > addr && end1 <= end2) {
return;
}
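Review bot: the new `end1 <= end2` comparison in the `if` condition is correct only because end1 and end2 are exclusive upper bounds, and nothing in the visible code says so. A one-line comment above the condition stating that, and that `end1 > addr` is what rejects an empty range, would keep a later reader from "fixing" it back to within(). The condition now uses within() for addr but a raw comparison for end1, and the reason for that asymmetry lives only in the commit message. A regression test that transfers exactly the full window size would pin the boundary case down.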
--
2.39.2
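The boundary behaviour described in the commit message, as an added stand-alone example (not part of the patch or of QEMU's source). It assumes `within()` is the half-open test `start <= addr < end` and that `end1` is `addr + size1`; `range_ok_old` and `range_ok_new` are hypothetical names that return a bool instead of raising the hardware error.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DMA_START 0x40000ULL /* window start, as in the error message */
#define DMA_SIZE  4096ULL    /* window size, as in the commit message */

/* Assumed helper: half-open membership test, start <= addr < end. */
static bool within(uint64_t addr, uint64_t start, uint64_t end)
{
    return start <= addr && addr < end;
}

/* Pre-patch condition: end1 had to be strictly below end2. */
static bool range_ok_old(uint64_t addr, uint64_t size1)
{
    uint64_t end1 = addr + size1;         /* exclusive end of the request */
    uint64_t end2 = DMA_START + DMA_SIZE; /* exclusive end of the window */
    return within(addr, DMA_START, end2) &&
           end1 > addr && within(end1, DMA_START, end2);
}

/* Patched condition: end1 may equal end2. */
static bool range_ok_new(uint64_t addr, uint64_t size1)
{
    uint64_t end1 = addr + size1;
    uint64_t end2 = DMA_START + DMA_SIZE;
    return within(addr, DMA_START, end2) && end1 > addr && end1 <= end2;
}

int main(void)
{
    /* Constructed requests: { addr, size }. */
    const uint64_t req[][2] = {
        { DMA_START, DMA_SIZE },        /* the whole window */
        { DMA_START + 4095, 1 },        /* only the last byte */
        { DMA_START, DMA_SIZE + 1 },    /* one byte past the end */
        { DMA_START, 0 },               /* empty: end1 == addr */
        { DMA_START + 8, UINT64_MAX },  /* addr + size1 wraps */
        { DMA_START - 1, 2 },           /* starts below the window */
    };
    for (size_t i = 0; i < sizeof(req) / sizeof(req[0]); i++) {
        printf("addr=0x%llx size=0x%llx old=%d new=%d\n",
               (unsigned long long)req[i][0], (unsigned long long)req[i][1],
               range_ok_old(req[i][0], req[i][1]),
               range_ok_new(req[i][0], req[i][1]));
    }
    return 0;
}
```

Only the first two requests change verdict between the two conditions: any transfer that ends on the last byte of the window was rejected before and is accepted now, while the oversized, empty, wrapping and below-window requests are rejected by both.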