An 8-byte guest access to a 32-bit-only VT-d register hits assert(size == 4) and aborts QEMU. Found by generic-fuzz.
v1: https://lore.kernel.org/all/[email protected]/ v2: https://lore.kernel.org/all/[email protected]/ v3: https://lore.kernel.org/all/[email protected]/ Changes in v4: - Switch the guest-error log from error_report_once() to qemu_log_mask(LOG_GUEST_ERROR, ...) so it is surfaced only under -d guest_errors (Zhenzhong). - Add a block comment at each of the 4 reachable sites (FECTL 0x38, IECTL 0xa0, IEADDR 0xa8, PECTL 0xe0) explaining why the check must stay, so future readers do not delete it as "harmless" (Yi). - No functional change beyond the logging-API swap. Changes in v3: - Drop v2's min_access_size=8 approach: per Zhenzhong, it silently zero-extends 4-byte guest writes, wiping upper wmask bits of 64-bit registers and firing triggers gated on size==8. - Keep min_access_size=4. Remove the 25 assert(size == 4) sites: 21 are unreachable (non-8-aligned), the 4 reachable (FECTL 0x38, IECTL 0xa0, IEADDR 0xa8, PECTL 0xe0) fall through to vtd_set_long() and log a guest error. Junjie Cao (2): intel_iommu: fix guest-triggerable abort on oversized MMIO access tests/qtest: add 8-byte MMIO access sweep for intel-iommu hw/i386/intel_iommu.c | 74 ++++++++++++++++++++++------------ tests/qtest/intel-iommu-test.c | 30 ++++++++++++++ 2 files changed, 79 insertions(+), 25 deletions(-) base-commit: 5e61afe211e82a9af15a8794a0bd29bb574e953b -- 2.43.0
