On 5/15/26 02:07, Junjie Cao wrote:
An 8-byte guest access to a 32-bit-only VT-d register hits
assert(size == 4) and aborts QEMU.  Found by generic-fuzz.

v1: https://lore.kernel.org/all/[email protected]/
v2: https://lore.kernel.org/all/[email protected]/
v3: https://lore.kernel.org/all/[email protected]/

Changes in v4:
   - Switch the guest-error log from error_report_once() to
     qemu_log_mask(LOG_GUEST_ERROR, ...) so it is surfaced only
     under -d guest_errors (Zhenzhong).
   - Add a block comment at each of the 4 reachable sites
     (FECTL 0x38, IECTL 0xa0, IEADDR 0xa8, PECTL 0xe0)
     explaining why the check must stay, so future readers do
     not delete it as "harmless" (Yi).
   - No functional change beyond the logging-API swap.

Changes in v3:
   - Drop v2's min_access_size=8 approach: per Zhenzhong, it
     silently zero-extends 4-byte guest writes, wiping upper
     wmask bits of 64-bit registers and firing triggers gated
     on size==8.
   - Keep min_access_size=4.  Remove the 25 assert(size == 4)
     sites: 21 are unreachable (non-8-aligned), the 4 reachable
     (FECTL 0x38, IECTL 0xa0, IEADDR 0xa8, PECTL 0xe0) fall
     through to vtd_set_long() and log a guest error.

Junjie Cao (2):
   intel_iommu: fix guest-triggerable abort on oversized MMIO access
   tests/qtest: add 8-byte MMIO access sweep for intel-iommu

  hw/i386/intel_iommu.c          | 74 ++++++++++++++++++++++------------
  tests/qtest/intel-iommu-test.c | 30 ++++++++++++++
  2 files changed, 79 insertions(+), 25 deletions(-)


base-commit: 5e61afe211e82a9af15a8794a0bd29bb574e953b

LGTM. Thanks.

Reviewed-by: Yi Liu <[email protected]>
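A constructed C model of the write path described in the cover letter, added here as an example and not QEMU's code or the patch itself: vtd_write() puts the old assert path beside the v3/v4 log-and-fall-through path, and v2_widened_write() shows why v2's min_access_size=8 was dropped. The register names, the REG_Q64 offset, the all-ones write masks and the fprintf stand-in for qemu_log_mask() are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not QEMU's code. FECTL/IEADDR are two of the 32-bit,
 * 8-byte-aligned registers named in the cover letter; REG_Q64 is a
 * hypothetical 64-bit register used to show the v2 pitfall. */
#define REG_FECTL  0x38
#define REG_IEADDR 0xa8
#define REG_Q64    0xb0
#define W 0xffffffffu                   /* every bit writable, for the model */

static uint32_t regs[64];               /* register file as 32-bit words */
static uint32_t wmask[64] = { [REG_FECTL / 4] = W, [REG_IEADDR / 4] = W,
                              [REG_Q64 / 4] = W, [REG_Q64 / 4 + 1] = W };

enum { W_OK = 0, W_WOULD_ABORT = 1, W_GUEST_ERROR = 2 };

/* vtd_set_long()/vtd_set_quad()-style writes honouring the writable mask. */
static void set_long(unsigned a, uint32_t v) {
    regs[a / 4] = (regs[a / 4] & ~wmask[a / 4]) | (v & wmask[a / 4]);
}
static void set_quad(unsigned a, uint64_t v) {
    set_long(a, (uint32_t)v); set_long(a + 4, (uint32_t)(v >> 32));
}
static uint64_t read_quad(unsigned a) { return ((uint64_t)regs[a / 4 + 1] << 32) | regs[a / 4]; }

/* fixed == 0 models the old handler: an 8-byte write to a 32-bit register
 * trips assert(size == 4) (W_WOULD_ABORT stands in for the abort).
 * fixed != 0 models v3/v4: report the guest error (fprintf stands in for
 * qemu_log_mask(LOG_GUEST_ERROR, ...)) and fall through to set_long(). */
static int vtd_write(unsigned a, uint64_t v, unsigned size, int fixed) {
    if (a == REG_Q64) {                 /* 64-bit register: both sizes legal */
        if (size == 8) set_quad(a, v); else set_long(a, (uint32_t)v);
        return W_OK;
    }
    if (size == 4) { set_long(a, (uint32_t)v); return W_OK; }
    if (!fixed) return W_WOULD_ABORT;
    fprintf(stderr, "vtd: %u-byte write to 32-bit reg 0x%x\n", size, a);
    set_long(a, (uint32_t)v);
    return W_GUEST_ERROR;
}

/* The v2 pitfall: min_access_size=8 makes the memory core widen a 4-byte
 * guest write into an 8-byte write of the zero-extended value, clearing
 * the writable bits of the upper word. */
static uint64_t v2_widened_write(unsigned a, uint32_t v) {
    set_quad(a, (uint64_t)v);
    return read_quad(a);
}
```

With min_access_size kept at 4, a 4-byte guest write to the 64-bit register only touches the low word, which is what the v3/v4 series preserves.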
