BTW, Anthony, I think this is also stable-0.11 material.
Patch seems to apply without changes there.
--->
Fixes a couple of issues with msix table access:
- With misbehaving guests, misaligned 4 byte access could overflow
msix table and cause qemu to segfault. Since PCI spec requires
host to only issue dword-aligned accesses, as a fix,
it's enough to mask the address low bits.
- Tables use pci format, not native format, and so
we must use pci_[sg]et_long on read/write.
Reported-by: Juan Quintela <quint...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
---
Tested with x86 guest.
hw/msix.c | 11 ++++-------
1 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/hw/msix.c b/hw/msix.c
index b0dea91..3d67c4e 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -128,13 +128,10 @@ void msix_write_config(PCIDevice *dev, uint32_t addr,
static uint32_t msix_mmio_readl(void *opaque, target_phys_addr_t addr)
{
PCIDevice *dev = opaque;
- unsigned int offset = addr & (MSIX_PAGE_SIZE - 1);
+ unsigned int offset = addr & (MSIX_PAGE_SIZE - 1) & ~0x3;
void *page = dev->msix_table_page;
- uint32_t val = 0;
- memcpy(&val, (void *)((char *)page + offset), 4);
-
- return val;
+ return pci_get_long(page + offset);
}
static uint32_t msix_mmio_read_unallowed(void *opaque, target_phys_addr_t addr)
@@ -178,9 +175,9 @@ static void msix_mmio_writel(void *opaque,
target_phys_addr_t addr,
uint32_t val)
{
PCIDevice *dev = opaque;
- unsigned int offset = addr & (MSIX_PAGE_SIZE - 1);
+ unsigned int offset = addr & (MSIX_PAGE_SIZE - 1) & ~0x3;
int vector = offset / MSIX_ENTRY_SIZE;
- memcpy(dev->msix_table_page + offset, &val, 4);
+ pci_set_long(dev->msix_table_page + offset, val);
if (!msix_is_masked(dev, vector) && msix_is_pending(dev, vector)) {
msix_clr_pending(dev, vector);
msix_notify(dev, vector);
--
1.6.5.rc2
