On Tue, Jul 21, 2015 at 5:03 PM, Marc Marí <mar...@redhat.com> wrote: > @@ -338,6 +340,10 @@ static void fw_cfg_dma_transfer(FWCfgState *s) > return; > } > > + for (i = 0; i < s->dma_off; ++i) { > + fw_cfg_read(s); > + } > + > for (i = 0; i < len; i++) { > ptr[i] = fw_cfg_read(s); > }
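Review bot: the skip loop `for (i = 0; i < s->dma_off; ++i) fw_cfg_read(s);` has no upper bound on s->dma_off, so a large value written to the offset register makes the device spin through one fw_cfg_read() call per byte before the real transfer starts; clamp the offset to the entry length (reject or cap it at e->len) before this loop, hoist the skip out of the per-chunk while loop so the offset is consumed once per request rather than once per iteration, and clear s->dma_off once it has been consumed so stale state cannot carry over into the next request. The resulting semantics (offset consumed once, then reset to 0) should also be written down in docs/specs/fw_cfg.txt.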
Please consume s->dma_off bytes outside the while loop so we don't repeat this multiple times if the memory map is smaller than expected.

It would also be useful to set s->dma_off to 0 after consuming the bytes. That way the next request doesn't need to write to the register (unless it wants to use an offset). This should be documented in docs/specs/fw_cfg.txt.

Please limit dma_off to a maximum of e->len so that an out-of-bounds value doesn't burn CPU needlessly.