From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 25/27] cadence_gem: Fix priority queue out of bounds access
Date: Tue,  4 Oct 2016 13:42:53 +0100
Message-ID: <1475584975-25099-26-git-send-email-peter.maydell@linaro.org>
In-Reply-To: <1475584975-25099-1-git-send-email-peter.maydell@linaro.org>

From: Alistair Francis <alistair.francis@xilinx.com>

There was an error with some of the register implementation assuming
there are 16 priority queues supported when the IP only supports 8. This
patch corrects the registers to only support 8 queues.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 33bf2d28326d22875602234b8b15cf56fb678333.1474911607.git.alistair.francis@xilinx.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/net/cadence_gem.c | 22 ++++------------------
 1 file changed, 4 insertions(+), 18 deletions(-)

diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index 8618e7a..7915732 100644
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -147,25 +147,19 @@
 #define GEM_INT_Q1_MASK                 (0x00000640 / 4)
 
 #define GEM_TRANSMIT_Q1_PTR             (0x00000440 / 4)
-#define GEM_TRANSMIT_Q15_PTR            (GEM_TRANSMIT_Q1_PTR + 14)
+#define GEM_TRANSMIT_Q7_PTR             (GEM_TRANSMIT_Q1_PTR + 6)
 
 #define GEM_RECEIVE_Q1_PTR              (0x00000480 / 4)
-#define GEM_RECEIVE_Q15_PTR             (GEM_RECEIVE_Q1_PTR + 14)
+#define GEM_RECEIVE_Q7_PTR              (GEM_RECEIVE_Q1_PTR + 6)
 
 #define GEM_INT_Q1_ENABLE               (0x00000600 / 4)
 #define GEM_INT_Q7_ENABLE               (GEM_INT_Q1_ENABLE + 6)
-#define GEM_INT_Q8_ENABLE               (0x00000660 / 4)
-#define GEM_INT_Q15_ENABLE              (GEM_INT_Q8_ENABLE + 7)
 
 #define GEM_INT_Q1_DISABLE              (0x00000620 / 4)
 #define GEM_INT_Q7_DISABLE              (GEM_INT_Q1_DISABLE + 6)
-#define GEM_INT_Q8_DISABLE              (0x00000680 / 4)
-#define GEM_INT_Q15_DISABLE             (GEM_INT_Q8_DISABLE + 7)
 
 #define GEM_INT_Q1_MASK                 (0x00000640 / 4)
 #define GEM_INT_Q7_MASK                 (GEM_INT_Q1_MASK + 6)
-#define GEM_INT_Q8_MASK                 (0x000006A0 / 4)
-#define GEM_INT_Q15_MASK                (GEM_INT_Q8_MASK + 7)
 
 #define GEM_SCREENING_TYPE1_REGISTER_0  (0x00000500 / 4)
 
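Review bot: GEM_INT_Q1_MASK is defined twice in this block, once in the context line at the top of the hunk and again just above GEM_INT_Q7_MASK, both as (0x00000640 / 4); since the patch is already tidying these definitions, the first copy could be dropped. The new upper bounds GEM_TRANSMIT_Q7_PTR and GEM_RECEIVE_Q7_PTR also hard-code + 6; deriving that from a single queue-count constant would keep the register ranges and the descriptor arrays they index from drifting apart again.
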
@@ -1372,13 +1366,13 @@ static void gem_write(void *opaque, hwaddr offset, uint64_t val,
     case GEM_RXQBASE:
         s->rx_desc_addr[0] = val;
         break;
-    case GEM_RECEIVE_Q1_PTR ... GEM_RECEIVE_Q15_PTR:
+    case GEM_RECEIVE_Q1_PTR ... GEM_RECEIVE_Q7_PTR:
         s->rx_desc_addr[offset - GEM_RECEIVE_Q1_PTR + 1] = val;
         break;
     case GEM_TXQBASE:
         s->tx_desc_addr[0] = val;
         break;
-    case GEM_TRANSMIT_Q1_PTR ... GEM_TRANSMIT_Q15_PTR:
+    case GEM_TRANSMIT_Q1_PTR ... GEM_TRANSMIT_Q7_PTR:
         s->tx_desc_addr[offset - GEM_TRANSMIT_Q1_PTR + 1] = val;
         break;
     case GEM_RXSTATUS:
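Review bot: in the GEM_RECEIVE_Q1_PTR ... GEM_RECEIVE_Q7_PTR and GEM_TRANSMIT_Q1_PTR ... GEM_TRANSMIT_Q7_PTR cases, the index offset - GEM_RECEIVE_Q1_PTR + 1 (and its transmit twin) is bounded only by the case range, which a guest-controlled offset selects. With the Q7 bound the highest index is 7 where the Q15 bound allowed 15, but nothing here ties that to the declared length of rx_desc_addr and tx_desc_addr. A build-time assertion next to the macro definitions, checking that the last queue index is below the array size, would turn a future mismatch into a compile error.
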
@@ -1392,10 +1386,6 @@ static void gem_write(void *opaque, hwaddr offset, uint64_t val,
         s->regs[GEM_INT_Q1_MASK + offset - GEM_INT_Q1_ENABLE] &= ~val;
         gem_update_int_status(s);
         break;
-    case GEM_INT_Q8_ENABLE ... GEM_INT_Q15_ENABLE:
-        s->regs[GEM_INT_Q8_MASK + offset - GEM_INT_Q8_ENABLE] &= ~val;
-        gem_update_int_status(s);
-        break;
     case GEM_IDR:
         s->regs[GEM_IMR] |= val;
         gem_update_int_status(s);
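Review bot: the commit message describes an out-of-bounds access, but the GEM_INT_Q8_ENABLE ... GEM_INT_Q15_ENABLE case removed here writes to s->regs rather than to the descriptor pointer arrays, and the message does not say whether that access was itself out of bounds or is removed only because the IP has no such queues. One sentence in the commit message naming which accesses overran which array would help anyone assessing the fix for backporting.
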
@@ -1404,10 +1394,6 @@ static void gem_write(void *opaque, hwaddr offset, uint64_t val,
         s->regs[GEM_INT_Q1_MASK + offset - GEM_INT_Q1_DISABLE] |= val;
         gem_update_int_status(s);
         break;
-    case GEM_INT_Q8_DISABLE ... GEM_INT_Q15_DISABLE:
-        s->regs[GEM_INT_Q8_MASK + offset - GEM_INT_Q8_DISABLE] |= val;
-        gem_update_int_status(s);
-        break;
     case GEM_SPADDR1LO:
     case GEM_SPADDR2LO:
     case GEM_SPADDR3LO:
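Review bot: with the GEM_INT_Q8_DISABLE ... GEM_INT_Q15_DISABLE case gone (and the matching enable case above), a guest write to those offsets is handled by whatever the rest of the switch in gem_write does, which this hunk does not show. It is worth confirming that this path does not update interrupt state, and ideally that it reports the access as a guest error so a driver written for a 16-queue variant is easy to diagnose.
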
-- 
2.7.4
