* [Qemu-devel] [PATCH] dma: omap: check dma channel data_type
@ 2017-01-27 12:05 P J P
2017-01-27 15:08 ` Peter Maydell
0 siblings, 1 reply; 2+ messages in thread
From: P J P @ 2017-01-27 12:05 UTC (permalink / raw)
To: Qemu Developers; +Cc: Peter Maydell, Jiang Xin, Prasad J Pandit
From: Prasad J Pandit <pjp@fedoraproject.org>
When setting dma channel 'data_type', if (value & 3) == 3,
the set 'data_type' is said to be bad. This also leads to an
OOB access in 'omap_dma_transfer_generic', while doing
cpu_physical_memory_r/w operations. Add check to avoid it.
Reported-by: Jiang Xin <jiangxin1@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/dma/omap_dma.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/hw/dma/omap_dma.c b/hw/dma/omap_dma.c
index f6f86f9..45dfe7a 100644
--- a/hw/dma/omap_dma.c
+++ b/hw/dma/omap_dma.c
@@ -878,15 +878,17 @@ static int omap_dma_ch_reg_write(struct omap_dma_s *s,
ch->burst[0] = (value & 0x0180) >> 7;
ch->pack[0] = (value & 0x0040) >> 6;
ch->port[0] = (enum omap_dma_port) ((value & 0x003c) >> 2);
- ch->data_type = 1 << (value & 3);
if (ch->port[0] >= __omap_dma_port_last)
printf("%s: invalid DMA port %i\n", __FUNCTION__,
ch->port[0]);
if (ch->port[1] >= __omap_dma_port_last)
printf("%s: invalid DMA port %i\n", __FUNCTION__,
ch->port[1]);
- if ((value & 3) == 3)
+ ch->data_type = 1 << (value & 3);
+ if ((value & 3) == 3) {
printf("%s: bad data_type for DMA channel\n", __FUNCTION__);
+ ch->data_type >>= 1;
+ }
break;
case 0x02: /* SYS_DMA_CCR_CH0 */
@@ -1988,8 +1990,10 @@ static void omap_dma4_write(void *opaque, hwaddr addr,
fprintf(stderr, "%s: bad MReqAddressTranslate sideband signal\n",
__FUNCTION__);
ch->data_type = 1 << (value & 3);
- if ((value & 3) == 3)
+ if ((value & 3) == 3) {
printf("%s: bad data_type for DMA channel\n", __FUNCTION__);
+ ch->data_type >>= 1;
+ }
break;
case 0x14: /* DMA4_CEN */
--
2.9.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [Qemu-devel] [PATCH] dma: omap: check dma channel data_type
2017-01-27 12:05 [Qemu-devel] [PATCH] dma: omap: check dma channel data_type P J P
@ 2017-01-27 15:08 ` Peter Maydell
0 siblings, 0 replies; 2+ messages in thread
From: Peter Maydell @ 2017-01-27 15:08 UTC (permalink / raw)
To: P J P; +Cc: Qemu Developers, Jiang Xin, Prasad J Pandit
On 27 January 2017 at 12:05, P J P <ppandit@redhat.com> wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> When setting dma channel 'data_type', if (value & 3) == 3,
> the set 'data_type' is said to be bad. This also leads to an
> OOB access in 'omap_dma_transfer_generic', while doing
> cpu_physical_memory_r/w operations. Add check to avoid it.
>
> Reported-by: Jiang Xin <jiangxin1@huawei.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
The data sheet just says the behaviour with value == 3
is "undefined", so I guess this is as good a way as
any other to handle it.
Applied to target-arm.next, thanks.
-- PMM
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-01-27 15:08 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-01-27 12:05 [Qemu-devel] [PATCH] dma: omap: check dma channel data_type P J P
2017-01-27 15:08 ` Peter Maydell
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.