From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 04/10] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
Date: Mon, 15 Jul 2019 14:42:05 +0100 [thread overview]
Message-ID: <20190715134211.23063-5-peter.maydell@linaro.org> (raw)
In-Reply-To: <20190715134211.23063-1-peter.maydell@linaro.org>
From: Philippe Mathieu-Daudé <philmd@redhat.com>
Both lqspi_read() and lqspi_load_cache() expect a 32-bit
aligned address.
>From UG1085 datasheet [*] chapter on 'Quad-SPI Controller':
Transfer Size Limitations
Because of the 32-bit wide TX, RX, and generic FIFO, all
APB/AXI transfers must be an integer multiple of 4-bytes.
Shorter transfers are not possible.
Set MemoryRegionOps.impl values to force 32-bit accesses,
this way we are sure we do not access the lqspi_buf[] array
out of bound.
[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/ssi/xilinx_spips.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index 3c4e8365ee1..b29e0a4a89e 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -1239,6 +1239,10 @@ static const MemoryRegionOps lqspi_ops = {
.read_with_attrs = lqspi_read,
.write_with_attrs = lqspi_write,
.endianness = DEVICE_NATIVE_ENDIAN,
+ .impl = {
+ .min_access_size = 4,
+ .max_access_size = 4,
+ },
.valid = {
.min_access_size = 1,
.max_access_size = 4
--
2.20.1
next prev parent reply other threads:[~2019-07-15 13:43 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-15 13:42 [Qemu-devel] [PULL 00/10] target-arm queue Peter Maydell
2019-07-15 13:42 ` [Qemu-devel] [PULL 01/10] target/arm: report ARMv8-A FP support for AArch32 -cpu max Peter Maydell
2019-07-15 13:42 ` [Qemu-devel] [PULL 02/10] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs Peter Maydell
2019-07-15 13:42 ` [Qemu-devel] [PULL 03/10] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory Peter Maydell
2019-07-15 13:42 ` Peter Maydell [this message]
2019-07-15 13:42 ` [Qemu-devel] [PULL 05/10] hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO Peter Maydell
2019-07-15 13:42 ` [Qemu-devel] [PULL 06/10] hw/display/xlnx_dp: " Peter Maydell
2019-07-15 13:42 ` [Qemu-devel] [PULL 07/10] hw/arm/virt: Fix non-secure flash mode Peter Maydell
2019-07-15 13:42 ` [Qemu-devel] [PULL 08/10] pl031: Correctly migrate state when using -rtc clock=host Peter Maydell
2019-07-15 13:42 ` [Qemu-devel] [PULL 09/10] target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026 Peter Maydell
2019-07-15 13:42 ` [Qemu-devel] [PULL 10/10] target/arm: NS BusFault on vector table fetch escalates to NS HardFault Peter Maydell
2019-07-15 14:18 ` [Qemu-devel] [PULL 00/10] target-arm queue Peter Maydell
2019-07-15 17:03 ` no-reply
2019-07-16 8:55 ` no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190715134211.23063-5-peter.maydell@linaro.org \
--to=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.