authorMichael S. Tsirkin <mst@redhat.com>2011-11-21 18:57:31 +0200
committerAnthony Liguori <aliguori@us.ibm.com>2011-11-21 15:05:59 -0600
commit9a93b61730e3b46ef1c01ca522c6abe80ec13832 (patch)
tree980eadcaf28fc5e87f359e032d5b1ce6076fad73
parent50322249fdfa3fb8bc6a67c50aebb0f9c36bafb6 (diff)
msix: Prevent bogus mask updates on MMIO accesses
From: Jan Kiszka <jan.kiszka@siemens.com> Only accesses to the MSI-X table must trigger a call to msix_handle_mask_update, otherwise the vector value might be out of range. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
-rw-r--r--hw/msix.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/hw/msix.c b/hw/msix.c
index 63b41b9..2969601 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -176,6 +176,12 @@ static void msix_mmio_write(void *opaque, target_phys_addr_t addr,
PCIDevice *dev = opaque;
unsigned int offset = addr & (MSIX_PAGE_SIZE - 1) & ~0x3;
int vector = offset / PCI_MSIX_ENTRY_SIZE;
+
+ /* MSI-X page includes a read-only PBA and a writeable Vector Control. */
+ if (vector >= dev->msix_entries_nr) {
+ return;
+ }
+
pci_set_long(dev->msix_table_page + offset, val);
msix_handle_mask_update(dev, vector);
}
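Review bot: The comment above the new guard in msix_mmio_write names the page layout but not what the early return protects. `offset` comes from the guest-supplied MMIO address, so `vector` can reach any entry index within the page, and the guard is what keeps that index below `msix_entries_nr` before msix_handle_mask_update uses it. I would say so directly, e.g. `/* Guest-chosen offset: drop writes past the MSI-X table (such as the read-only PBA) so that vector stays below msix_entries_nr. */`. As a style point, `vector` is a signed `int` derived from an `unsigned int` offset; declaring it `unsigned int` would keep the comparison free of sign conversions, assuming `msix_entries_nr` is not relied on as signed elsewhere (its declaration is not visible here). The function's opening lines are outside the hunk.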