author | Peter Maydell <peter.maydell@linaro.org> | 2017-01-09 11:56:49 +0000 |
---|---|---|
committer | Peter Maydell <peter.maydell@linaro.org> | 2017-01-09 11:56:49 +0000 |
commit | 8305f9bdf7ca41ee5cabe018fb37b73472c1162d (patch) | |
tree | 72a6405226f7e5dfe46e6ceaec16b4eeb61c9169 /hw/block/m25p80.c | |
parent | ffe22bf51065dd33022cf91f77a821d1f11c250d (diff) | |
parent | 556899fc1965d82f5c4a3ba6a0be3b1193e2c4b2 (diff) | |
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20170109' into staging
target-arm queue:
* i2c: Allow I2C devices to NAK start events
* hw/char: QOM'ify exynos4210_uart.c
* clean up and refactor virt-acpi-build.c
* virt-acpi-build: Don't incorrectly claim architectural timer
to be edge-triggered
* m25p80: Don't let rogue SPI controllers cause buffer overruns
* imx_spi: Remove broken MSGDATA register support
# gpg: Signature made Mon 09 Jan 2017 11:52:49 GMT
# gpg: using RSA key 0x3C2525ED14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
# gpg: aka "Peter Maydell <pmaydell@gmail.com>"
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>"
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE
* remotes/pmaydell/tags/pull-target-arm-20170109: (21 commits)
hw/ssi/imx_spi.c: Remove MSGDATA register support
m25p80: don't let rogue SPI controllers cause buffer overruns
hw/arm/virt-acpi-build: Don't incorrectly claim architectural timer to be edge-triggered
hw/arm/virt: remove VirtGuestInfo
hw/arm/virt-acpi-build: don't save VirtGuestInfo on AcpiBuildState
hw/arm/virt-acpi-build: remove redundant members from VirtGuestInfo
hw/arm/virt: pass VirtMachineState instead of VirtGuestInfo
hw/arm/virt: move VirtMachineState/Class to virt.h
hw/arm/virt: remove include/hw/arm/virt-acpi-build.h
hw/arm/virt: eliminate struct VirtGuestInfoState
hw/arm/virt: use VirtMachineState.gic_version
hw/arm/virt: parameter passing cleanups
hw/arm/virt-acpi-build: fadt: improve flag naming
hw/arm/virt-acpi-build: gtdt: improve flag naming
hw/arm/virt-acpi-build: name GIC CPU Interface Structure appropriately
hw/arm/virt-acpi-build: add all missing cpu_to_le's
hw/arm/virt: Don't incorrectly claim architectural timer to be edge-triggered
hw/arm/virt: Rename 'vbi' variables to 'vms'
hw/arm/virt: Merge VirtBoardInfo and VirtMachineState
hw/char: QOM'ify exynos4210_uart.c
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw/block/m25p80.c')
-rw-r--r-- | hw/block/m25p80.c | 29 |
1 files changed, 27 insertions, 2 deletions
diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
index e3c1166..4c5f8c3 100644
--- a/hw/block/m25p80.c
+++ b/hw/block/m25p80.c
@@ -28,6 +28,7 @@
 #include "hw/ssi/ssi.h"
 #include "qemu/bitops.h"
 #include "qemu/log.h"
+#include "qemu/error-report.h"
 #include "qapi/error.h"
 #ifndef M25P80_ERR_DEBUG
@@ -377,6 +378,8 @@ typedef enum {
 MAN_GENERIC,
 } Manufacturer;
+#define M25P80_INTERNAL_DATA_BUFFER_SZ 16
+
 typedef struct Flash {
 SSISlave parent_obj;
@@ -387,7 +390,7 @@ typedef struct Flash {
 int page_size;
 uint8_t state;
- uint8_t data[16];
+ uint8_t data[M25P80_INTERNAL_DATA_BUFFER_SZ];
 uint32_t len;
 uint32_t pos;
 uint8_t needed_bytes;
@@ -1115,6 +1118,17 @@ static uint32_t m25p80_transfer8(SSISlave *ss, uint32_t tx)
 case STATE_COLLECTING_DATA:
 case STATE_COLLECTING_VAR_LEN_DATA:
+
+ if (s->len >= M25P80_INTERNAL_DATA_BUFFER_SZ) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "M25P80: Write overrun internal data buffer. "
+ "SPI controller (QEMU emulator or guest driver) "
+ "is misbehaving\n");
+ s->len = s->pos = 0;
+ s->state = STATE_IDLE;
+ break;
+ }
+
 s->data[s->len] = (uint8_t)tx;
 s->len++;
@@ -1124,6 +1138,17 @@ static uint32_t m25p80_transfer8(SSISlave *ss, uint32_t tx)
 break;
 case STATE_READING_DATA:
+
+ if (s->pos >= M25P80_INTERNAL_DATA_BUFFER_SZ) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "M25P80: Read overrun internal data buffer. "
+ "SPI controller (QEMU emulator or guest driver) "
+ "is misbehaving\n");
+ s->len = s->pos = 0;
+ s->state = STATE_IDLE;
+ break;
+ }
+
 r = s->data[s->pos];
 s->pos++;
 if (s->pos == s->len) {
@@ -1196,7 +1221,7 @@ static const VMStateDescription vmstate_m25p80 = {
 .pre_save = m25p80_pre_save,
 .fields = (VMStateField[]) {
 VMSTATE_UINT8(state, Flash),
- VMSTATE_UINT8_ARRAY(data, Flash, 16),
+ VMSTATE_UINT8_ARRAY(data, Flash, M25P80_INTERNAL_DATA_BUFFER_SZ),
 VMSTATE_UINT32(len, Flash),
 VMSTATE_UINT32(pos, Flash),
 VMSTATE_UINT8(needed_bytes, Flash), |
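Review bot: The `s->len >= M25P80_INTERNAL_DATA_BUFFER_SZ` guard in the STATE_COLLECTING_DATA / STATE_COLLECTING_VAR_LEN_DATA case only bounds `len` at this one use, while the vmstate hunk shows `len` and `pos` restored from the migration stream as plain `VMSTATE_UINT32` fields with no range check. Any other code that indexes `s->data` with those fields lies outside these hunks, so whether it is protected cannot be confirmed from here. Rejecting out-of-range values when the state is loaded would bound every user at once, for example a `post_load` hook containing `if (s->len > M25P80_INTERNAL_DATA_BUFFER_SZ || s->pos > M25P80_INTERNAL_DATA_BUFFER_SZ) return -EINVAL;`. The body of m25p80_transfer8 starts and ends outside the hunk.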
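Review bot: In the STATE_READING_DATA case the new guard bounds `s->pos` by the buffer capacity rather than by `s->len`, and the existing end test `if (s->pos == s->len)` fires only on exact equality. If this state is ever entered with `pos` already at or beyond `len` (whether that is reachable cannot be determined from the hunk), the read keeps going up to index 15 and returns bytes that were not filled for the current command. Checking both limits closes that gap: `if (s->pos >= s->len || s->pos >= M25P80_INTERNAL_DATA_BUFFER_SZ) {`. The function body continues outside the hunk.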