diff options
author | Philippe Mathieu-Daudé <philmd@redhat.com> | 2019-07-15 14:17:03 +0100 |
---|---|---|
committer | Peter Maydell <peter.maydell@linaro.org> | 2019-07-15 14:17:03 +0100 |
commit | 936a236c4e4b1068ade99220260cd04f68eb0212 (patch) | |
tree | c18d2e5e53e3de4ad62b3fd12748dee982d5f7f3 /hw/ssi/xilinx_spips.c | |
parent | 5937bd50d3841b6ab2592c1ff4233448762a8483 (diff) | |
download | qemu-936a236c4e4b1068ade99220260cd04f68eb0212.zip qemu-936a236c4e4b1068ade99220260cd04f68eb0212.tar.gz qemu-936a236c4e4b1068ade99220260cd04f68eb0212.tar.bz2 |
hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
Lei Sun found while auditing the code that a CPU write would
trigger a NULL pointer dereference.
>From UG1085 datasheet [*] AXI writes in this region are ignored
and generates an AXI Slave Error (SLVERR).
Fix by implementing the write_with_attrs() handler.
Return MEMTX_ERROR when the region is accessed (this error maps
to an AXI slave error).
[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
Reported-by: Lei Sun <slei.casper@gmail.com>
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw/ssi/xilinx_spips.c')
-rw-r--r-- | hw/ssi/xilinx_spips.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index b7c7275..3c4e836 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -1220,8 +1220,24 @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value, return lqspi_read(opaque, addr, value, size, attrs); } +static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value, + unsigned size, MemTxAttrs attrs) +{ + /* + * From UG1085, Chapter 24 (Quad-SPI controllers): + * - Writes are ignored + * - AXI writes generate an external AXI slave error (SLVERR) + */ + qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64 + " (value: 0x%" PRIx64 "\n", + __func__, size << 3, offset, value); + + return MEMTX_ERROR; +} + static const MemoryRegionOps lqspi_ops = { .read_with_attrs = lqspi_read, + .write_with_attrs = lqspi_write, .endianness = DEVICE_NATIVE_ENDIAN, .valid = { .min_access_size = 1, |