aboutsummaryrefslogtreecommitdiff
path: root/hw/ssi/xilinx_spips.c
diff options
context:
space:
mode:
authorPhilippe Mathieu-Daudé <philmd@redhat.com>2019-07-15 14:17:03 +0100
committerPeter Maydell <peter.maydell@linaro.org>2019-07-15 14:17:03 +0100
commit936a236c4e4b1068ade99220260cd04f68eb0212 (patch)
treec18d2e5e53e3de4ad62b3fd12748dee982d5f7f3 /hw/ssi/xilinx_spips.c
parent5937bd50d3841b6ab2592c1ff4233448762a8483 (diff)
downloadqemu-936a236c4e4b1068ade99220260cd04f68eb0212.zip
qemu-936a236c4e4b1068ade99220260cd04f68eb0212.tar.gz
qemu-936a236c4e4b1068ade99220260cd04f68eb0212.tar.bz2
hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
Lei Sun found while auditing the code that a CPU write would trigger a NULL pointer dereference. >From UG1085 datasheet [*] AXI writes in this region are ignored and generates an AXI Slave Error (SLVERR). Fix by implementing the write_with_attrs() handler. Return MEMTX_ERROR when the region is accessed (this error maps to an AXI slave error). [*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf Reported-by: Lei Sun <slei.casper@gmail.com> Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com> Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw/ssi/xilinx_spips.c')
-rw-r--r--hw/ssi/xilinx_spips.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index b7c7275..3c4e836 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -1220,8 +1220,24 @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
return lqspi_read(opaque, addr, value, size, attrs);
}
+static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value,
+ unsigned size, MemTxAttrs attrs)
+{
+ /*
+ * From UG1085, Chapter 24 (Quad-SPI controllers):
+ * - Writes are ignored
+ * - AXI writes generate an external AXI slave error (SLVERR)
+ */
+ qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64
+ " (value: 0x%" PRIx64 "\n",
+ __func__, size << 3, offset, value);
+
+ return MEMTX_ERROR;
+}
+
static const MemoryRegionOps lqspi_ops = {
.read_with_attrs = lqspi_read,
+ .write_with_attrs = lqspi_write,
.endianness = DEVICE_NATIVE_ENDIAN,
.valid = {
.min_access_size = 1,