06c7333dfc
- Add stable patches from upstream: block-nvme-Fix-VFIO_MAP_DMA-failed-No-sp.patch hw-net-can-sja1000-fix-buff2frame_bas-an.patch hw-pci-host-q35-Ignore-write-of-reserved.patch OBS-URL: https://build.opensuse.org/request/show/910154 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=663
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
|
|
Date: Wed, 26 May 2021 16:24:38 +0200
|
|
Subject: hw/pci-host/q35: Ignore write of reserved PCIEXBAR LENGTH field
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Git-commit: 9b0ca75e0196a72523232063db1e07ae36a5077a
|
|
|
|
libFuzzer triggered the following assertion:
|
|
|
|
cat << EOF | qemu-system-i386 -M pc-q35-5.0 \
|
|
-nographic -monitor none -serial none \
|
|
-qtest stdio -d guest_errors -trace pci\*
|
|
outl 0xcf8 0xf2000060
|
|
outl 0xcfc 0x8400056e
|
|
EOF
|
|
pci_cfg_write mch 00:0 @0x60 <- 0x8400056e
|
|
Aborted (core dumped)
|
|
|
|
This is because guest wrote MCH_HOST_BRIDGE_PCIEXBAR_LENGTH_RVD
|
|
(reserved value) to the PCIE XBAR register.
|
|
|
|
There is no indication on the datasheet about what occurs when
|
|
this value is written. Simply ignore it on QEMU (and report a
|
|
guest error):
|
|
|
|
pci_cfg_write mch 00:0 @0x60 <- 0x8400056e
|
|
Q35: Reserved PCIEXBAR LENGTH
|
|
pci_cfg_read mch 00:0 @0x0 -> 0x8086
|
|
pci_cfg_read mch 00:0 @0x0 -> 0x29c08086
|
|
...
|
|
|
|
Cc: qemu-stable@nongnu.org
|
|
Reported-by: Alexander Bulekov <alxndr@bu.edu>
|
|
BugLink: https://bugs.launchpad.net/qemu/+bug/1878641
|
|
Fixes: df2d8b3ed4 ("q35: Introduce q35 pc based chipset emulator")
|
|
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
|
|
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
|
|
Message-Id: <20210526142438.281477-1-f4bug@amsat.org>
|
|
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
|
|
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
|
|
---
|
|
hw/pci-host/q35.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
|
|
index 2eb729dff5854aff586d9ac813f9..0f37cf056a9af4081f2350400ab2 100644
|
|
--- a/hw/pci-host/q35.c
|
|
+++ b/hw/pci-host/q35.c
|
|
@@ -29,6 +29,7 @@
|
|
*/
|
|
|
|
#include "qemu/osdep.h"
|
|
+#include "qemu/log.h"
|
|
#include "hw/i386/pc.h"
|
|
#include "hw/pci-host/q35.h"
|
|
#include "hw/qdev-properties.h"
|
|
@@ -318,6 +319,8 @@ static void mch_update_pciexbar(MCHPCIState *mch)
|
|
addr_mask |= MCH_HOST_BRIDGE_PCIEXBAR_64ADMSK;
|
|
break;
|
|
case MCH_HOST_BRIDGE_PCIEXBAR_LENGTH_RVD:
|
|
+ qemu_log_mask(LOG_GUEST_ERROR, "Q35: Reserved PCIEXBAR LENGTH\n");
|
|
+ return;
|
|
default:
|
|
abort();
|
|
}
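Review bot: The early `return` added at the `MCH_HOST_BRIDGE_PCIEXBAR_LENGTH_RVD` case silently keeps whatever MMCFG window was previously programmed, while the PCIEXBAR register the guest reads back presumably already holds the reserved encoding (the trace in the commit message shows the value reaching the config write), so the guest-visible register and the emulated decode can now disagree; that is a reasonable crash fix, but the reason deserves a comment at the return, e.g. `/* Datasheet is silent on this encoding: keep the current MMCFG mapping and leave the register as written. */`. A second caveat: `qemu_log_mask(LOG_GUEST_ERROR, ...)` is not rate-limited, so a guest that writes this value in a loop can flood the host log whenever `-d guest_errors` is enabled — consistent with other guest-error paths in QEMU, hence a note rather than a blocker. The `default: abort();` arm stays, which is fine only if the LENGTH field is a two-bit mask whose four encodings are all handled above; that mask definition is not visible in this hunk. `mch_update_pciexbar` starts and ends outside the hunk, so whether the code after the switch relies on state the new return now skips cannot be confirmed from here.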
|