[Qemu-devel] [PULL 03/10] hw/ssi/xilinx_spips: Avoid AXI writes to the L
From: Peter Maydell
Subject: [Qemu-devel] [PULL 03/10] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
Date: Mon, 15 Jul 2019 14:42:04 +0100
From: Philippe Mathieu-Daudé <address@hidden>
Lei Sun found while auditing the code that a CPU write would
trigger a NULL pointer dereference.
From UG1085 datasheet [*] AXI writes in this region are ignored
and generate an AXI Slave Error (SLVERR).
Fix by implementing the write_with_attrs() handler.
Return MEMTX_ERROR when the region is accessed (this error maps
to an AXI slave error).
[*]
https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
Reported-by: Lei Sun <address@hidden>
Reviewed-by: Francisco Iglesias <address@hidden>
Tested-by: Francisco Iglesias <address@hidden>
Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
---
hw/ssi/xilinx_spips.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index b7c7275dbe4..3c4e8365ee1 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -1220,8 +1220,24 @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr,
uint64_t *value,
return lqspi_read(opaque, addr, value, size, attrs);
}
+static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value,
+ unsigned size, MemTxAttrs attrs)
+{
+ /*
+ * From UG1085, Chapter 24 (Quad-SPI controllers):
+ * - Writes are ignored
+ * - AXI writes generate an external AXI slave error (SLVERR)
+ */
+ qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64
+ " (value: 0x%" PRIx64 "\n",
+ __func__, size << 3, offset, value);
+
+ return MEMTX_ERROR;
+}
+
static const MemoryRegionOps lqspi_ops = {
.read_with_attrs = lqspi_read,
+ .write_with_attrs = lqspi_write,
.endianness = DEVICE_NATIVE_ENDIAN,
.valid = {
.min_access_size = 1,
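Review bot: the format string passed to qemu_log_mask() in lqspi_write() opens a parenthesis at " (value: 0x%" PRIx64 and never closes it before "\n", so every guest-error log line from this handler ends unbalanced; suggest " (value: 0x%" PRIx64 ")\n". Since this handler only ever sees writes, "Unexpected %u-bit write" would also be more precise than "access", and a colon after "%s" would separate the function name from the message.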
--
2.20.1