From 27b471e574edcee7ac065a7a46f558dca0fd7bf0 Mon Sep 17 00:00:00 2001
From: Alex Williamson <alex.williamson@redhat.com>
Date: Fri, 10 Apr 2015 16:34:08 +0200
Subject: [PATCH 06/14] vfio-pci: Fix BAR size overflow
Message-id: <20150410163408.15324.43004.stgit@gimli.home>
Patchwork-id: 64792
O-Subject: [RHEL7.2 qemu-kvm PATCH 6/8] vfio-pci: Fix BAR size overflow
Bugzilla: 1181267
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Bandan Das <bsd@redhat.com>
Upstream: 29c6e6df492d81b1843e5dd999171bb84c6effea
We use an unsigned int when working with the PCI BAR size, which can
obviously overflow if the BAR is 4GB or larger. This needs to change
to a fixed length uint64_t. A similar issue is possible, though even
more unlikely, when mapping the region above an MSI-X table. The
start of the MSI-X vector table must be below 4GB, but the end, and
therefore the start of the next mapping region, could still land at
4GB.
Suggested-by: Nishank Trivedi <nishank.trivedi@netapp.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Don Slutz <dslutz@verizon.com>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
hw/misc/vfio.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
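diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
index f6e019c..607dbf4 100644
--- a/hw/misc/vfio.c
+++ b/hw/misc/vfio.c
@@ -2579,7 +2579,7 @@ empty_region:
 static void vfio_map_bar(VFIODevice *vdev, int nr)
 {
 VFIOBAR *bar = &vdev->bars[nr];
- unsigned size = bar->size;
+ uint64_t size = bar->size;
 char name[64];
 uint32_t pci_bar;
 uint8_t type;
@@ -2628,7 +2628,7 @@ static void vfio_map_bar(VFIODevice *vdev, int nr)
 }
 
 if (vdev->msix && vdev->msix->table_bar == nr) {
- unsigned start;
+ uint64_t start;
 
 start = TARGET_PAGE_ALIGN(vdev->msix->table_offset +
 (vdev->msix->entries * PCI_MSIX_ENTRY_SIZE));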
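Review bot: Widening `start` to uint64_t in the second hunk only helps if the right-hand side is already evaluated in 64 bits; `TARGET_PAGE_ALIGN(vdev->msix->table_offset + (vdev->msix->entries * PCI_MSIX_ENTRY_SIZE))` is computed in the width of its operands, and if `table_offset` is a 32-bit field (its declaration is not visible here) the sum wraps before the assignment widens it, which is exactly the end-of-table-at-4GB case the commit message describes. A cast on the first operand, `start = TARGET_PAGE_ALIGN((uint64_t)vdev->msix->table_offset + (vdev->msix->entries * PCI_MSIX_ENTRY_SIZE));`, forces the addition to 64 bits, and the mask used inside `TARGET_PAGE_ALIGN` should be checked to confirm it does not truncate a 64-bit operand. The first hunk's `uint64_t size = bar->size;` has no such issue as long as `bar->size` is itself 64-bit wide, which the page does not show. vfio_map_bar's body continues outside both hunks.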
--
1.8.3.1