msix: Prevent bogus mask updates on MMIO accesses

>From: Jan Kiszka <jan.kiszka@siemens.com> Only accesses to the MSI-X table must trigger a call to msix_handle_mask_update, otherwise the vector value might be out of range. Signed-off-by: N Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: N Michael S. Tsirkin <mst@redhat.com> Signed-off-by: N Anthony Liguori <aliguori@us.ibm.com>

msix: Prevent bogus mask updates on MMIO accesses
>From: Jan Kiszka <jan.kiszka@siemens.com> Only accesses to the MSI-X table must trigger a call to msix_handle_mask_update, otherwise the vector value might be out of range. Signed-off-by: N Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: N Michael S. Tsirkin <mst@redhat.com> Signed-off-by: N Anthony Liguori <aliguori@us.ibm.com>
9a93b617 · Michael S. Tsirkin · Anthony Liguori · 50322249 · 9a93b617
隐藏空白更改
内联并排

Showing with 6 addition and 0 deletion

hw/msix.c hw/msix.c +6 -0

未找到文件。
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -176,6 +176,12 @@ static void msix_mmio_write(void *opaque, target_phys_addr_t addr,
    PCIDevice *dev = opaque;
    unsigned int offset = addr & (MSIX_PAGE_SIZE - 1) & ~0x3;
    int vector = offset / PCI_MSIX_ENTRY_SIZE;
+
+    /* MSI-X page includes a read-only PBA and a writeable Vector Control. */
+    if (vector >= dev->msix_entries_nr) {
+        return;
+    }
+
    pci_set_long(dev->msix_table_page + offset, val);
    msix_handle_mask_update(dev, vector);
 }