From: Peter Maydell
To: qemu-arm@nongnu.org, qemu-devel@nongnu.org
Date: Thu, 12 Jul 2018 16:41:51 +0100
Message-Id: <20180712154152.32183-2-peter.maydell@linaro.org>
In-Reply-To: <20180712154152.32183-1-peter.maydell@linaro.org>
Subject: [Qemu-devel] [PATCH for-3.0 1/2] hw/intc/arm_gic: Check interrupt number in gic_deactivate_irq()
Cc: Jan Kiszka, Luc Michel, patches@linaro.org

In gic_deactivate_irq() the interrupt number comes from the guest (on a write to the GICC_DIR register), so we need to sanity check that it isn't out of range before we use it as an array index. Handle this in a similar manner to the check we do in gic_complete_irq() for the GICC_EOI register.

The array overrun is not disastrous because the calling code uses (value & 0x3ff) to extract the interrupt field, so the only out-of-range values possible are 1020..1023, which allow overrunning only from irq_state[] into the following irq_target[] array which the guest can already manipulate.

Signed-off-by: Peter Maydell
Reviewed-by: Luc Michel
Reviewed-by: Richard Henderson
---
 hw/intc/arm_gic.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
index ea0323f9691..b0a69d6386e 100644
--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
@@ -543,7 +543,21 @@ static bool gic_eoi_split(GICState *s, int cpu, MemTxA= ttrs attrs) static void gic_deactivate_irq(GICState *s, int cpu, int irq, MemTxAttrs a= ttrs) { int cm =3D 1 << cpu; - int group =3D gic_has_groups(s) && GIC_TEST_GROUP(irq, cm); + int group; + + if (irq >=3D s->num_irq) { + /* + * This handles two cases: + * 1. If software writes the ID of a spurious interrupt [ie 1023] + * to the GICC_DIR, the GIC ignores that write. + * 2. If software writes the number of a non-existent interrupt + * this must be a subcase of "value written is not an active inter= rupt" + * and so this is UNPREDICTABLE. We choose to ignore it. + */ + return; + } + + group =3D gic_has_groups(s) && GIC_TEST_GROUP(irq, cm); =20 if (!gic_eoi_split(s, cpu, attrs)) { /* This is UNPREDICTABLE; we choose to ignore it */ --=20 2.17.1
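Review bot: the new comment's case 1 names only 1023, but the `if (irq >=3D s->num_irq)` test silently drops every reserved ID 1020..1023 (the only out-of-range values the caller's `& 0x3ff` mask can produce, as the commit message says) as well as any non-existent IRQ below 1020; state that range in the comment so it matches what the check actually covers. Since case 2 is UNPREDICTABLE guest behaviour rather than an architected no-op, consider a qemu_log_mask(LOG_GUEST_ERROR, ...) before the `return;` so a misbehaving guest shows up in the log instead of vanishing. Nit: "[ie 1023]" should read "(i.e. 1023)".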
From: Peter Maydell
To: qemu-arm@nongnu.org, qemu-devel@nongnu.org
Date: Thu, 12 Jul 2018 16:41:52 +0100
Message-Id: <20180712154152.32183-3-peter.maydell@linaro.org>
In-Reply-To: <20180712154152.32183-1-peter.maydell@linaro.org>
Subject: [Qemu-devel] [PATCH for-3.0 2/2] hw/intc/arm_gic: Fix handling of GICD_ITARGETSR
Cc: Jan Kiszka, Luc Michel, patches@linaro.org

The GICD_ITARGETSR implementation still has some 11MPCore behaviour that we were incorrectly using in our GICv1 and GICv2 implementations for the case where the interrupt number is less than GIC_INTERNAL. The desired behaviour here is:

 * for 11MPCore: RAZ/WI for irqs 0..28; read a number matching the CPU doing the read for irqs 29..31
 * for GICv1 and v2: RAZ/WI if uniprocessor; otherwise read a number matching the CPU doing the read for all irqs < 32

Stop squashing GICD_ITARGETSR to 0 for IRQs 0..28 unless this is an 11MPCore GIC.

Reported-by: Jan Kiszka
Signed-off-by: Peter Maydell
Reviewed-by: Luc Michel
Reviewed-by: Richard Henderson
---
 hw/intc/arm_gic.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
index b0a69d6386e..34dc84ae813 100644
--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
@@ -751,7 +751,9 @@ static uint32_t gic_dist_readb(void *opaque, hwaddr off= set, MemTxAttrs attrs) if (irq >=3D s->num_irq) { goto bad_reg; } - if (irq >=3D 29 && irq <=3D 31) { + if (irq < 29 && s->revision =3D=3D REV_11MPCORE) { + res =3D 0; + } else if (irq < GIC_INTERNAL) { res =3D cm; } else { res =3D GIC_TARGET(irq); @@ -1014,7 +1016,7 @@ static void gic_dist_writeb(void *opaque, hwaddr offs= et, if (irq >=3D s->num_irq) { goto bad_reg; } - if (irq < 29) { + if (irq < 29 && s->revision =3D=3D REV_11MPCORE) { value =3D 0; } else if (irq < GIC_INTERNAL) { value =3D ALL_CPU_MASK; --=20 2.17.1
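Review bot: in the gic_dist_readb hunk (@@ -751), the commit message promises RAZ for irqs below 32 on a uniprocessor GICv1/v2, but the new `} else if (irq < GIC_INTERNAL) { res =3D cm;` branch returns the reader's CPU bit whatever s->num_cpu is. Either the uniprocessor case is handled by code outside this hunk, in which case a one-line comment here would save the next reader the search, or the branch needs an `s->num_cpu == 1` test that yields 0. Also, 29 is a bare magic number on the 11MPCore line; a named constant or a comment tying it to the 11MPCore's per-CPU irqs 29..31 that the commit message describes would help.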
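Review bot: in the gic_dist_writeb hunk (@@ -1014), the predicate `irq < 29 && s->revision =3D=3D REV_11MPCORE` is now duplicated verbatim with the read side, and the two sides must stay in step for the register to read back what the commit message specifies; a small static helper (e.g. gic_irq_is_11mpcore_raz_wi(s, irq), name assumed) shared by gic_dist_readb and gic_dist_writeb would keep them from drifting apart. The same uniprocessor question as on the read side applies here: a uniprocessor GICv2 now takes the `} else if (irq < GIC_INTERNAL) { value =3D ALL_CPU_MASK;` path rather than being WI, so if that is intentional because the read path masks it, a comment saying so would help.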
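As an added illustration of the two guest-facing paths these patches touch, here is a toy model in C. It is not code from the patches or from QEMU: the struct layout, the GIC_ACTIVE flag, the revision enum values and every function name are assumptions. It shows the GICC_DIR deactivate path with the 1/2 bounds check, the offset arithmetic behind the 1/2 commit message's remark that an unchecked ID of 1020..1023 lands in the following irq_target[] array, and GICD_ITARGETSR reads and writes implementing the per-revision table the 2/2 commit message gives as the desired behaviour. Note that the ITARGETSR part goes beyond the 2/2 hunk: it also implements the uniprocessor RAZ/WI case from the commit message's table.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy layout and names, assumed for illustration; not QEMU's GICState. */
#define GIC_MAXIRQ   1020   /* size of the per-IRQ arrays */
#define GIC_INTERNAL 32     /* SGIs 0..15 and PPIs 16..31 are banked per CPU */
#define GIC_ACTIVE   0x08   /* assumed "active" flag bit in irq_state[] */
enum { REV_11MPCORE, REV_GICV1, REV_GICV2 };

typedef struct {
    int revision, num_cpu, num_irq;   /* num_irq <= GIC_MAXIRQ */
    uint8_t irq_state[GIC_MAXIRQ];    /* per-IRQ state flags */
    uint8_t irq_target[GIC_MAXIRQ];   /* per-IRQ CPU target mask, guest-writable */
} ToyGIC;

/* Index inside irq_target[] that an unchecked irq_state[irq] access would hit,
 * or -1 if it stays in irq_state[] or leaves the struct. Offset arithmetic only. */
int unchecked_overrun_index(int irq)
{
    size_t off = offsetof(ToyGIC, irq_state) + (size_t)irq;
    size_t tgt = offsetof(ToyGIC, irq_target);
    if (irq < GIC_MAXIRQ || off < tgt || off >= tgt + GIC_MAXIRQ) {
        return -1;
    }
    return (int)(off - tgt);
}

/* GICC_DIR write with the 1/2 bounds check: the ID field is masked to ten bits
 * as the commit message says, then anything at or above num_irq (which covers
 * the reserved IDs 1020..1023) is ignored. True only if something was deactivated. */
bool gicc_dir_write(ToyGIC *s, uint32_t value)
{
    int irq = value & 0x3ff;
    if (irq >= s->num_irq || !(s->irq_state[irq] & GIC_ACTIVE)) {
        return false;
    }
    s->irq_state[irq] &= (uint8_t)~GIC_ACTIVE;
    return true;
}

/* RAZ/WI rule for banked IRQs from the 2/2 commit message's table. */
static bool banked_raz_wi(const ToyGIC *s, int irq)
{
    return s->revision == REV_11MPCORE ? irq < 29 : s->num_cpu == 1;
}

/* GICD_ITARGETSR byte read: banked IRQs read 0 (RAZ) or the reader's own CPU
 * bit; SPIs read the stored target. -1 means "no such IRQ" (bad_reg). */
int gicd_itargetsr_read(const ToyGIC *s, int cpu, int irq)
{
    if (irq >= s->num_irq) {
        return -1;
    }
    if (irq < GIC_INTERNAL) {
        return banked_raz_wi(s, irq) ? 0 : 1 << cpu;
    }
    return s->irq_target[irq];
}

/* GICD_ITARGETSR byte write: WI wherever the read is RAZ; other banked IRQs are
 * forced to all CPUs as the 2/2 write hunk does; SPIs keep the value masked to
 * the CPUs that exist. False when the write is ignored. */
bool gicd_itargetsr_write(ToyGIC *s, int irq, uint8_t value)
{
    uint8_t all_cpu_mask = (uint8_t)((1u << s->num_cpu) - 1);
    if (irq >= s->num_irq || (irq < GIC_INTERNAL && banked_raz_wi(s, irq))) {
        return false;
    }
    s->irq_target[irq] = (irq < GIC_INTERNAL ? all_cpu_mask : value) & all_cpu_mask;
    return true;
}

/* Scenario helper: constructed GIC state with SPI 40 targeting CPUs 0 and 2. */
static ToyGIC make_gic(int revision, int num_cpu, int num_irq)
{
    ToyGIC g = { .revision = revision, .num_cpu = num_cpu, .num_irq = num_irq,
                 .irq_target[40] = 0x5 };
    return g;
}

/* With every IRQ active, how many of the 1024 possible ID-field values
 * deactivate something: exactly num_irq, never any of 1020..1023. */
int dir_accepted_count(int num_irq)
{
    ToyGIC g = make_gic(REV_GICV2, 4, num_irq);
    int n = 0;
    memset(g.irq_state, GIC_ACTIVE, sizeof(g.irq_state));
    for (uint32_t v = 0; v < 1024; v++) {
        n += gicc_dir_write(&g, 0xffff0000u | v);   /* high bits are masked off */
    }
    return n;
}

/* Optionally write write_value (skipped if negative), then read back as cpu. */
int itargetsr_demo(int revision, int num_cpu, int cpu, int irq, int write_value)
{
    ToyGIC g = make_gic(revision, num_cpu, 64);
    if (write_value >= 0) {
        gicd_itargetsr_write(&g, irq, (uint8_t)write_value);
    }
    return gicd_itargetsr_read(&g, cpu, irq);
}
```

The overrun helper deliberately computes where the bad access would land from struct offsets instead of performing it, so the model itself never reads out of bounds; the point it makes is that with a 10-bit field the worst case is three bytes past irq_state[], inside guest-writable data, which is why the 1/2 commit message calls the bug non-disastrous while still fixing it.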