From nobody Mon Feb  9 09:52:55 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 205.139.110.61 as permitted sender) client-ip=205.139.110.61;
 envelope-from=philmd@redhat.com; helo=us-smtp-delivery-1.mimecast.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as
 permitted sender)  smtp.mailfrom=philmd@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1599131389; cv=none;
	d=zohomail.com; s=zohoarc;
	b=jdJYK30Ztni0jp/gCwWazBN84eOK2ycUcl0AwSIdGey9noSIdJn1uRg2+9lxIIWoOWJNPsshp4tdyzy8UkVjvPu3uVkNIGqG9BS3sw/wV+JHLckubgA0G6T6yt6p+Rdxjme8KPS4mI8v55I8qIEFmL4hv6hbUF/aV6PS6NErPls=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1599131389;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To;
	bh=Gfc0vh/hSxUgj/nHXInlGH3QJr0Hadg3+ww1zXZjK0w=;
	b=RLvhd+OKB3tge9J5gPPVVfw25ZDHDJCUKIYTwGuFa9pSId+Ipoz+6SxXRaK5tGdJ1xVyEltvcUeaj/Kipq0lwwxyDKxkAyAqR6rZcsAn34kMXF8PCe02EuuhSUuWMkZ5OArMRW/5mvY3sE677b5pzXf2+xUq45l0JWj0sc8Wlb8=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as
 permitted sender)  smtp.mailfrom=philmd@redhat.com;
	dmarc=pass header.from=<philmd@redhat.com> (p=none dis=none)
 header.from=<philmd@redhat.com>
Received: from us-smtp-delivery-1.mimecast.com (us-smtp-2.mimecast.com
 [205.139.110.61]) by mx.zohomail.com
	with SMTPS id 1599131389318862.8953139758501;
 Thu, 3 Sep 2020 04:09:49 -0700 (PDT)
Received: from mail-wm1-f69.google.com (mail-wm1-f69.google.com
 [209.85.128.69]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-370-Jdf9lz2-Nyi_C9Yh5764qw-1; Thu, 03 Sep 2020 07:09:44 -0400
Received: by mail-wm1-f69.google.com with SMTP id a7so854550wmc.2
        for <importer@patchew.org>; Thu, 03 Sep 2020 04:09:44 -0700 (PDT)
Return-Path: <philmd@redhat.com>
Return-Path: <philmd@redhat.com>
Received: from localhost.localdomain (50.red-83-52-54.dynamicip.rima-tde.net.
 [83.52.54.50])
        by smtp.gmail.com with ESMTPSA id
 z13sm3820908wro.97.2020.09.03.04.09.40
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 03 Sep 2020 04:09:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1599131388;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=Gfc0vh/hSxUgj/nHXInlGH3QJr0Hadg3+ww1zXZjK0w=;
	b=UKpe9sK8U3RUHZqdpXNqXB4rCXrncs31Su5LskFZuaklFP58EOqfSz06TUsDj8vnGis3Xt
	nPvrJ/0V39wrd8LVFi5JFeo09w8z+whs1G3s02p2cAfUH6SltRPjMGwSZr26xdSnJB10aN
	oqYebD4A7XYgdV5WS4hH/8uRf8fupHQ=
X-MC-Unique: Jdf9lz2-Nyi_C9Yh5764qw-1
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=Gfc0vh/hSxUgj/nHXInlGH3QJr0Hadg3+ww1zXZjK0w=;
        b=KubkfzrMGiGzI+4F/MlNe4LCkkSsxRZdEr5PY8QQKv/Y4QAL5j9aZU23D2KEEmPl3J
         vBAHfSGp3pyYgSzhC6hLitdw88mGiwBqmWNNrb9Gl9d2nECn+TC3OctUo17kHA1T98ds
         v7I7Ch1iX7Ljk0hDlbquvy6ghF6/m0gFgwViu4/V/N5Lic7AgfZkjz3b0si8DFxHZXCV
         2i50wmA7hkE4BN3IlC0oX70VdcjhqEbNXiWcC0sHZepCFr2XFf61Rquz8pBsyepMGvKg
         EsFZ3cz13XVGdAwfYNsQKc9izLcLU3IqArxNLxp5qb5d703ONgRGSKU6i3OMpehue4lG
         StuQ==
X-Gm-Message-State: AOAM5303ZXK/5NSJpqKdjYVezGs6n9APWeMMF2EJcv2LEbBQOiI9giD6
	zSvpRI9+YgTKHHo2AaHnbgntB5pGEwCHBOls24BxgG5pCJ4FivnAdADtVOBolMP5N3IqYCoaG5L
	tTriXbBQ462M5dA==
X-Received: by 2002:a1c:4c06:: with SMTP id z6mr1916146wmf.40.1599131383033;
        Thu, 03 Sep 2020 04:09:43 -0700 (PDT)
X-Google-Smtp-Source: 
 ABdhPJxa1QNXafg0ye14T7uTUb9HQ/dvqWbALHxQzlyRjgumJlibWVrf8ZVOSq1l2j24wGvld+nBug==
X-Received: by 2002:a1c:4c06:: with SMTP id z6mr1916113wmf.40.1599131382849;
        Thu, 03 Sep 2020 04:09:42 -0700 (PDT)
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
To: qemu-devel@nongnu.org
Cc: John Snow <jsnow@redhat.com>,
	Gerd Hoffmann <kraxel@redhat.com>,
	Li Qiang <liq3ea@163.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"Edgar E. Iglesias" <edgar.iglesias@gmail.com>,
	Eduardo Habkost <ehabkost@redhat.com>,
	Richard Henderson <richard.henderson@linaro.org>,
	=?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>,
	Jan Kiszka <jan.kiszka@web.de>,
	Emanuele Giuseppe Esposito <e.emanuelegiuseppe@gmail.com>,
	Eric Auger <eric.auger@redhat.com>,
	Peter Chubb <peter.chubb@nicta.com.au>,
	Beniamino Galvani <b.galvani@gmail.com>,
	Robert Foley <robert.foley@linaro.org>,
	Paolo Bonzini <pbonzini@redhat.com>,
	"Emilio G . Cota" <cota@braap.org>,
	=?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>,
	Jason Wang <jasowang@redhat.com>,
	Andrew Baumann <Andrew.Baumann@microsoft.com>,
	Laszlo Ersek <lersek@redhat.com>,
	Klaus Jensen <k.jensen@samsung.com>,
	Stefan Hajnoczi <stefanha@redhat.com>,
	Tony Nguyen <tony.nguyen@bt.com>,
	Peter Xu <peterx@redhat.com>,
	qemu-arm@nongnu.org,
	Prasad J Pandit <pjp@fedoraproject.org>,
	qemu-block@nongnu.org,
	Alistair Francis <alistair@alistair23.me>,
	Andrew Jeffery <andrew@aj.id.au>,
	Alexander Bulekov <alxndr@bu.edu>,
	Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
	"Edgar E . Iglesias" <edgar.iglesias@xilinx.com>,
	Joel Stanley <joel@jms.id.au>,
	=?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@kaod.org>,
	Peter Maydell <peter.maydell@linaro.org>,
	qemu-ppc@nongnu.org,
	Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>,
	David Gibson <david@gibson.dropbear.id.au>,
	Richard Henderson <rth@twiddle.net>
Subject: [RFC PATCH 11/12] hw/pci: Only allow PCI slave devices to write to
 direct memory
Date: Thu,  3 Sep 2020 13:08:30 +0200
Message-Id: <20200903110831.353476-12-philmd@redhat.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200903110831.353476-1-philmd@redhat.com>
References: <20200903110831.353476-1-philmd@redhat.com>
MIME-Version: 1.0
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=philmd@redhat.com
X-Mimecast-Spam-Score: 0.002
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)

Do not allow PCI slaves to write to indirect memory
regions such MMIO.

This fixes LP#1886362 and LP#1888606.

Example with the former reproducer:

  $ cat << EOF | \
    qemu-system-i386 -M q35,accel=3Dqtest \
                     -qtest stdio \
                     -trace memory_access\* \
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe1020000
  outl 0xcf8 0x80001014
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  outl 0xcf8 0x800010a2
  write 0xe102003b 0x1 0xff
  write 0xe1020103 0x1e 0xffffff055c5e5c30be4511d084fffffffffffffffffffffff=
fffffffffff
  write 0xe1020420 0x4 0xffffffff
  write 0xe1020424 0x4 0xffffffff
  write 0xe102042b 0x1 0xff
  write 0xe1020430 0x4 0x055c5e5c
  write 0x5c041 0x1 0x04
  write 0x5c042 0x1 0x02
  write 0x5c043 0x1 0xe1
  write 0x5c048 0x1 0x8a
  write 0x5c04a 0x1 0x31
  write 0x5c04b 0x1 0xff
  write 0xe1020403 0x1 0xff
  EOF
  562564:memory_access_illegal is_write:1 addr:0xe1020400 size:0x000e regio=
n:'e1000e-mmio'
  562592:memory_access_illegal is_write:1 addr:0xe102040e size:0x007c regio=
n:'e1000e-mmio'
  562601:memory_access_illegal is_write:1 addr:0xe102048a size:0x0004 regio=
n:'e1000e-mmio'

Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1886362
Buglink: https://bugs.launchpad.net/qemu/+bug/1888606
Signed-off-by: Philippe Mathieu-Daud=C3=A9 <philmd@redhat.com>
---
 include/hw/pci/pci.h | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
index 8f901e6c289..cd97268b3a8 100644
--- a/include/hw/pci/pci.h
+++ b/include/hw/pci/pci.h
@@ -788,8 +788,12 @@ static inline AddressSpace *pci_get_address_space(PCID=
evice *dev)
 static inline int pci_dma_rw(PCIDevice *dev, dma_addr_t addr,
                              void *buf, dma_addr_t len, DMADirection dir)
 {
+    MemTxAttrs attrs =3D {
+        .direct_access =3D (dir =3D=3D DMA_DIRECTION_FROM_DEVICE),
+        .requester_id =3D pci_requester_id(dev),
+    };
     return dma_memory_rw(pci_get_address_space(dev), addr, buf, len,
-                         dir, MEMTXATTRS_UNSPECIFIED);
+                         dir, attrs);
 }
=20
 static inline int pci_dma_read(PCIDevice *dev, dma_addr_t addr,
@@ -808,14 +812,18 @@ static inline int pci_dma_write(PCIDevice *dev, dma_a=
ddr_t addr,
     static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev,      \
                                                    dma_addr_t addr)     \
     {                                                                   \
-        return ld##_l##_dma(pci_get_address_space(dev), addr,           \
-                            MEMTXATTRS_UNSPECIFIED);                    \
+        MemTxAttrs attrs =3D {                                            \
+            .requester_id =3D pci_requester_id(dev),                      \
+        };                                                              \
+        return ld##_l##_dma(pci_get_address_space(dev), addr, attrs);   \
     }                                                                   \
     static inline void st##_s##_pci_dma(PCIDevice *dev,                 \
                                         dma_addr_t addr, uint##_bits##_t v=
al) \
     {                                                                   \
-        st##_s##_dma(pci_get_address_space(dev), addr, val,             \
-                     MEMTXATTRS_UNSPECIFIED);                           \
+        MemTxAttrs attrs =3D {                                            \
+            .requester_id =3D pci_requester_id(dev),                      \
+        };                                                              \
+        st##_s##_dma(pci_get_address_space(dev), addr, val, attrs);     \
     }
=20
 PCI_DMA_DEFINE_LDST(ub, b, 8);
--=20
2.26.2