hw/intc/loongarch_pch_pic.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-)
From: Thomas Huth <thuth@redhat.com>
When booting the Linux kernel from tests/functional/test_loongarch64_virt.py
with a QEMU that has been compiled with --enable-ubsan, there is
a warning like this:
.../hw/intc/loongarch_pch_pic.c:171:46: runtime error: index 512 out of
bounds for type 'uint8_t[64]' (aka 'unsigned char[64]')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
.../hw/intc/loongarch_pch_pic.c:171:46
.../hw/intc/loongarch_pch_pic.c:175:45: runtime error: index 256 out of
bounds for type 'uint8_t[64]' (aka 'unsigned char[64]')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
.../hw/intc/loongarch_pch_pic.c:175:45
It happens because "addr" is added first before subtracting the base
(PCH_PIC_HTMSI_VEC or PCH_PIC_ROUTE_ENTRY).
Additionally, this code looks like it is not endianness safe, since
it uses a 64-bit pointer to write values into an array of 8-bit values.
Thus rework the code to use the stq_le_p / ldq_le_p helpers here
and make sure that we do not create pointers with undefined behavior
by accident.
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
hw/intc/loongarch_pch_pic.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/hw/intc/loongarch_pch_pic.c b/hw/intc/loongarch_pch_pic.c
index c4b242dbf41..32f01aabf0e 100644
--- a/hw/intc/loongarch_pch_pic.c
+++ b/hw/intc/loongarch_pch_pic.c
@@ -110,10 +110,10 @@ static uint64_t pch_pic_read(void *opaque, hwaddr addr, uint64_t field_mask)
val = s->int_polarity;
break;
case PCH_PIC_HTMSI_VEC ... PCH_PIC_HTMSI_VEC_END:
- val = *(uint64_t *)(s->htmsi_vector + addr - PCH_PIC_HTMSI_VEC);
+ val = ldq_le_p(&s->htmsi_vector[addr - PCH_PIC_HTMSI_VEC]);
break;
case PCH_PIC_ROUTE_ENTRY ... PCH_PIC_ROUTE_ENTRY_END:
- val = *(uint64_t *)(s->route_entry + addr - PCH_PIC_ROUTE_ENTRY);
+ val = ldq_le_p(&s->route_entry[addr - PCH_PIC_ROUTE_ENTRY]);
break;
default:
qemu_log_mask(LOG_GUEST_ERROR,
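Review bot: The new index `addr - PCH_PIC_HTMSI_VEC` (and `addr - PCH_PIC_ROUTE_ENTRY` on the next case) is bounded only by the `case ... END` range, while ldq_le_p reads 8 bytes from that position; the UBSan output in the description shows both arrays are `uint8_t[64]`, so the access stays in bounds only if PCH_PIC_HTMSI_VEC_END and PCH_PIC_ROUTE_ENTRY_END leave at least 8 bytes of headroom, which is not visible in this hunk. Since `addr` comes from the guest, this is worth confirming against the constants' definitions rather than assuming, and the same applies to the write paths in the third hunk. A short comment on each case, e.g. `/* range ends 8 bytes before the array end; see PCH_PIC_HTMSI_VEC_END */`, would make the invariant explicit for the next reader. pch_pic_read starts and ends outside the hunk.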
@@ -129,7 +129,8 @@ static void pch_pic_write(void *opaque, hwaddr addr, uint64_t value,
{
LoongArchPICCommonState *s = LOONGARCH_PIC_COMMON(opaque);
uint32_t offset;
- uint64_t old, mask, data, *ptemp;
+ uint64_t old, mask, data;
+ void *ptemp;
offset = addr & 7;
addr -= offset;
@@ -168,12 +169,12 @@ static void pch_pic_write(void *opaque, hwaddr addr, uint64_t value,
s->int_polarity = (s->int_polarity & ~mask) | data;
break;
case PCH_PIC_HTMSI_VEC ... PCH_PIC_HTMSI_VEC_END:
- ptemp = (uint64_t *)(s->htmsi_vector + addr - PCH_PIC_HTMSI_VEC);
- *ptemp = (*ptemp & ~mask) | data;
+ ptemp = &s->htmsi_vector[addr - PCH_PIC_HTMSI_VEC];
+ stq_le_p(ptemp, (ldq_le_p(ptemp) & ~mask) | data);
break;
case PCH_PIC_ROUTE_ENTRY ... PCH_PIC_ROUTE_ENTRY_END:
- ptemp = (uint64_t *)(s->route_entry + addr - PCH_PIC_ROUTE_ENTRY);
- *ptemp = (*ptemp & ~mask) | data;
+ ptemp = (uint64_t *)&s->route_entry[addr - PCH_PIC_ROUTE_ENTRY];
+ stq_le_p(ptemp, (ldq_le_p(ptemp) & ~mask) | data);
break;
default:
qemu_log_mask(LOG_GUEST_ERROR,
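Review bot: The route_entry branch keeps a cast, `ptemp = (uint64_t *)&s->route_entry[addr - PCH_PIC_ROUTE_ENTRY];`, that the htmsi_vector branch just above drops: ptemp is now `void *` (second hunk) and stq_le_p/ldq_le_p take a void pointer, so the conversion is dead, and it reintroduces a uint64_t-typed pointer into a uint8_t array, which is the pattern the commit message sets out to remove. Suggest `ptemp = &s->route_entry[addr - PCH_PIC_ROUTE_ENTRY];` so both cases read the same way. pch_pic_write continues outside the hunk.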
--
2.50.1
On 1/8/25 08:01, Thomas Huth wrote: > From: Thomas Huth <thuth@redhat.com> > > When booting the Linux kernel from tests/functional/test_loongarch64_virt.py > with a QEMU that has been compiled with --enable-ubsan, there is > a warning like this: > > .../hw/intc/loongarch_pch_pic.c:171:46: runtime error: index 512 out of > bounds for type 'uint8_t[64]' (aka 'unsigned char[64]') > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior > .../hw/intc/loongarch_pch_pic.c:171:46 > .../hw/intc/loongarch_pch_pic.c:175:45: runtime error: index 256 out of > bounds for type 'uint8_t[64]' (aka 'unsigned char[64]') > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior > .../hw/intc/loongarch_pch_pic.c:175:45 > > It happens because "addr" is added first before substracting the base > (PCH_PIC_HTMSI_VEC or PCH_PIC_ROUTE_ENTRY). > Additionally, this code looks like it is not endianness safe, since > it uses a 64-bit pointer to write values into an array of 8-bit values. > > Thus rework the code to use the stq_le_p / ldq_le_p helpers here > and make sure that we do not create pointers with undefined behavior > by accident. > > Signed-off-by: Thomas Huth <thuth@redhat.com> > --- > hw/intc/loongarch_pch_pic.c | 15 ++++++++------- > 1 file changed, 8 insertions(+), 7 deletions(-) Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
On 01.08.2025 09:01, Thomas Huth wrote: > From: Thomas Huth <thuth@redhat.com> > > When booting the Linux kernel from tests/functional/test_loongarch64_virt.py > with a QEMU that has been compiled with --enable-ubsan, there is > a warning like this: > > .../hw/intc/loongarch_pch_pic.c:171:46: runtime error: index 512 out of > bounds for type 'uint8_t[64]' (aka 'unsigned char[64]') > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior > .../hw/intc/loongarch_pch_pic.c:171:46 > .../hw/intc/loongarch_pch_pic.c:175:45: runtime error: index 256 out of > bounds for type 'uint8_t[64]' (aka 'unsigned char[64]') > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior > .../hw/intc/loongarch_pch_pic.c:175:45 > > It happens because "addr" is added first before substracting the base > (PCH_PIC_HTMSI_VEC or PCH_PIC_ROUTE_ENTRY). > Additionally, this code looks like it is not endianness safe, since > it uses a 64-bit pointer to write values into an array of 8-bit values. > > Thus rework the code to use the stq_le_p / ldq_le_p helpers here > and make sure that we do not create pointers with undefined behavior > by accident. > > Signed-off-by: Thomas Huth <thuth@redhat.com> Queued to trivial-patches, thank you! /mjt
On 2025/8/1 下午2:01, Thomas Huth wrote:
> From: Thomas Huth <thuth@redhat.com>
>
> When booting the Linux kernel from tests/functional/test_loongarch64_virt.py
> with a QEMU that has been compiled with --enable-ubsan, there is
> a warning like this:
>
> .../hw/intc/loongarch_pch_pic.c:171:46: runtime error: index 512 out of
> bounds for type 'uint8_t[64]' (aka 'unsigned char[64]')
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> .../hw/intc/loongarch_pch_pic.c:171:46
> .../hw/intc/loongarch_pch_pic.c:175:45: runtime error: index 256 out of
> bounds for type 'uint8_t[64]' (aka 'unsigned char[64]')
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> .../hw/intc/loongarch_pch_pic.c:175:45
>
> It happens because "addr" is added first before substracting the base
> (PCH_PIC_HTMSI_VEC or PCH_PIC_ROUTE_ENTRY).
> Additionally, this code looks like it is not endianness safe, since
> it uses a 64-bit pointer to write values into an array of 8-bit values.
>
> Thus rework the code to use the stq_le_p / ldq_le_p helpers here
> and make sure that we do not create pointers with undefined behavior
> by accident.
>
> Signed-off-by: Thomas Huth <thuth@redhat.com>
> ---
> hw/intc/loongarch_pch_pic.c | 15 ++++++++-------
> 1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/hw/intc/loongarch_pch_pic.c b/hw/intc/loongarch_pch_pic.c
> index c4b242dbf41..32f01aabf0e 100644
> --- a/hw/intc/loongarch_pch_pic.c
> +++ b/hw/intc/loongarch_pch_pic.c
> @@ -110,10 +110,10 @@ static uint64_t pch_pic_read(void *opaque, hwaddr addr, uint64_t field_mask)
> val = s->int_polarity;
> break;
> case PCH_PIC_HTMSI_VEC ... PCH_PIC_HTMSI_VEC_END:
> - val = *(uint64_t *)(s->htmsi_vector + addr - PCH_PIC_HTMSI_VEC);
> + val = ldq_le_p(&s->htmsi_vector[addr - PCH_PIC_HTMSI_VEC]);
> break;
> case PCH_PIC_ROUTE_ENTRY ... PCH_PIC_ROUTE_ENTRY_END:
> - val = *(uint64_t *)(s->route_entry + addr - PCH_PIC_ROUTE_ENTRY);
> + val = ldq_le_p(&s->route_entry[addr - PCH_PIC_ROUTE_ENTRY]);
> break;
> default:
> qemu_log_mask(LOG_GUEST_ERROR,
> @@ -129,7 +129,8 @@ static void pch_pic_write(void *opaque, hwaddr addr, uint64_t value,
> {
> LoongArchPICCommonState *s = LOONGARCH_PIC_COMMON(opaque);
> uint32_t offset;
> - uint64_t old, mask, data, *ptemp;
> + uint64_t old, mask, data;
> + void *ptemp;
>
> offset = addr & 7;
> addr -= offset;
> @@ -168,12 +169,12 @@ static void pch_pic_write(void *opaque, hwaddr addr, uint64_t value,
> s->int_polarity = (s->int_polarity & ~mask) | data;
> break;
> case PCH_PIC_HTMSI_VEC ... PCH_PIC_HTMSI_VEC_END:
> - ptemp = (uint64_t *)(s->htmsi_vector + addr - PCH_PIC_HTMSI_VEC);
> - *ptemp = (*ptemp & ~mask) | data;
> + ptemp = &s->htmsi_vector[addr - PCH_PIC_HTMSI_VEC];
> + stq_le_p(ptemp, (ldq_le_p(ptemp) & ~mask) | data);
> break;
> case PCH_PIC_ROUTE_ENTRY ... PCH_PIC_ROUTE_ENTRY_END:
> - ptemp = (uint64_t *)(s->route_entry + addr - PCH_PIC_ROUTE_ENTRY);
> - *ptemp = (*ptemp & ~mask) | data;
> + ptemp = (uint64_t *)&s->route_entry[addr - PCH_PIC_ROUTE_ENTRY];
> + stq_le_p(ptemp, (ldq_le_p(ptemp) & ~mask) | data);
> break;
> default:
> qemu_log_mask(LOG_GUEST_ERROR,
>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
在 2025/8/1 下午2:01, Thomas Huth 写道:
> From: Thomas Huth <thuth@redhat.com>
>
> When booting the Linux kernel from tests/functional/test_loongarch64_virt.py
> with a QEMU that has been compiled with --enable-ubsan, there is
> a warning like this:
>
> .../hw/intc/loongarch_pch_pic.c:171:46: runtime error: index 512 out of
> bounds for type 'uint8_t[64]' (aka 'unsigned char[64]')
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> .../hw/intc/loongarch_pch_pic.c:171:46
> .../hw/intc/loongarch_pch_pic.c:175:45: runtime error: index 256 out of
> bounds for type 'uint8_t[64]' (aka 'unsigned char[64]')
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> .../hw/intc/loongarch_pch_pic.c:175:45
>
> It happens because "addr" is added first before substracting the base
> (PCH_PIC_HTMSI_VEC or PCH_PIC_ROUTE_ENTRY).
> Additionally, this code looks like it is not endianness safe, since
> it uses a 64-bit pointer to write values into an array of 8-bit values.
>
> Thus rework the code to use the stq_le_p / ldq_le_p helpers here
> and make sure that we do not create pointers with undefined behavior
> by accident.
>
> Signed-off-by: Thomas Huth <thuth@redhat.com>
> ---
> hw/intc/loongarch_pch_pic.c | 15 ++++++++-------
> 1 file changed, 8 insertions(+), 7 deletions(-)
Tested-by: Song Gao <gaosong@loongson.cn>
Thanks.
Song Gao
> diff --git a/hw/intc/loongarch_pch_pic.c b/hw/intc/loongarch_pch_pic.c
> index c4b242dbf41..32f01aabf0e 100644
> --- a/hw/intc/loongarch_pch_pic.c
> +++ b/hw/intc/loongarch_pch_pic.c
> @@ -110,10 +110,10 @@ static uint64_t pch_pic_read(void *opaque, hwaddr addr, uint64_t field_mask)
> val = s->int_polarity;
> break;
> case PCH_PIC_HTMSI_VEC ... PCH_PIC_HTMSI_VEC_END:
> - val = *(uint64_t *)(s->htmsi_vector + addr - PCH_PIC_HTMSI_VEC);
> + val = ldq_le_p(&s->htmsi_vector[addr - PCH_PIC_HTMSI_VEC]);
> break;
> case PCH_PIC_ROUTE_ENTRY ... PCH_PIC_ROUTE_ENTRY_END:
> - val = *(uint64_t *)(s->route_entry + addr - PCH_PIC_ROUTE_ENTRY);
> + val = ldq_le_p(&s->route_entry[addr - PCH_PIC_ROUTE_ENTRY]);
> break;
> default:
> qemu_log_mask(LOG_GUEST_ERROR,
> @@ -129,7 +129,8 @@ static void pch_pic_write(void *opaque, hwaddr addr, uint64_t value,
> {
> LoongArchPICCommonState *s = LOONGARCH_PIC_COMMON(opaque);
> uint32_t offset;
> - uint64_t old, mask, data, *ptemp;
> + uint64_t old, mask, data;
> + void *ptemp;
>
> offset = addr & 7;
> addr -= offset;
> @@ -168,12 +169,12 @@ static void pch_pic_write(void *opaque, hwaddr addr, uint64_t value,
> s->int_polarity = (s->int_polarity & ~mask) | data;
> break;
> case PCH_PIC_HTMSI_VEC ... PCH_PIC_HTMSI_VEC_END:
> - ptemp = (uint64_t *)(s->htmsi_vector + addr - PCH_PIC_HTMSI_VEC);
> - *ptemp = (*ptemp & ~mask) | data;
> + ptemp = &s->htmsi_vector[addr - PCH_PIC_HTMSI_VEC];
> + stq_le_p(ptemp, (ldq_le_p(ptemp) & ~mask) | data);
> break;
> case PCH_PIC_ROUTE_ENTRY ... PCH_PIC_ROUTE_ENTRY_END:
> - ptemp = (uint64_t *)(s->route_entry + addr - PCH_PIC_ROUTE_ENTRY);
> - *ptemp = (*ptemp & ~mask) | data;
> + ptemp = (uint64_t *)&s->route_entry[addr - PCH_PIC_ROUTE_ENTRY];
> + stq_le_p(ptemp, (ldq_le_p(ptemp) & ~mask) | data);
> break;
> default:
> qemu_log_mask(LOG_GUEST_ERROR,