hw/riscv/riscv-iommu.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-)
The MSI table is not limited to 4k. The only constraint the table has
is that its base address must be aligned to its size, ensuring no
offsets of the table size will overrun when added to the base address
(see "8.5. MSI page tables" of the AIA spec).
Fixes: 0c54acb8243d ("hw/riscv: add RISC-V IOMMU base emulation")
Signed-off-by: Andrew Jones <ajones@ventanamicro.com>
---
hw/riscv/riscv-iommu.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/hw/riscv/riscv-iommu.c b/hw/riscv/riscv-iommu.c
index 96a7fbdefcf3..155190d032dd 100644
--- a/hw/riscv/riscv-iommu.c
+++ b/hw/riscv/riscv-iommu.c
@@ -558,6 +558,7 @@ static MemTxResult riscv_iommu_msi_write(RISCVIOMMUState *s,
MemTxResult res;
dma_addr_t addr;
uint64_t intn;
+ size_t offset;
uint32_t n190;
uint64_t pte[2];
int fault_type = RISCV_IOMMU_FQ_TTYPE_UADDR_WR;
@@ -565,16 +566,18 @@ static MemTxResult riscv_iommu_msi_write(RISCVIOMMUState *s,
/* Interrupt File Number */
intn = riscv_iommu_pext_u64(PPN_DOWN(gpa), ctx->msi_addr_mask);
- if (intn >= 256) {
- /* Interrupt file number out of range */
- res = MEMTX_ACCESS_ERROR;
- cause = RISCV_IOMMU_FQ_CAUSE_MSI_LOAD_FAULT;
- goto err;
- }
+ offset = intn * sizeof(pte);
/* fetch MSI PTE */
addr = PPN_PHYS(get_field(ctx->msiptp, RISCV_IOMMU_DC_MSIPTP_PPN));
- addr = addr | (intn * sizeof(pte));
+ if (addr & offset) {
+ /* Interrupt file number out of range */
+ res = MEMTX_ACCESS_ERROR;
+ cause = RISCV_IOMMU_FQ_CAUSE_MSI_LOAD_FAULT;
+ goto err;
+ }
+
+ addr |= offset;
res = dma_memory_read(s->target_as, addr, &pte, sizeof(pte),
MEMTXATTRS_UNSPECIFIED);
if (res != MEMTX_OK) {
--
2.49.0On 9/4/25 16:27, Andrew Jones wrote:
> The MSI table is not limited to 4k. The only constraint the table has
> is that its base address must be aligned to its size, ensuring no
> offsets of the table size will overrun when added to the base address
> (see "8.5. MSI page tables" of the AIA spec).
>
> Fixes: 0c54acb8243d ("hw/riscv: add RISC-V IOMMU base emulation")
> Signed-off-by: Andrew Jones <ajones@ventanamicro.com>
This one looks like a qemu-stable material.
Please let me know if it is not.
Thanks,
/mjt
On Thu, Sep 4, 2025 at 11:29 PM Andrew Jones <ajones@ventanamicro.com> wrote:
>
> The MSI table is not limited to 4k. The only constraint the table has
> is that its base address must be aligned to its size, ensuring no
> offsets of the table size will overrun when added to the base address
> (see "8.5. MSI page tables" of the AIA spec).
>
> Fixes: 0c54acb8243d ("hw/riscv: add RISC-V IOMMU base emulation")
> Signed-off-by: Andrew Jones <ajones@ventanamicro.com>
Thanks!
Applied to riscv-to-apply.next
Alistair
> ---
> hw/riscv/riscv-iommu.c | 17 ++++++++++-------
> 1 file changed, 10 insertions(+), 7 deletions(-)
>
> diff --git a/hw/riscv/riscv-iommu.c b/hw/riscv/riscv-iommu.c
> index 96a7fbdefcf3..155190d032dd 100644
> --- a/hw/riscv/riscv-iommu.c
> +++ b/hw/riscv/riscv-iommu.c
> @@ -558,6 +558,7 @@ static MemTxResult riscv_iommu_msi_write(RISCVIOMMUState *s,
> MemTxResult res;
> dma_addr_t addr;
> uint64_t intn;
> + size_t offset;
> uint32_t n190;
> uint64_t pte[2];
> int fault_type = RISCV_IOMMU_FQ_TTYPE_UADDR_WR;
> @@ -565,16 +566,18 @@ static MemTxResult riscv_iommu_msi_write(RISCVIOMMUState *s,
>
> /* Interrupt File Number */
> intn = riscv_iommu_pext_u64(PPN_DOWN(gpa), ctx->msi_addr_mask);
> - if (intn >= 256) {
> - /* Interrupt file number out of range */
> - res = MEMTX_ACCESS_ERROR;
> - cause = RISCV_IOMMU_FQ_CAUSE_MSI_LOAD_FAULT;
> - goto err;
> - }
> + offset = intn * sizeof(pte);
>
> /* fetch MSI PTE */
> addr = PPN_PHYS(get_field(ctx->msiptp, RISCV_IOMMU_DC_MSIPTP_PPN));
> - addr = addr | (intn * sizeof(pte));
> + if (addr & offset) {
> + /* Interrupt file number out of range */
> + res = MEMTX_ACCESS_ERROR;
> + cause = RISCV_IOMMU_FQ_CAUSE_MSI_LOAD_FAULT;
> + goto err;
> + }
> +
> + addr |= offset;
> res = dma_memory_read(s->target_as, addr, &pte, sizeof(pte),
> MEMTXATTRS_UNSPECIFIED);
> if (res != MEMTX_OK) {
> --
> 2.49.0
>
>
On 9/4/25 10:27 AM, Andrew Jones wrote:
> The MSI table is not limited to 4k. The only constraint the table has
> is that its base address must be aligned to its size, ensuring no
> offsets of the table size will overrun when added to the base address
> (see "8.5. MSI page tables" of the AIA spec).
>
> Fixes: 0c54acb8243d ("hw/riscv: add RISC-V IOMMU base emulation")
> Signed-off-by: Andrew Jones <ajones@ventanamicro.com>
> ---
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
> hw/riscv/riscv-iommu.c | 17 ++++++++++-------
> 1 file changed, 10 insertions(+), 7 deletions(-)
>
> diff --git a/hw/riscv/riscv-iommu.c b/hw/riscv/riscv-iommu.c
> index 96a7fbdefcf3..155190d032dd 100644
> --- a/hw/riscv/riscv-iommu.c
> +++ b/hw/riscv/riscv-iommu.c
> @@ -558,6 +558,7 @@ static MemTxResult riscv_iommu_msi_write(RISCVIOMMUState *s,
> MemTxResult res;
> dma_addr_t addr;
> uint64_t intn;
> + size_t offset;
> uint32_t n190;
> uint64_t pte[2];
> int fault_type = RISCV_IOMMU_FQ_TTYPE_UADDR_WR;
> @@ -565,16 +566,18 @@ static MemTxResult riscv_iommu_msi_write(RISCVIOMMUState *s,
>
> /* Interrupt File Number */
> intn = riscv_iommu_pext_u64(PPN_DOWN(gpa), ctx->msi_addr_mask);
> - if (intn >= 256) {
> - /* Interrupt file number out of range */
> - res = MEMTX_ACCESS_ERROR;
> - cause = RISCV_IOMMU_FQ_CAUSE_MSI_LOAD_FAULT;
> - goto err;
> - }
> + offset = intn * sizeof(pte);
>
> /* fetch MSI PTE */
> addr = PPN_PHYS(get_field(ctx->msiptp, RISCV_IOMMU_DC_MSIPTP_PPN));
> - addr = addr | (intn * sizeof(pte));
> + if (addr & offset) {
> + /* Interrupt file number out of range */
> + res = MEMTX_ACCESS_ERROR;
> + cause = RISCV_IOMMU_FQ_CAUSE_MSI_LOAD_FAULT;
> + goto err;
> + }
> +
> + addr |= offset;
> res = dma_memory_read(s->target_as, addr, &pte, sizeof(pte),
> MEMTXATTRS_UNSPECIFIED);
> if (res != MEMTX_OK) {
© 2016 - 2026 Red Hat, Inc.