[PATCH v2 0/2] intel_iommu: fix guest-triggerable assert in MMIO handlers

Junjie Cao posted 2 patches 1 month ago
git fetch https://github.com/patchew-project/qemu tags/patchew/20260424201842.176953-1-junjie.cao@intel.com
Maintainers: "Michael S. Tsirkin" <mst@redhat.com>, Jason Wang <jasowang@redhat.com>, Yi Liu <yi.l.liu@intel.com>, "Clément Mathieu--Drif" <clement.mathieu--drif@bull.com>, Paolo Bonzini <pbonzini@redhat.com>, Richard Henderson <richard.henderson@linaro.org>, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>, Fabiano Rosas <farosas@suse.de>, Laurent Vivier <lvivier@redhat.com>
There is a newer version of this series
An 8-byte guest access to any 32-bit-only VT-d register hits
assert(size == 4) and aborts QEMU.  Found by fuzzing with
generic-fuzz; 24 distinct crash inputs all share the same root cause.

v1: https://lore.kernel.org/all/20260420170523.17908-1-junjie.cao@intel.com/
v2: Per Philippe's suggestion, widen .impl.min_access_size to 8
instead of replacing asserts with guest-error checks.  This lets the
memory subsystem always pass size == 8 to the handler, eliminating
all 25 asserts and every size-based branch.

Junjie Cao (2):
  intel_iommu: widen impl.min_access_size to 8 to fix MMIO abort
  tests/qtest: add 8-byte MMIO access sweep for intel-iommu

 hw/i386/intel_iommu.c          | 121 +++++++--------------------------
 tests/qtest/intel-iommu-test.c |  30 ++++++++
 2 files changed, 53 insertions(+), 98 deletions(-)

-- 
2.43.0
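To make the mechanism in the cover letter concrete, here is an added example (not part of this series or of QEMU) modelling in plain C how the memory core derives the size it calls a device handler with from .impl.min_access_size and .impl.max_access_size. The MAX(MIN(size, max), min) rounding rule and the one-register handler that tolerates a single size are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of how the memory core sizes its calls into a device's
 * MMIO handler (added example, not QEMU code): the handler is invoked with
 * access_size = MAX(MIN(size, impl.max_access_size), impl.min_access_size),
 * repeated until the guest's 'size' bytes are covered. */
static unsigned model_access_size(unsigned impl_min, unsigned impl_max,
                                  unsigned size)
{
    unsigned s = size < impl_max ? size : impl_max;  /* MIN(size, max) */
    return s > impl_min ? s : impl_min;              /* MAX(..., min)  */
}

/* Returns true if any call into the handler would arrive with a size other
 * than 'accepted', i.e. the size an assert(size == accepted) would reject. */
static bool handler_sees_rejected_size(unsigned impl_min, unsigned impl_max,
                                       unsigned guest_size, unsigned accepted)
{
    unsigned access_size = model_access_size(impl_min, impl_max, guest_size);
    for (unsigned i = 0; i < guest_size; i += access_size) {
        if (access_size != accepted) {
            return true;
        }
    }
    return false;
}

/* Before the fix: .impl.min_access_size = 4 and the 32-bit-only registers
 * assert size == 4, so an 8-byte guest access reaches the handler unsplit. */
static bool before_fix_8byte_access_aborts(void)
{
    return handler_sees_rejected_size(4, 8, 8, 4);   /* true: assert fires */
}

/* After the fix: .impl.min_access_size = 8, so the core widens every access
 * to 8 bytes and the handler only needs to deal with size == 8. */
static bool after_fix_handler_only_sees_8(void)
{
    return !handler_sees_rejected_size(8, 8, 8, 8) &&
           !handler_sees_rejected_size(8, 8, 4, 8);  /* 4-byte access widened */
}

int main(void)
{
    printf("before: 8-byte access hits assert(size == 4): %s\n",
           before_fix_8byte_access_aborts() ? "yes" : "no");
    printf("after:  handler only ever sees size 8: %s\n",
           after_fix_handler_only_sees_8() ? "yes" : "no");
    return 0;
}
```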