From nobody Mon May 25 13:48:45 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass header.i=@intel.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1778753129; cv=none; d=zohomail.com; s=zohoarc; b=Y0jqflHJDhWb/gEuQJ+yPjfdoPoZXC8evKYkmPNyzGW8Ej1odnjvYibr0Umt9dXwZhW42R36nTISMeaokUm9F7cTFzLT9g/pOTUA1By6uKQ+OtyNbFAf61UXSgmngzTS1nx20Hf/ZuCgIFsK63I0iYV4ws9LB1Vpg/YZxd81mVo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778753129; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=4bqa0lYObAd3dxl/VTa570rH40u3aDoC060Hk7vuExo=; b=jv4fDwbDxCralpEUZP4Iwknd0ZWri/t1wvf35YdVJzKt3u8o9YSqj75TfFwQEYeye1/2BchrRzJ1H2OQ6Z6znl2HqCXlM+iljOkGKNqrOvm4bnFLw6rZtvSTKCDtk5EKO/radztlpCRsn2sPcz/Jy1yyRzE2HJJ0EwY+ci8CIGI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=@intel.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778753129076229.96676877737332; Thu, 14 May 2026 03:05:29 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wNSwM-0007y9-S3; Thu, 14 May 2026 06:05:15 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wNSw7-0007s6-24 for qemu-devel@nongnu.org; Thu, 14 May 2026 06:05:01 -0400 Received: from mgamail.intel.com ([198.175.65.13]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wNSw2-0004S9-Ey for qemu-devel@nongnu.org; Thu, 14 May 2026 06:04:56 -0400 Received: from orviesa005.jf.intel.com ([10.64.159.145]) by orvoesa105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 May 2026 03:04:54 -0700 Received: from junjie-optiplex-micro-plus-7010.bj.intel.com ([10.238.152.98]) by orviesa005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 May 2026 03:04:49 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1778753095; x=1810289095; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=+BLqURsj/4GVgeflQIwmatoKV0hGhqVWlZAtXVERMfY=; b=LVNEGVBn2sk0tvmfhujV/pDs6bL6Fr1MD8ALdDS39wvEv27GQ+VW4mtQ 1x7jYPG0WJAt8VrYkWL1J8CH0Y79rvj1U4Yvszyoe0nndHow0JwarQmi3 v7ed19hi7nbNIg8FdmrdGJfgkVEquiNOFS0Eejqb+VmYtI+xe7ZNx2q5k IDRYtfK2RPlyvdG7d8XWIGc4sp0MizLY0xWO7+uMHOE/RG8IqLVrKyTE8 GTxM3/gNc09sbxdkfAOTtLgQYYRY1Ws+0u9S0ehlGP1iYyZNp3D8E01DH e5FvikKlpiHadk9Y/JBFI/uu8DFHzr+en9ePxpTEu3lfKTjUDzM+yuPgn A==; X-CSE-ConnectionGUID: Uufdc/4bSrKYQtHm2PDffA== X-CSE-MsgGUID: g4XcuYGyRHas7rwo4jzCVQ== X-IronPort-AV: E=McAfee;i="6800,10657,11785"; a="90796076" X-IronPort-AV: E=Sophos;i="6.23,234,1770624000"; d="scan'208";a="90796076" X-CSE-ConnectionGUID: x7VEPXeITFOz9wDGSMfR3A== X-CSE-MsgGUID: ATc2XyCdQt6r1jo14lLPXg== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.23,234,1770624000"; d="scan'208";a="243324922" From: Junjie Cao To: qemu-devel@nongnu.org Cc: zhenzhong.duan@intel.com, yi.l.liu@intel.com, philmd@linaro.org, mst@redhat.com, jasowang@redhat.com, clement.mathieu--drif@bull.com, marcel.apfelbaum@gmail.com, pbonzini@redhat.com, richard.henderson@linaro.org, farosas@suse.de, lvivier@redhat.com, Junjie Cao Subject: [PATCH v4 1/2] intel_iommu: fix guest-triggerable abort on oversized MMIO access Date: Fri, 15 May 2026 02:07:02 +0800 Message-ID: <20260514180703.85686-2-junjie.cao@intel.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260514180703.85686-1-junjie.cao@intel.com> References: <20260514180703.85686-1-junjie.cao@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=198.175.65.13; envelope-from=junjie.cao@intel.com; helo=mgamail.intel.com X-Spam_score_int: -28 X-Spam_score: -2.9 X-Spam_bar: -- X-Spam_report: (-2.9 / 5.0 requ) BAYES_00=-1.9, DATE_IN_FUTURE_06_12=1.947, DKIMWL_WL_HIGH=-0.445, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NONE=0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @intel.com) X-ZM-MESSAGEID: 1778753131650158500 Content-Type: text/plain; charset="utf-8" An 8-byte guest access to a 32-bit-only VT-d register hit assert(size =3D=3D 4) and aborted QEMU. Remove all 25 asserts. All 3 read-side and 18 of 22 write-side asserts are at non-8-aligned offsets (unreachable, rejected by memory_region_access_valid()) -- simply deleted. The remaining 4, all writes at 8-aligned offsets, are reachable: FECTL 0x38, IECTL 0xa0, IEADDR 0xa8, PECTL 0xe0. Truncating the high half via vtd_set_long() matches prior behavior; log under -d guest_errors since the VT-d spec is silent on oversized accesses to 32-bit registers, and add a comment so future maintainers don't delete the check as "harmless". min_access_size stays 4, so all size-based branches on 64-bit register pairs are preserved. Found by generic-fuzz (24 distinct crash seeds, all fixed). Suggested-by: Zhenzhong Duan Signed-off-by: Junjie Cao Reviewed-by: Yi Liu --- hw/i386/intel_iommu.c | 74 ++++++++++++++++++++++++++++--------------- 1 file changed, 49 insertions(+), 25 deletions(-) diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c index b784c5f10a..17f897177d 100644 --- a/hw/i386/intel_iommu.c +++ b/hw/i386/intel_iommu.c @@ -21,6 +21,7 @@ =20 #include "qemu/osdep.h" #include "qemu/error-report.h" +#include "qemu/log.h" #include "qemu/main-loop.h" #include "qapi/error.h" #include "hw/core/sysbus.h" @@ -3713,7 +3714,6 @@ static uint64_t vtd_mem_read(void *opaque, hwaddr add= r, unsigned size) break; =20 case DMAR_RTADDR_REG_HI: - assert(size =3D=3D 4); val =3D vtd_get_quad_raw(s, DMAR_RTADDR_REG) >> 32; break; =20 @@ -3728,12 +3728,10 @@ static uint64_t vtd_mem_read(void *opaque, hwaddr a= ddr, unsigned size) break; =20 case DMAR_IQA_REG_HI: - assert(size =3D=3D 4); val =3D s->iq >> 32; break; =20 case DMAR_PEUADDR_REG: - assert(size =3D=3D 4); val =3D vtd_get_long_raw(s, DMAR_PEUADDR_REG); break; =20 @@ -3779,7 +3777,6 @@ static void vtd_mem_write(void *opaque, hwaddr addr, break; =20 case DMAR_CCMD_REG_HI: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); vtd_handle_ccmd_write(s); break; @@ -3795,13 +3792,11 @@ static void vtd_mem_write(void *opaque, hwaddr addr, break; =20 case DMAR_IOTLB_REG_HI: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); vtd_handle_iotlb_write(s); break; =20 case DMAR_PEUADDR_REG: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); break; =20 @@ -3815,27 +3810,35 @@ static void vtd_mem_write(void *opaque, hwaddr addr, break; =20 case DMAR_IVA_REG_HI: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); break; =20 /* Fault Status Register, 32-bit */ case DMAR_FSTS_REG: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); vtd_handle_fsts_write(s); break; =20 /* Fault Event Control Register, 32-bit */ case DMAR_FECTL_REG: - assert(size =3D=3D 4); + /* + * 32-bit register at an 8-byte-aligned offset: a well-formed + * 8-byte guest access reaches this handler. vtd_set_long() + * takes uint32_t and truncates the high half -- undefined per + * the VT-d spec but harmless here. Flag it under + * -d guest_errors so the guest-side bug surfaces. + */ + if (size !=3D 4) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid %u-byte access to 32-bit reg " + "addr=3D0x%" PRIx64 "\n", __func__, size, addr); + } vtd_set_long(s, addr, val); vtd_handle_fectl_write(s); break; =20 /* Fault Event Data Register, 32-bit */ case DMAR_FEDATA_REG: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); break; =20 @@ -3854,13 +3857,11 @@ static void vtd_mem_write(void *opaque, hwaddr addr, =20 /* Fault Event Upper Address Register, 32-bit */ case DMAR_FEUADDR_REG: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); break; =20 /* Protected Memory Enable Register, 32-bit */ case DMAR_PMEN_REG: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); break; =20 @@ -3874,7 +3875,6 @@ static void vtd_mem_write(void *opaque, hwaddr addr, break; =20 case DMAR_RTADDR_REG_HI: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); break; =20 @@ -3889,7 +3889,6 @@ static void vtd_mem_write(void *opaque, hwaddr addr, break; =20 case DMAR_IQT_REG_HI: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); /* 19:63 of IQT_REG is RsvdZ, do nothing here */ break; @@ -3905,39 +3904,57 @@ static void vtd_mem_write(void *opaque, hwaddr addr, break; =20 case DMAR_IQA_REG_HI: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); break; =20 /* Invalidation Completion Status Register, 32-bit */ case DMAR_ICS_REG: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); vtd_handle_ics_write(s); break; =20 /* Invalidation Event Control Register, 32-bit */ case DMAR_IECTL_REG: - assert(size =3D=3D 4); + /* + * 32-bit register at an 8-byte-aligned offset: a well-formed + * 8-byte guest access reaches this handler. vtd_set_long() + * takes uint32_t and truncates the high half -- undefined per + * the VT-d spec but harmless here. Flag it under + * -d guest_errors so the guest-side bug surfaces. + */ + if (size !=3D 4) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid %u-byte access to 32-bit reg " + "addr=3D0x%" PRIx64 "\n", __func__, size, addr); + } vtd_set_long(s, addr, val); vtd_handle_iectl_write(s); break; =20 /* Invalidation Event Data Register, 32-bit */ case DMAR_IEDATA_REG: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); break; =20 /* Invalidation Event Address Register, 32-bit */ case DMAR_IEADDR_REG: - assert(size =3D=3D 4); + /* + * 32-bit register at an 8-byte-aligned offset: a well-formed + * 8-byte guest access reaches this handler. vtd_set_long() + * takes uint32_t and truncates the high half -- undefined per + * the VT-d spec but harmless here. Flag it under + * -d guest_errors so the guest-side bug surfaces. + */ + if (size !=3D 4) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid %u-byte access to 32-bit reg " + "addr=3D0x%" PRIx64 "\n", __func__, size, addr); + } vtd_set_long(s, addr, val); break; =20 /* Invalidation Event Upper Address Register, 32-bit */ case DMAR_IEUADDR_REG: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); break; =20 @@ -3951,7 +3968,6 @@ static void vtd_mem_write(void *opaque, hwaddr addr, break; =20 case DMAR_FRCD_REG_0_1: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); break; =20 @@ -3966,7 +3982,6 @@ static void vtd_mem_write(void *opaque, hwaddr addr, break; =20 case DMAR_FRCD_REG_0_3: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); /* May clear bit 127 (Fault), update PPF */ vtd_update_fsts_ppf(s); @@ -3981,18 +3996,27 @@ static void vtd_mem_write(void *opaque, hwaddr addr, break; =20 case DMAR_IRTA_REG_HI: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); break; =20 case DMAR_PRS_REG: - assert(size =3D=3D 4); vtd_set_long(s, addr, val); vtd_handle_prs_write(s); break; =20 case DMAR_PECTL_REG: - assert(size =3D=3D 4); + /* + * 32-bit register at an 8-byte-aligned offset: a well-formed + * 8-byte guest access reaches this handler. vtd_set_long() + * takes uint32_t and truncates the high half -- undefined per + * the VT-d spec but harmless here. Flag it under + * -d guest_errors so the guest-side bug surfaces. + */ + if (size !=3D 4) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid %u-byte access to 32-bit reg " + "addr=3D0x%" PRIx64 "\n", __func__, size, addr); + } vtd_set_long(s, addr, val); vtd_handle_pectl_write(s); break; --=20 2.43.0 From nobody Mon May 25 13:48:45 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass header.i=@intel.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1778753139; cv=none; d=zohomail.com; s=zohoarc; b=M+vgEcroQIm0uYDHl0JZ5ex2ZLtOyOD9+17wUUDqHtjPbye3rCPvexrOp2cOHKIUD7ryznD4HSALrKZ/Eq40+Co7tx7P5MxH1GuOuutVM5AH5yNYstH1ykROH64wu5FCG8uXv5b3xV6W12NKo9/OdpZIcFPwKLNAPz4X/rlG8AY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778753139; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=5U9cAjE9UtgAfaCGgczSjqv0JPGib9P+jIfbqpNluUc=; b=KDWOUXdQy3EV1Whpxqihc+Ywiug2nr/ZyJMUuNiLUGCkS+PM6+0cRKkmVUKO5go7yxWoCjqNK/ZxnVMxIO/ysoRZrW+Y23G61ku/upkkHSnyfxgLAuyZsZdG+hx/OxXqHpbGtjUUyw3LUZi4INaUVwK+o4fZujs9PrQxUr5rbsE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=@intel.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778753139752533.8170079787599; Thu, 14 May 2026 03:05:39 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wNSwP-00084M-CR; Thu, 14 May 2026 06:05:19 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wNSwC-0007sc-7J for qemu-devel@nongnu.org; Thu, 14 May 2026 06:05:06 -0400 Received: from mgamail.intel.com ([198.175.65.13]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wNSw7-0004S9-RS for qemu-devel@nongnu.org; Thu, 14 May 2026 06:05:02 -0400 Received: from orviesa005.jf.intel.com ([10.64.159.145]) by orvoesa105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 May 2026 03:05:00 -0700 Received: from junjie-optiplex-micro-plus-7010.bj.intel.com ([10.238.152.98]) by orviesa005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 May 2026 03:04:55 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1778753100; x=1810289100; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=wItBfHW6v9wsyjtAKVgJYEePhRBXmoutUyn+sJKbZ/w=; b=LikigXhNVY7D/7EmKwdOBVoDArn987dMDdvVh0NRL9RZFGPOdKq/HYC4 WB6+A23aVuxvPrc+L6t6bHQyRbGOChApXvHI8FdrOrZy6n7kvWSQexO6e 0YgvAPA2zH+DrmU3vT/yDFA+zugyyy4uSalnARdbTVDDcnwbXcjyUPy+D hLxAR1NQUQDtiSW9YAUjBigt7tIeVYwhDWRrWBRVgEQ3AWnLTfFjsMloB uo4Dgs48PIyVUV/RDjU66pInjBuMy3GjmUQPD7ZcUrS5qR+m475WXojj+ amveWcKjHJJehJUFNsRdw/z/spE00X6x3dg/3T8qbYi0qDgwjSVCSMD1U A==; X-CSE-ConnectionGUID: iRD0hALQSOm7Xo8smTQLAA== X-CSE-MsgGUID: RAnT/FrDSSS6xLtGZIkWOQ== X-IronPort-AV: E=McAfee;i="6800,10657,11785"; a="90796079" X-IronPort-AV: E=Sophos;i="6.23,234,1770624000"; d="scan'208";a="90796079" X-CSE-ConnectionGUID: vAMUAX5RQQC26QMHztz38g== X-CSE-MsgGUID: 1Tct7TkQSrulbDLcD1GKig== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.23,234,1770624000"; d="scan'208";a="243324929" From: Junjie Cao To: qemu-devel@nongnu.org Cc: zhenzhong.duan@intel.com, yi.l.liu@intel.com, philmd@linaro.org, mst@redhat.com, jasowang@redhat.com, clement.mathieu--drif@bull.com, marcel.apfelbaum@gmail.com, pbonzini@redhat.com, richard.henderson@linaro.org, farosas@suse.de, lvivier@redhat.com, Junjie Cao Subject: [PATCH v4 2/2] tests/qtest: add 8-byte MMIO access sweep for intel-iommu Date: Fri, 15 May 2026 02:07:03 +0800 Message-ID: <20260514180703.85686-3-junjie.cao@intel.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260514180703.85686-1-junjie.cao@intel.com> References: <20260514180703.85686-1-junjie.cao@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=198.175.65.13; envelope-from=junjie.cao@intel.com; helo=mgamail.intel.com X-Spam_score_int: -28 X-Spam_score: -2.9 X-Spam_bar: -- X-Spam_report: (-2.9 / 5.0 requ) BAYES_00=-1.9, DATE_IN_FUTURE_06_12=1.947, DKIMWL_WL_HIGH=-0.445, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NONE=0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @intel.com) X-ZM-MESSAGEID: 1778753141400158500 Sweep every 4-byte-aligned offset in the VT-d MMIO register space with 8-byte reads and writes to verify that no register handler aborts on an oversized access. Reviewed-by: Philippe Mathieu-Daud=C3=A9 Signed-off-by: Junjie Cao Reviewed-by: Yi Liu --- tests/qtest/intel-iommu-test.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/tests/qtest/intel-iommu-test.c b/tests/qtest/intel-iommu-test.c index e5cc6acaf0..b1763ed294 100644 --- a/tests/qtest/intel-iommu-test.c +++ b/tests/qtest/intel-iommu-test.c @@ -17,11 +17,39 @@ #define ECAP_STAGE_1_FIXED1 (VTD_ECAP_QI | VTD_ECAP_IR | VTD_ECAP_IRO |= \ VTD_ECAP_MHMV | VTD_ECAP_SMTS | VTD_ECAP_FST= S) =20 +static inline uint32_t vtd_reg_readl(QTestState *s, uint64_t offset) +{ + return qtest_readl(s, Q35_HOST_BRIDGE_IOMMU_ADDR + offset); +} + static inline uint64_t vtd_reg_readq(QTestState *s, uint64_t offset) { return qtest_readq(s, Q35_HOST_BRIDGE_IOMMU_ADDR + offset); } =20 +static inline void vtd_reg_writeq(QTestState *s, uint64_t offset, + uint64_t value) +{ + qtest_writeq(s, Q35_HOST_BRIDGE_IOMMU_ADDR + offset, value); +} + +static void test_intel_iommu_8byte_access(void) +{ + QTestState *s; + uint64_t off; + + s =3D qtest_init("-M q35 -device intel-iommu"); + + for (off =3D 0; off < DMAR_REG_SIZE; off +=3D 4) { + vtd_reg_readq(s, off); + vtd_reg_writeq(s, off, 0); + } + + g_assert_cmpuint(vtd_reg_readl(s, DMAR_VER_REG), !=3D, 0); + + qtest_quit(s); +} + static void test_intel_iommu_stage_1(void) { uint8_t init_csr[DMAR_REG_SIZE]; /* register values */ @@ -58,6 +86,8 @@ static void test_intel_iommu_stage_1(void) int main(int argc, char **argv) { g_test_init(&argc, &argv, NULL); + qtest_add_func("/q35/intel-iommu/8byte-access", + test_intel_iommu_8byte_access); qtest_add_func("/q35/intel-iommu/stage-1", test_intel_iommu_stage_1); =20 return g_test_run(); --=20 2.43.0