From: Michael S. Tsirkin Date: Mon, 21 Nov 2011 16:57:31 +0000 (+0200) Subject: msix: Prevent bogus mask updates on MMIO accesses X-Git-Tag: qemu-xen-4.2.0~103 X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=9a93b61730e3b46ef1c01ca522c6abe80ec13832;p=qemu-upstream-4.2-testing.git msix: Prevent bogus mask updates on MMIO accesses >From: Jan Kiszka Only accesses to the MSI-X table must trigger a call to msix_handle_mask_update, otherwise the vector value might be out of range. Signed-off-by: Jan Kiszka Signed-off-by: Michael S. Tsirkin Signed-off-by: Anthony Liguori --- diff --git a/hw/msix.c b/hw/msix.c index 63b41b993..29696016a 100644 --- a/hw/msix.c +++ b/hw/msix.c @@ -176,6 +176,12 @@ static void msix_mmio_write(void *opaque, target_phys_addr_t addr, PCIDevice *dev = opaque; unsigned int offset = addr & (MSIX_PAGE_SIZE - 1) & ~0x3; int vector = offset / PCI_MSIX_ENTRY_SIZE; + + /* MSI-X page includes a read-only PBA and a writeable Vector Control. */ + if (vector >= dev->msix_entries_nr) { + return; + } + pci_set_long(dev->msix_table_page + offset, val); msix_handle_mask_update(dev, vector); }
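Review bot: The new early return in msix_mmio_write sits before pci_set_long, so a write whose vector is >= dev->msix_entries_nr is now dropped entirely, not only kept away from msix_handle_mask_update as the commit message describes. That is reasonable for the read-only PBA the comment mentions, but the comment does not say that discarding the write is intended. Suggest rewording it along the lines of "Writes past the last table entry (e.g. to the read-only PBA) are ignored". Since vector is computed from the MMIO address as offset / PCI_MSIX_ENTRY_SIZE, it would also help to state in the comment that the check is what keeps msix_handle_mask_update from being called with an out-of-range vector.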