Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2224992/?format=api
{ "id": 2224992, "url": "http://patchwork.ozlabs.org/api/patches/2224992/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260420075159.106615-1-thuth@redhat.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260420075159.106615-1-thuth@redhat.com>", "list_archive_url": null, "date": "2026-04-20T07:51:59", "name": "system/memory: Don't call MR handlers for bytes beyond the MR's size", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "054447f004e5796170eee47f736e1083cb03e361", "submitter": { "id": 66152, "url": "http://patchwork.ozlabs.org/api/people/66152/?format=api", "name": "Thomas Huth", "email": "thuth@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260420075159.106615-1-thuth@redhat.com/mbox/", "series": [ { "id": 500562, "url": "http://patchwork.ozlabs.org/api/series/500562/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=500562", "date": "2026-04-20T07:51:59", "name": "system/memory: Don't call MR handlers for bytes beyond the MR's size", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/500562/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2224992/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2224992/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) 
header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=Uy/Wr9aV;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzd4l19c2z1yD4\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 17:52:39 +1000 (AEST)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wEjQV-0000YY-DZ; Mon, 20 Apr 2026 03:52:15 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <thuth@redhat.com>) id 1wEjQU-0000YJ-3k\n for qemu-devel@nongnu.org; Mon, 20 Apr 2026 03:52:14 -0400", "from us-smtp-delivery-124.mimecast.com ([170.10.133.124])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <thuth@redhat.com>) id 1wEjQS-0004gs-C5\n for qemu-devel@nongnu.org; Mon, 20 Apr 2026 03:52:13 -0400", "from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-208-eGi1NL8sPICfsAMblAtSqg-1; Mon,\n 20 Apr 2026 03:52:06 -0400", "from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) 
server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id E7D5B180036E; Mon, 20 Apr 2026 07:52:04 +0000 (UTC)", "from thuth-p1g4.redhat.com (unknown [10.44.49.13])\n by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP\n id 15109195608E; Mon, 20 Apr 2026 07:52:01 +0000 (UTC)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1776671530;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:\n content-transfer-encoding:content-transfer-encoding;\n bh=Y6sRFQU9hniZGz00f7FB0D0r1ItHeqZ+OWj5XypA2Tg=;\n b=Uy/Wr9aVfDDn+R+fNYrBK1dqbAlwCIuQOLFUdXuTH4Ywn1nUh6eZs/24wauPFKM7Uwekp0\n BXez6pexY3pEpA6WzoQeSbukkeCA2RGorgdtY0oz0CERwSqmcZQFPoYQr7gSg+pGvNWWSE\n Eg4QdHV98YRZ66M/qnVg2XdJnQv/wq4=", "X-MC-Unique": "eGi1NL8sPICfsAMblAtSqg-1", "X-Mimecast-MFC-AGG-ID": "eGi1NL8sPICfsAMblAtSqg_1776671525", "From": "Thomas Huth <thuth@redhat.com>", "To": "Paolo Bonzini <pbonzini@redhat.com>, Peter Xu <peterx@redhat.com>,\n qemu-devel@nongnu.org", "Cc": "=?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>", "Subject": "[PATCH] system/memory: Don't call MR handlers for bytes beyond the\n MR's size", "Date": "Mon, 20 Apr 2026 09:51:59 +0200", "Message-ID": "<20260420075159.106615-1-thuth@redhat.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Scanned-By": "MIMEDefang 3.0 on 10.30.177.17", "Received-SPF": "pass client-ip=170.10.133.124; envelope-from=thuth@redhat.com;\n helo=us-smtp-delivery-124.mimecast.com", "X-Spam_score_int": "-20", "X-Spam_score": "-2.1", "X-Spam_bar": "--", "X-Spam_report": "(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001,\n DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no 
action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "From: Thomas Huth <thuth@redhat.com>\n\nIf a guest triggers a multi-byte read/write at the very end of a memory\nregion, the code access_with_adjusted_size() still tries to access\nall bytes of the transfer, even if the final bytes are already beyond\nthe memory region's size. 
If the device handler cannot cope with those\naccesses, bad things can happen, for example:\n\n $ echo \"writew 0x800064 0x4142\" | \\\n ./qemu-system-avr -M mega2560 -display none -qtest stdio -accel qtest\n [I 0.000001] OPENED\n [R +0.001750] writew 0x800064 0x4142\n qemu-system-avr: ../../devel/qemu/hw/misc/avr_power.c:58:\n avr_mask_write: Assertion `offset == 0' failed.\n Aborted (core dumped)\n\nWe really should not call MR handlers for bytes that are beyond the\nMR's size, so let's add a check to limit the size in such cases.\n\nResolves: https://gitlab.com/qemu-project/qemu/-/work_items/3393\nSigned-off-by: Thomas Huth <thuth@redhat.com>\n---\n system/memory.c | 13 +++++++++++--\n 1 file changed, 11 insertions(+), 2 deletions(-)", "diff": "diff --git a/system/memory.c b/system/memory.c\nindex 56f3225b21a..2ff74c42e3f 100644\n--- a/system/memory.c\n+++ b/system/memory.c\n@@ -531,6 +531,7 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,\n uint64_t access_mask;\n unsigned access_size;\n unsigned i;\n+ unsigned int checked_size;\n MemTxResult r = MEMTX_OK;\n bool reentrancy_guard_applied = false;\n \n@@ -557,13 +558,21 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,\n /* FIXME: support unaligned access? */\n access_size = MAX(MIN(size, access_size_max), access_size_min);\n access_mask = MAKE_64BIT_MASK(0, access_size * 8);\n+\n+ if (addr + size > mr->size) {\n+ assert(addr < mr->size);\n+ checked_size = mr->size - addr;\n+ } else {\n+ checked_size = size;\n+ }\n+\n if (devend_big_endian(mr->ops->endianness)) {\n- for (i = 0; i < size; i += access_size) {\n+ for (i = 0; i < checked_size; i += access_size) {\n r |= access_fn(mr, addr + i, value, access_size,\n (size - access_size - i) * 8, access_mask, attrs);\n }\n } else {\n- for (i = 0; i < size; i += access_size) {\n+ for (i = 0; i < checked_size; i += access_size) {\n r |= access_fn(mr, addr + i, value, access_size, i * 8,\n access_mask, attrs);\n }\n", "prefixes": [] }
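Review bot: In the first hunk of system/memory.c, the new local is declared as `unsigned int checked_size;` while the neighbouring declarations use plain `unsigned` (`unsigned access_size;`, `unsigned i;`). Use `unsigned checked_size;` to match the surrounding style, and consider a name that says what the value is, for example the number of bytes of the transfer that still fall inside the region.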
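Review bot: In the second hunk, both loops are now bounded by checked_size, but every access_fn call still passes access_size, which is computed from size, access_size_max and access_size_min before the new check. When access_size is larger than the bytes remaining in the region (for example access_size of 4 with checked_size of 2), the iteration at i = 0 still hands the handler an access that runs past the region's size, so the fix only holds for handlers whose access_size divides checked_size. Consider clamping or validating access_size against checked_size, or returning an error when checked_size is not a multiple of access_size. Two smaller points in the same hunk: `assert(addr < mr->size);` turns an out-of-range addr into an abort, the same failure mode the commit message describes, so a MemTxResult error return would be safer unless callers guarantee the bound, and the truncated bytes are skipped while r stays MEMTX_OK, which deserves a comment stating that a partial access is intentionally reported as success.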