
[v3,16/16] hw/intc: sifive_plic: Fix the pending register range check

Message ID 20221211030829.802437-16-bmeng@tinylab.org
State New
Series [v3,01/16] hw/riscv: Select MSI_NONBROKEN in SIFIVE_PLIC | expand

Commit Message

Bin Meng Dec. 11, 2022, 3:08 a.m. UTC
The pending register upper limit is currently set to
plic->num_sources >> 3, which is wrong. For example, when
plic->num_sources is 7 the upper limit becomes 0, so a read of
the pending register at pending_base fails the range check.

Fixes: 1e24429e40df ("SiFive RISC-V PLIC Block")
Signed-off-by: Bin Meng <bmeng@tinylab.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>

---

(no changes since v1)

 hw/intc/sifive_plic.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Alistair Francis Dec. 12, 2022, 6:11 a.m. UTC | #1
On Sun, Dec 11, 2022 at 1:21 PM Bin Meng <bmeng@tinylab.org> wrote:
>
> The pending register upper limit is currently set to
> plic->num_sources >> 3, which is wrong, e.g.: considering
> plic->num_sources is 7, the upper limit becomes 0 which fails
> the range check if reading the pending register at pending_base.
>
> Fixes: 1e24429e40df ("SiFive RISC-V PLIC Block")
> Signed-off-by: Bin Meng <bmeng@tinylab.org>
> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>

Thanks!

Applied to riscv-to-apply.next

Alistair

>
> ---
>
> (no changes since v1)
>
>  hw/intc/sifive_plic.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/hw/intc/sifive_plic.c b/hw/intc/sifive_plic.c
> index 1a792cc3f5..5522ede2cf 100644
> --- a/hw/intc/sifive_plic.c
> +++ b/hw/intc/sifive_plic.c
> @@ -143,7 +143,8 @@ static uint64_t sifive_plic_read(void *opaque, hwaddr addr, unsigned size)
>          uint32_t irq = (addr - plic->priority_base) >> 2;
>
>          return plic->source_priority[irq];
> -    } else if (addr_between(addr, plic->pending_base, plic->num_sources >> 3)) {
> +    } else if (addr_between(addr, plic->pending_base,
> +                            (plic->num_sources + 31) >> 3)) {
>          uint32_t word = (addr - plic->pending_base) >> 2;
>
>          return plic->pending[word];
> @@ -202,7 +203,7 @@ static void sifive_plic_write(void *opaque, hwaddr addr, uint64_t value,
>              sifive_plic_update(plic);
>          }
>      } else if (addr_between(addr, plic->pending_base,
> -                            plic->num_sources >> 3)) {
> +                            (plic->num_sources + 31) >> 3)) {
>          qemu_log_mask(LOG_GUEST_ERROR,
>                        "%s: invalid pending write: 0x%" HWADDR_PRIx "",
>                        __func__, addr);
> --
> 2.34.1
>
>

Patch

diff --git a/hw/intc/sifive_plic.c b/hw/intc/sifive_plic.c
index 1a792cc3f5..5522ede2cf 100644
--- a/hw/intc/sifive_plic.c
+++ b/hw/intc/sifive_plic.c
@@ -143,7 +143,8 @@  static uint64_t sifive_plic_read(void *opaque, hwaddr addr, unsigned size)
         uint32_t irq = (addr - plic->priority_base) >> 2;
 
         return plic->source_priority[irq];
-    } else if (addr_between(addr, plic->pending_base, plic->num_sources >> 3)) {
+    } else if (addr_between(addr, plic->pending_base,
+                            (plic->num_sources + 31) >> 3)) {
         uint32_t word = (addr - plic->pending_base) >> 2;
 
         return plic->pending[word];
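Review bot: The new length `(plic->num_sources + 31) >> 3` rounds up to whole bytes rather than whole 32-bit words, so the check in this read branch can admit one word more than the pending bitmap covers. With num_sources = 32 it evaluates to 7, so an aligned 4-byte access at offset 4 passes (assuming addr_between treats its third argument as a byte length, as the commit message implies) and gives `word` = 1 for `plic->pending[word]`. If `pending` is allocated as ceil(num_sources / 32) words (the allocation is not visible on this page), that is a guest-reachable read one element past the array. Rounding to whole words, `((plic->num_sources + 31) >> 5) << 2`, keeps the range and the index in agreement; the same expression appears in the sifive_plic_write hunk, where it only selects the guest-error logging branch. Both function bodies continue outside the hunks.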
@@ -202,7 +203,7 @@  static void sifive_plic_write(void *opaque, hwaddr addr, uint64_t value,
             sifive_plic_update(plic);
         }
     } else if (addr_between(addr, plic->pending_base,
-                            plic->num_sources >> 3)) {
+                            (plic->num_sources + 31) >> 3)) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid pending write: 0x%" HWADDR_PRIx "",
                       __func__, addr);