From 936a236c4e4b1068ade99220260cd04f68eb0212 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Mon, 15 Jul 2019 14:17:03 +0100 Subject: [PATCH] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Lei Sun found while auditing the code that a CPU write would trigger a NULL pointer dereference. >From UG1085 datasheet [*] AXI writes in this region are ignored and generates an AXI Slave Error (SLVERR). Fix by implementing the write_with_attrs() handler. Return MEMTX_ERROR when the region is accessed (this error maps to an AXI slave error). [*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf Reported-by: Lei Sun Reviewed-by: Francisco Iglesias Tested-by: Francisco Iglesias Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: Peter Maydell --- hw/ssi/xilinx_spips.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index b7c7275dbe..3c4e8365ee 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -1220,8 +1220,24 @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value, return lqspi_read(opaque, addr, value, size, attrs); } +static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value, + unsigned size, MemTxAttrs attrs) +{ + /* + * From UG1085, Chapter 24 (Quad-SPI controllers): + * - Writes are ignored + * - AXI writes generate an external AXI slave error (SLVERR) + */ + qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64 + " (value: 0x%" PRIx64 "\n", + __func__, size << 3, offset, value); + + return MEMTX_ERROR; +} + static const MemoryRegionOps lqspi_ops = { .read_with_attrs = lqspi_read, + .write_with_attrs = lqspi_write, .endianness = DEVICE_NATIVE_ENDIAN, .valid = { .min_access_size = 1, -- 2.30.2