From 9a93b61730e3b46ef1c01ca522c6abe80ec13832 Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Mon, 21 Nov 2011 18:57:31 +0200 Subject: [PATCH] msix: Prevent bogus mask updates on MMIO accesses >From: Jan Kiszka Only accesses to the MSI-X table must trigger a call to msix_handle_mask_update, otherwise the vector value might be out of range. Signed-off-by: Jan Kiszka Signed-off-by: Michael S. Tsirkin Signed-off-by: Anthony Liguori --- hw/msix.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hw/msix.c b/hw/msix.c index 63b41b9933..29696016ad 100644 --- a/hw/msix.c +++ b/hw/msix.c @@ -176,6 +176,12 @@ static void msix_mmio_write(void *opaque, target_phys_addr_t addr, PCIDevice *dev = opaque; unsigned int offset = addr & (MSIX_PAGE_SIZE - 1) & ~0x3; int vector = offset / PCI_MSIX_ENTRY_SIZE; + + /* MSI-X page includes a read-only PBA and a writeable Vector Control. */ + if (vector >= dev->msix_entries_nr) { + return; + } + pci_set_long(dev->msix_table_page + offset, val); msix_handle_mask_update(dev, vector); }