diff options
| author | Alistair Francis <alistair.francis@xilinx.com> | 2016-10-04 13:28:09 +0100 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2016-10-04 13:28:09 +0100 |
| commit | 79b2ac8f28748b09816d09bd62a2b49ddc01ebeb (patch) | |
| tree | 3c39c8d93b8ee3544d3cb9b206f401de652013c2 | |
| parent | 03bf19535c2581937397e608335c111c03895ba8 (diff) | |
cadence_gem: Fix priority queue out of bounds access
There was an error with some of the register implementation assuming
there are 16 priority queues supported when the IP only supports 8. This
patch corrects the registers to only support 8 queues.
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 33bf2d28326d22875602234b8b15cf56fb678333.1474911607.git.alistair.francis@xilinx.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
| -rw-r--r-- | hw/net/cadence_gem.c | 22 |
1 files changed, 4 insertions, 18 deletions
diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c index 8618e7acac..7915732f74 100644 --- a/hw/net/cadence_gem.c +++ b/hw/net/cadence_gem.c @@ -147,25 +147,19 @@ #define GEM_INT_Q1_MASK (0x00000640 / 4) #define GEM_TRANSMIT_Q1_PTR (0x00000440 / 4) -#define GEM_TRANSMIT_Q15_PTR (GEM_TRANSMIT_Q1_PTR + 14) +#define GEM_TRANSMIT_Q7_PTR (GEM_TRANSMIT_Q1_PTR + 6) #define GEM_RECEIVE_Q1_PTR (0x00000480 / 4) -#define GEM_RECEIVE_Q15_PTR (GEM_RECEIVE_Q1_PTR + 14) +#define GEM_RECEIVE_Q7_PTR (GEM_RECEIVE_Q1_PTR + 6) #define GEM_INT_Q1_ENABLE (0x00000600 / 4) #define GEM_INT_Q7_ENABLE (GEM_INT_Q1_ENABLE + 6) -#define GEM_INT_Q8_ENABLE (0x00000660 / 4) -#define GEM_INT_Q15_ENABLE (GEM_INT_Q8_ENABLE + 7) #define GEM_INT_Q1_DISABLE (0x00000620 / 4) #define GEM_INT_Q7_DISABLE (GEM_INT_Q1_DISABLE + 6) -#define GEM_INT_Q8_DISABLE (0x00000680 / 4) -#define GEM_INT_Q15_DISABLE (GEM_INT_Q8_DISABLE + 7) #define GEM_INT_Q1_MASK (0x00000640 / 4) #define GEM_INT_Q7_MASK (GEM_INT_Q1_MASK + 6) -#define GEM_INT_Q8_MASK (0x000006A0 / 4) -#define GEM_INT_Q15_MASK (GEM_INT_Q8_MASK + 7) #define GEM_SCREENING_TYPE1_REGISTER_0 (0x00000500 / 4) @@ -1372,13 +1366,13 @@ static void gem_write(void *opaque, hwaddr offset, uint64_t val, case GEM_RXQBASE: s->rx_desc_addr[0] = val; break; - case GEM_RECEIVE_Q1_PTR ... GEM_RECEIVE_Q15_PTR: + case GEM_RECEIVE_Q1_PTR ... GEM_RECEIVE_Q7_PTR: s->rx_desc_addr[offset - GEM_RECEIVE_Q1_PTR + 1] = val; break; case GEM_TXQBASE: s->tx_desc_addr[0] = val; break; - case GEM_TRANSMIT_Q1_PTR ... GEM_TRANSMIT_Q15_PTR: + case GEM_TRANSMIT_Q1_PTR ... GEM_TRANSMIT_Q7_PTR: s->tx_desc_addr[offset - GEM_TRANSMIT_Q1_PTR + 1] = val; break; case GEM_RXSTATUS: @@ -1392,10 +1386,6 @@ static void gem_write(void *opaque, hwaddr offset, uint64_t val, s->regs[GEM_INT_Q1_MASK + offset - GEM_INT_Q1_ENABLE] &= ~val; gem_update_int_status(s); break; - case GEM_INT_Q8_ENABLE ... GEM_INT_Q15_ENABLE: - s->regs[GEM_INT_Q8_MASK + offset - GEM_INT_Q8_ENABLE] &= ~val; - gem_update_int_status(s); - break; case GEM_IDR: s->regs[GEM_IMR] |= val; gem_update_int_status(s); @@ -1404,10 +1394,6 @@ static void gem_write(void *opaque, hwaddr offset, uint64_t val, s->regs[GEM_INT_Q1_MASK + offset - GEM_INT_Q1_DISABLE] |= val; gem_update_int_status(s); break; - case GEM_INT_Q8_DISABLE ... GEM_INT_Q15_DISABLE: - s->regs[GEM_INT_Q8_MASK + offset - GEM_INT_Q8_DISABLE] |= val; - gem_update_int_status(s); - break; case GEM_SPADDR1LO: case GEM_SPADDR2LO: case GEM_SPADDR3LO: |