Paolo Bonzini <[email protected]> wrote on Wed, 14 Nov 2018 at 11:44 PM:

> On 14/11/2018 02:38, Li Qiang wrote:
> >
> > Paolo Bonzini <[email protected]> wrote on Wed, 14 Nov 2018 at 2:27 AM:
> >
> > > On 13/11/2018 11:17, Kevin Wolf wrote:
> > > > On 13.11.2018 at 02:45, Li Qiang wrote:
> > > > > Ping.... what's the status of this patch.
> > > > >
> > > > > I see Kevin's new pr doesn't contain this patch.
> > > >
> > > > Oh, I thought you said that you wanted to fix this at a higher level so
> > > > that the problem is caught before even getting into nvme code? If you
> > > > don't, I can apply the patch for my next pull request.
> > >
> > > As far as I know the bug doesn't exist. Li Qiang, if you have a
> > > reproducer please send it.
> >
> > Hello Paolo,
> > Though I've sent the debug information and ASAN output in the mail to
> > [email protected], I'm glad to provide it here.
> > This is for read; I think the write is the same, but as the PoC is in
> > userspace, the mmap can only map the exact size of the MMIO,
> > so we can only write within the area. But if we are using a module we can
> > write outside of the MMIO, I think.
> > The nvme device's parameter should be set as 'cmb_size_mb=2' and the PCI
> > address may differ in your system.
>
> Ok, thanks. I've created a reproducer using qtest (though I have to run
> now and cannot post it properly).
>
> The patch for the fix is simply:

So do you send this or me?

> diff --git a/hw/block/nvme.c b/hw/block/nvme.c
> index fc7dacb816..6385033af3 100644
> --- a/hw/block/nvme.c
> +++ b/hw/block/nvme.c
> @@ -1192,7 +1192,7 @@ static const MemoryRegionOps nvme_cmb_ops = {
>      .write = nvme_cmb_write,
>      .endianness = DEVICE_LITTLE_ENDIAN,
>      .impl = {
> -        .min_access_size = 2,
> +        .min_access_size = 1,
>          .max_access_size = 8,
>      },
>  };
>
> The memory subsystem _is_ recognizing the out-of-bounds 32-bit access,

Thanks, this strengthens my understanding of the memory subsystem.

Thanks,
Li Qiang

> but because min_access_size=2 it sends down a write at offset 2097151
> and size 2.
>
> Paolo
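Review bot: the one-line change to `.impl.min_access_size` in nvme_cmb_ops carries no explanation in the hunk; the commit message should record the mechanism stated in this thread (the memory subsystem recognizes the out-of-bounds 32-bit access, but with `min_access_size = 2` the clipped remainder is widened again and nvme_cmb_write is handed offset 2097151 with size 2, one byte past the end of a 2 MiB CMB) and the qtest reproducer Paolo mentions should land as a regression test next to it. It would also help to state in the message why lowering the minimum to 1 is preferred over a bounds check inside the callback itself, since the hunk's context still allows `.max_access_size = 8` and the callback otherwise has to trust that offset plus size stays inside the region.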
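Added example, not code from this thread or from QEMU: a small C model of the access-size adjustment Paolo describes, so the "offset 2097151, size 2" outcome can be reproduced on paper. It assumes (my reading of the thread, not a verified description of QEMU's dispatch path) that a guest access is first clipped to the bytes remaining before the end of the region and the remainder is then widened to at least `.impl.min_access_size`; the constants, the `impl_sizes` struct, the function names and the `cmb_access_fits` check are all constructed for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* cmb_size_mb=2, the device parameter named in the thread. */
#define CMB_SIZE_BYTES (2u * 1024u * 1024u)

/* Constructed stand-in for the .impl min/max access sizes of a MemoryRegionOps. */
struct impl_sizes {
    unsigned min_access_size;
    unsigned max_access_size;
};

/* Bytes of a guest access that lie inside the region. The model assumes the
 * dispatch layer forwards only this part; the out-of-bounds remainder is the
 * part the memory subsystem "recognizes". Returns 0 when the access starts
 * at or past the end of the region. */
static unsigned clip_to_region(uint64_t region_size, uint64_t addr, unsigned size)
{
    if (addr >= region_size) {
        return 0;
    }
    uint64_t left = region_size - addr;
    return left < size ? (unsigned)left : size;
}

/* Size handed to the .read/.write callback after the min/max constraints.
 * A clipped 1-byte remainder is widened back up to min_access_size, which is
 * the step that produces a 2-byte access at the last byte of the region. */
static unsigned adjust_access_size(unsigned size, struct impl_sizes impl)
{
    unsigned min = impl.min_access_size ? impl.min_access_size : 1;  /* assumed defaults */
    unsigned max = impl.max_access_size ? impl.max_access_size : 4;
    unsigned adjusted = size < max ? size : max;
    return adjusted < min ? min : adjusted;
}

/* Defensive check a callback can apply before touching its backing buffer:
 * true only when [addr, addr + size) lies entirely inside the region. */
static bool cmb_access_fits(uint64_t region_size, uint64_t addr, unsigned size)
{
    return addr < region_size && size <= region_size - addr;
}

/* Size the callback sees for a guest access of `size` bytes at `addr`,
 * or 0 if nothing reaches it. */
static unsigned callback_size_for(uint64_t region_size, uint64_t addr,
                                  unsigned size, struct impl_sizes impl)
{
    unsigned clipped = clip_to_region(region_size, addr, size);
    return clipped ? adjust_access_size(clipped, impl) : 0;
}

int main(void)
{
    const struct impl_sizes before = { .min_access_size = 2, .max_access_size = 8 };
    const struct impl_sizes after  = { .min_access_size = 1, .max_access_size = 8 };
    const uint64_t last_byte = CMB_SIZE_BYTES - 1;  /* 2097151, the offset in the thread */
    const struct { const char *label; struct impl_sizes impl; } cases[] = {
        { "min_access_size = 2 (before the patch)", before },
        { "min_access_size = 1 (after the patch)",  after  },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        unsigned seen = callback_size_for(CMB_SIZE_BYTES, last_byte, 4, cases[i].impl);
        printf("%s: 32-bit write at %" PRIu64 " reaches the callback as size %u, "
               "inside the %u-byte CMB: %s\n",
               cases[i].label, last_byte, seen, CMB_SIZE_BYTES,
               cmb_access_fits(CMB_SIZE_BYTES, last_byte, seen) ? "yes" : "no");
    }
    return 0;
}
```

The model makes the defender's point explicit: a callback that memcpy's into a buffer of exactly the region size cannot rely on the dispatch layer alone once widening is in play, so either the minimum access size must not exceed what can be clipped off (the patch's approach) or the callback needs its own `cmb_access_fits`-style check.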
