On 16/08/20 19:30, Philippe Mathieu-Daudé wrote:
> There is an issue when accessing an alias memory region via the
> memory_region_dispatch_read() / memory_region_dispatch_write()
> calls:
>
> The memory_region_init_alias() flow is:
>
>   memory_region_init_alias()
>   -> memory_region_init()
>      -> object_initialize(TYPE_MEMORY_REGION)
>         -> memory_region_initfn()
>            -> mr->ops = &unassigned_mem_ops;
>
> Later when accessing the alias, the memory_region_dispatch_read()
> flow is:
>
>   memory_region_dispatch_read()
>   -> memory_region_access_valid(mr)
>      -> mr->ops->valid.accepts()
>         -> unassigned_mem_accepts()
>         <- false
>      <- false
>   <- MEMTX_DECODE_ERROR
>
> The caller gets a MEMTX_DECODE_ERROR while the access is OK.

What is the path that leads to this call?

> Fix by directly dispatching alias accesses to their origin region.
>
> Fixes: 2cdfcf272d ("memory: assign MemoryRegionOps to all regions")

I don't think the "Fixes" is okay because you'd have gotten a different
bug before.

> +    if (mr->alias) {
> +        addr += mr->alias_offset;
> +        mr = mr->alias;
> +    }

Also, I think this would have to be a while loop.

Paolo
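Review bot: the `if (mr->alias)` in the hunk resolves only one level, so an alias whose target is itself an alias still lands on a region carrying unassigned_mem_ops and the dispatch returns MEMTX_DECODE_ERROR exactly as the commit message describes; make it `while (mr->alias) { addr += mr->alias_offset; mr = mr->alias; }` so every hop's alias_offset is accumulated into `addr` before validation. The commit message should also say which caller reaches memory_region_dispatch_read() with an alias, since that is the path the fix is justified by.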
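To make the single-level versus loop distinction concrete, here is an added toy model of the alias dispatch, written for this thread and not QEMU's own code: the struct, the `accepts` callbacks, the MemTxResult-like values and the ram/alias_a/alias_b topology are all constructed stand-ins for MemoryRegion, MemoryRegionOps.valid.accepts and the real regions.

```c
/* Constructed toy model of alias dispatch; not QEMU's real MemoryRegion. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef struct MemoryRegion MemoryRegion;
struct MemoryRegion {
    /* stand-in for mr->ops->valid.accepts() */
    bool (*accepts)(MemoryRegion *mr, uint64_t addr, unsigned size);
    MemoryRegion *alias;     /* target region when this is an alias, else NULL */
    uint64_t alias_offset;   /* offset added on the way to the target */
    uint64_t size;
};

/* illustrative result codes, modelled after MemTxResult */
enum { MEMTX_OK = 0, MEMTX_DECODE_ERROR = 2 };

/* An alias keeps unassigned_mem_ops, whose accepts() rejects everything. */
static bool unassigned_accepts(MemoryRegion *mr, uint64_t addr, unsigned size)
{
    (void)mr; (void)addr; (void)size;
    return false;
}

/* The backing RAM region accepts any in-bounds access. */
static bool ram_accepts(MemoryRegion *mr, uint64_t addr, unsigned size)
{
    return addr + size <= mr->size;
}

/* Follow the alias chain, accumulating alias_offset per hop. With
 * follow_chain == false only one hop is taken, as in the posted hunk. */
static MemoryRegion *resolve_alias(MemoryRegion *mr, uint64_t *addr, bool follow_chain)
{
    while (mr->alias) {
        *addr += mr->alias_offset;
        mr = mr->alias;
        if (!follow_chain) break;   /* single-level behaviour of the hunk */
    }
    return mr;
}

/* Model of memory_region_dispatch_read(): validate on the resolved region. */
int dispatch_read(MemoryRegion *mr, uint64_t addr, unsigned size, bool follow_chain)
{
    mr = resolve_alias(mr, &addr, follow_chain);
    return mr->accepts(mr, addr, size) ? MEMTX_OK : MEMTX_DECODE_ERROR;
}

/* Constructed topology: ram <- alias_a (+0x100) <- alias_b (+0x10). */
MemoryRegion ram     = { ram_accepts, NULL, 0, 0x1000 };
MemoryRegion alias_a = { unassigned_accepts, &ram, 0x100, 0x800 };
MemoryRegion alias_b = { unassigned_accepts, &alias_a, 0x10, 0x400 };
```

Dispatching on alias_b with one hop still hits unassigned_accepts and fails, while the loop reaches ram at addr + 0x110 and only rejects genuinely out-of-bounds accesses.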