On 2014-02-18 16:28, Peter Maydell wrote: > The ethernet device in the musicpal only has two tx queues, > but we modelled it with four CTDP registers, presumably a > cut and paste from the rx queue registers. Since the tx_queue[] > array is only 2 entries long this allowed a guest to overrun > this buffer. Remove the nonexistent registers. > > Signed-off-by: Peter Maydell <[email protected]>
Acked-by: Jan Kiszka <[email protected]> > --- > There's no readily available documentation for this SoC, > but I'm told the BSP for it indicates that there are > indeed only two tx queues. > > hw/arm/musicpal.c | 6 ++---- > 1 file changed, 2 insertions(+), 4 deletions(-) > > diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c > index 023e875..a8d0086 100644 > --- a/hw/arm/musicpal.c > +++ b/hw/arm/musicpal.c > @@ -92,8 +92,6 @@ > #define MP_ETH_CRDP3 0x4AC > #define MP_ETH_CTDP0 0x4E0 > #define MP_ETH_CTDP1 0x4E4 > -#define MP_ETH_CTDP2 0x4E8 > -#define MP_ETH_CTDP3 0x4EC > > /* MII PHY access */ > #define MP_ETH_SMIR_DATA 0x0000FFFF > @@ -308,7 +306,7 @@ static uint64_t mv88w8618_eth_read(void *opaque, hwaddr > offset, > case MP_ETH_CRDP0 ... MP_ETH_CRDP3: > return s->rx_queue[(offset - MP_ETH_CRDP0)/4]; > > - case MP_ETH_CTDP0 ... MP_ETH_CTDP3: > + case MP_ETH_CTDP0 ... MP_ETH_CTDP1: > return s->tx_queue[(offset - MP_ETH_CTDP0)/4]; > > default: > @@ -362,7 +360,7 @@ static void mv88w8618_eth_write(void *opaque, hwaddr > offset, > s->cur_rx[(offset - MP_ETH_CRDP0)/4] = value; > break; > > - case MP_ETH_CTDP0 ... MP_ETH_CTDP3: > + case MP_ETH_CTDP0 ... MP_ETH_CTDP1: > s->tx_queue[(offset - MP_ETH_CTDP0)/4] = value; > break; > } >
signature.asc
Description: OpenPGP digital signature
