On 2020/11/3 17:53, Jiaxun Yang wrote:
>
>
> On 2020/11/3 17:32, AlexChen wrote:
>> According to the loongson spec
>> (http://www.loongson.cn/uploadfile/cpu/3B1500/Loongson_3B1500_cpu_user_1.pdf)
>> and the macro definition(#define R_PERCORE_ISR(x) (0x40 + 0x8 * x)), we know
>> that the ISR size of per CORE is 8, so here we need to divide
>> (addr - R_PERCORE_ISR(0)) by 8, not 4.
> Hi Alex
>
> Thanks!
>
> That was my fault.. Per Core ISA is rarely used by kernel..
>
> Reviewed-by: Jiaxun Yang <[email protected]>
>> Reported-by: Euler Robot <[email protected]>
> Btw:
> How can you discover this by robot?
> Huawei owns real artificial intelligence technology lol :-)
>
>
Thanks for your review.
EulerRobot is a virtualization software quality automation project that integrates some tools and test suites such as gcc/clang make test, qemu ut, qtest, coccinelle scripts and avocado-vt.

The code checking tool found there was a potential array out of bounds at 'r = p->per_core_isr[core]', since 'core' may be 7 which is bigger than 'per_core_isr' array size 3. So we found this bug.

Thanks,
Alex

> - Jiaxun
>> Signed-off-by: Alex Chen <[email protected]> >> --- >> hw/intc/loongson_liointc.c | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/hw/intc/loongson_liointc.c b/hw/intc/loongson_liointc.c >> index 30fb375b72..fbbfb57ee9 100644 >> --- a/hw/intc/loongson_liointc.c >> +++ b/hw/intc/loongson_liointc.c >> @@ -130,7 +130,7 @@ liointc_read(void *opaque, hwaddr addr, unsigned int >> size) >> >> if (addr >= R_PERCORE_ISR(0) && >> addr < R_PERCORE_ISR(NUM_CORES)) { >> - int core = (addr - R_PERCORE_ISR(0)) / 4; >> + int core = (addr - R_PERCORE_ISR(0)) / 8; >> r = p->per_core_isr[core]; >> goto out; >> } >> @@ -173,7 +173,7 @@ liointc_write(void *opaque, hwaddr addr, >> >> if (addr >= R_PERCORE_ISR(0) && >> addr < R_PERCORE_ISR(NUM_CORES)) { >> - int core = (addr - R_PERCORE_ISR(0)) / 4; >> + int core = (addr - R_PERCORE_ISR(0)) / 8; >> p->per_core_isr[core] = value; >> goto out; >> } > . >
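Review bot: in the liointc_read hunk, the literal 8 in '(addr - R_PERCORE_ISR(0)) / 8' is a second, hand-written copy of the stride that R_PERCORE_ISR(x) (0x40 + 0x8 * x) already encodes, which is how the /4 mismatch got in. Deriving the divisor from the macro, for example 'R_PERCORE_ISR(1) - R_PERCORE_ISR(0)', or sharing one named constant between the macro and the division, keeps the range check and the index in step. An assert that core < NUM_CORES just before 'r = p->per_core_isr[core]' would also state the bound explicitly for the checker that reported this.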
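Review bot: in the liointc_write hunk, with the divisor at 8 every offset inside a core's 8-byte slot, including R_PERCORE_ISR(n) + 4, now resolves to per_core_isr[n] and is overwritten by 'p->per_core_isr[core] = value'. If only the first word of each slot is a register, ignore or reject accesses where (addr - R_PERCORE_ISR(0)) % 8 is non-zero; if the aliasing is intended, a one-line comment saying so would help. The same question applies to the read at 'r = p->per_core_isr[core]'.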
