Message ID | 20221127165753.30533-1-jim.shu@sifive.com (mailing list archive) |
---|---|
State | New, archived |
Series | hw/intc: sifive_plic: fix out-of-bound access of source_priority array |

On Mon, Nov 28, 2022 at 12:59 AM Jim Shu <jim.shu@sifive.com> wrote:
>
> If the number of interrupts is not a multiple of 32, PLIC will have
> out-of-bound access to the source_priority array. Compute the number of
> interrupts in the last word to avoid this out-of-bound access of the array.
>
> Signed-off-by: Jim Shu <jim.shu@sifive.com>
> ---
>  hw/intc/sifive_plic.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
>

Reviewed-by: Bin Meng <bmeng@tinylab.org>

On Mon, Nov 28, 2022 at 2:59 AM Jim Shu <jim.shu@sifive.com> wrote:
>
> If the number of interrupts is not a multiple of 32, PLIC will have
> out-of-bound access to the source_priority array. Compute the number of
> interrupts in the last word to avoid this out-of-bound access of the array.
>
> Signed-off-by: Jim Shu <jim.shu@sifive.com>

Thanks!

Applied to riscv-to-apply.next

Alistair

> ---
>  hw/intc/sifive_plic.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/hw/intc/sifive_plic.c b/hw/intc/sifive_plic.c > index c2dfacf028..1cf156cf85 100644 > --- a/hw/intc/sifive_plic.c > +++ b/hw/intc/sifive_plic.c > @@ -78,6 +78,7 @@ static uint32_t sifive_plic_claimed(SiFivePLICState *plic, uint32_t addrid) > uint32_t max_irq = 0; > uint32_t max_prio = plic->target_priority[addrid]; > int i, j; > + int num_irq_in_word = 32; > > for (i = 0; i < plic->bitfield_words; i++) { > uint32_t pending_enabled_not_claimed = > @@ -88,7 +89,16 @@ static uint32_t sifive_plic_claimed(SiFivePLICState *plic, uint32_t addrid) > continue; > } > > - for (j = 0; j < 32; j++) { > + if (i == (plic->bitfield_words - 1)) { > + /* > + * If plic->num_sources is not multiple of 32, num-of-irq in last > + * word is not 32. Compute the num-of-irq of last word to avoid > + * out-of-bound access of source_priority array. > + */ > + num_irq_in_word = plic->num_sources - ((plic->bitfield_words - 1) << 5); > + } > + > + for (j = 0; j < num_irq_in_word; j++) { > int irq = (i << 5) + j; > uint32_t prio = plic->source_priority[irq]; > int enabled = pending_enabled_not_claimed & (1 << j); > -- > 2.17.1 > >

diff --git a/hw/intc/sifive_plic.c b/hw/intc/sifive_plic.c index c2dfacf028..1cf156cf85 100644 --- a/hw/intc/sifive_plic.c +++ b/hw/intc/sifive_plic.c @@ -78,6 +78,7 @@ static uint32_t sifive_plic_claimed(SiFivePLICState *plic, uint32_t addrid) uint32_t max_irq = 0; uint32_t max_prio = plic->target_priority[addrid]; int i, j; + int num_irq_in_word = 32; for (i = 0; i < plic->bitfield_words; i++) { uint32_t pending_enabled_not_claimed = @@ -88,7 +89,16 @@ static uint32_t sifive_plic_claimed(SiFivePLICState *plic, uint32_t addrid) continue; } - for (j = 0; j < 32; j++) { + if (i == (plic->bitfield_words - 1)) { + /* + * If plic->num_sources is not multiple of 32, num-of-irq in last + * word is not 32. Compute the num-of-irq of last word to avoid + * out-of-bound access of source_priority array. + */ + num_irq_in_word = plic->num_sources - ((plic->bitfield_words - 1) << 5); + } + + for (j = 0; j < num_irq_in_word; j++) { int irq = (i << 5) + j; uint32_t prio = plic->source_priority[irq]; int enabled = pending_enabled_not_claimed & (1 << j);
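
Review bot: in the first hunk (@@ -78,6 +78,7 @@), num_irq_in_word is declared at function scope with the initializer 32, but it is only meaningful inside the loop over plic->bitfield_words and is overwritten once, on the last word. Declaring it at the top of the loop body (`int num_irq_in_word = 32;` per iteration) would keep the default next to the override and would stop the code from relying on the last word always being the final iteration.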
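
Review bot: in the second hunk (@@ -88,7 +89,16 @@), the new bound `plic->num_sources - ((plic->bitfield_words - 1) << 5)` is only safe if bitfield_words is exactly the number of 32-bit words needed for num_sources, and nothing in these lines shows or asserts that relationship; if the two fields ever disagree, the value assigned to the signed num_irq_in_word can be negative or greater than 32. Bounding the inner loop on the index itself, for example `for (j = 0; j < 32 && ((i << 5) + j) < plic->num_sources; j++)`, ties the check directly to the source_priority access and makes the special case for the last word unnecessary. Separately, the unchanged context line `pending_enabled_not_claimed & (1 << j)` shifts a signed int by up to 31 bits when a word is full; `1u << j` would avoid that.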

If the number of interrupts is not a multiple of 32, PLIC will have
out-of-bound access to the source_priority array. Compute the number of
interrupts in the last word to avoid this out-of-bound access of the array.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 hw/intc/sifive_plic.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)