@@ -834,8 +834,17 @@ static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr,
void *buf, dma_addr_t len,
DMADirection dir, MemTxAttrs attrs)
{
- return dma_memory_rw(pci_get_address_space(dev), addr, buf, len,
- dir, attrs);
+ bool prior_engaged_state;
+ MemTxResult result;
+
+ prior_engaged_state = dev->qdev.engaged_in_io;
+
+ dev->qdev.engaged_in_io = true;
+ result = dma_memory_rw(pci_get_address_space(dev), addr, buf, len,
+ dir, attrs);
+ dev->qdev.engaged_in_io = prior_engaged_state;
+
+ return result;
}
/**
@@ -288,8 +288,16 @@ static MemTxResult dma_buf_rw(void *buf, dma_addr_t len, dma_addr_t *residual,
uint8_t *ptr = buf;
dma_addr_t xresidual;
int sg_cur_index;
+ DeviceState *dev;
+ bool prior_engaged_state;
MemTxResult res = MEMTX_OK;
+ dev = sg->dev;
+ if (dev) {
+ prior_engaged_state = dev->engaged_in_io;
+ dev->engaged_in_io = true;
+ }
+
xresidual = sg->size;
sg_cur_index = 0;
len = MIN(len, xresidual);
@@ -302,6 +310,10 @@ static MemTxResult dma_buf_rw(void *buf, dma_addr_t len, dma_addr_t *residual,
xresidual -= xfer;
}
+ if (dev) {
+ dev->engaged_in_io = prior_engaged_state;
+ }
+
if (residual) {
*residual = xresidual;
}
This patch leverages the DeviceState engaged_in_io flag to prevent issues due to accesses similar to bh -> dma -> mmio. e.g. CVE-2021-3929 Signed-off-by: Alexander Bulekov <alxndr@bu.edu> --- include/hw/pci/pci.h | 13 +++++++++++-- softmmu/dma-helpers.c | 12 ++++++++++++ 2 files changed, 23 insertions(+), 2 deletions(-)