| Message ID | 20221125154030.42108-3-philmd@linaro.org (mailing list archive) |
|---|---|
| State | New, archived |
| Series | hw/display/qxl: Avoid buffer overrun in qxl_phys2virt() |
On Fri, Nov 25, 2022 at 7:41 PM Philippe Mathieu-Daudé <philmd@linaro.org> wrote: > > Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > --- > hw/display/qxl.h | 19 +++++++++++++++++++ > 1 file changed, 19 insertions(+) > > diff --git a/hw/display/qxl.h b/hw/display/qxl.h > index e74de9579d..78b3a6c9ba 100644 > --- a/hw/display/qxl.h > +++ b/hw/display/qxl.h > @@ -147,6 +147,25 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL) > #define QXL_DEFAULT_REVISION (QXL_REVISION_STABLE_V12 + 1) > > /* qxl.c */ > +/** > + * qxl_phys2virt: Get a pointer within a PCI VRAM memory region. > + * > + * @qxl: QXL device > + * @phys: physical offset of buffer within the VRAM > + * @group_id: memory slot group > + * > + * Returns a host pointer to a buffer placed at offset @phys within the > + * active slot @group_id of the PCI VGA RAM memory region associated with > + * the @qxl device. If the slot is inactive, or the offset is out > + * of the memory region, returns NULL. > + * > + * Use with care; by the time this function returns, the returned pointer is > + * not protected by RCU anymore. If the caller is not within an RCU critical > + * section and does not hold the iothread lock, it must have other means of > + * protecting the pointer, such as a reference to the region that includes > + * the incoming ram_addr_t. > + * > + */ > void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id); > void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...) > G_GNUC_PRINTF(2, 3); > -- > 2.38.1 > > -- Marc-André Lureau
diff --git a/hw/display/qxl.h b/hw/display/qxl.h index e74de9579d..78b3a6c9ba 100644 --- a/hw/display/qxl.h +++ b/hw/display/qxl.h @@ -147,6 +147,25 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL) #define QXL_DEFAULT_REVISION (QXL_REVISION_STABLE_V12 + 1) /* qxl.c */ +/** + * qxl_phys2virt: Get a pointer within a PCI VRAM memory region. + * + * @qxl: QXL device + * @phys: physical offset of buffer within the VRAM + * @group_id: memory slot group + * + * Returns a host pointer to a buffer placed at offset @phys within the + * active slot @group_id of the PCI VGA RAM memory region associated with + * the @qxl device. If the slot is inactive, or the offset is out + * of the memory region, returns NULL. + * + * Use with care; by the time this function returns, the returned pointer is + * not protected by RCU anymore. If the caller is not within an RCU critical + * section and does not hold the iothread lock, it must have other means of + * protecting the pointer, such as a reference to the region that includes + * the incoming ram_addr_t. + * + */ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id); void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...) G_GNUC_PRINTF(2, 3);
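Review bot: the new kernel-doc block ends with an empty ` *` line directly before ` */`; drop it so the comment closes cleanly like the rest of the header. The text also mixes terms for the same region, "VRAM" in the summary and @phys lines but "PCI VGA RAM memory region" in the body, and the last paragraph speaks of "the incoming ram_addr_t" while the parameter is a QXLPHYSICAL; pick one name for the region and refer to the actual parameter type. Since the signature `void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id);` carries no length, it would help to say explicitly that the NULL result covers only the offset @phys being outside the slot: a caller that reads a multi-byte structure through the returned pointer must still ensure the whole object fits within the slot, which is the overrun this series is about.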
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
hw/display/qxl.h | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)