On Wed, 28 Sep 2022 17:16:51 +0200 dinhngoc.tu@xxxxxxx wrote: Hi, > From: Tu Dinh Ngoc <dinhngoc.tu@xxxxxxx> > > The `len' parameter of kvm__register_pio specifies a range of I/O ports > to be registered for the same handler. However, the `size' parameter of > PIO events specifies the number of bytes read/written to a single I/O > port. > > kvm__emulate_io confuses the two and uses the number of bytes > read/written in its I/O handler search, meaning reads/writes with a size > larger than the registered range length will be silently dropped. Yes, and this is intended. On real hardware you just cannot generally expect larger I/O accesses to work and affect multiple registers, this is true for both the legacy IBM PC I/O operations, and also for modern MMIO devices. And specifically exceeding the registered range should be outright denied. So where did you see this problem? Because this looks like a misbehaving guest, and we should not take any chances and prefer denying dodgy requests over potentially running into security issues by allowing accesses beyond the allocated range. Cheers, Andre > > Fix this issue by specifying a MMIO tree search range of 1 port. > --- > mmio.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/mmio.c b/mmio.c > index 5a114e9..212e979 100644 > --- a/mmio.c > +++ b/mmio.c > @@ -222,7 +222,7 @@ bool kvm__emulate_io(struct kvm_cpu *vcpu, u16 port, void *data, > struct mmio_mapping *mmio; > bool is_write = direction == KVM_EXIT_IO_OUT; > > - mmio = mmio_get(&pio_tree, port, size); > + mmio = mmio_get(&pio_tree, port, 1); > if (!mmio) { > if (vcpu->kvm->cfg.ioport_debug) { > fprintf(stderr, "IO error: %s port=%x, size=%d, count=%u\n",
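Review bot: with `mmio = mmio_get(&pio_tree, port, 1);` the search only asks whether `port` itself is registered; the access width in `size` is never compared against the handler's range any more, so an access that starts on the last registered port and runs past the end of the range (the case the reply says must be denied) now matches and is handed to the handler. If the intent is to accept a multi-byte access to a single registered port, keep a bounds check after the lookup (reject when port + size goes beyond the mapping's end) instead of dropping the length argument, and state in the commit message which guest access was being dropped, since the message currently describes only the symptom. Minor: the message says "MMIO tree" while the hunk changes the `pio_tree` lookup.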
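The following is an added example, not kvmtool code and not from either participant, that models the two lookup policies the thread argues over: a window lookup that requires the whole access to fit inside one registration (the behaviour the reply describes for the pre-patch `mmio_get(&pio_tree, port, size)`), and a point lookup that only checks the first port (the patched `mmio_get(&pio_tree, port, 1)`). The registry, port numbers and function names are constructed for illustration and are assumptions, not kvmtool's data structures.

```c
/*
 * Added example (not kvmtool code): a constructed model of the two PIO
 * lookup policies discussed in the thread. The registry contents, port
 * numbers and function names are made up for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A registered PIO handler covers ports [port, port + len). */
struct pio_range {
	uint16_t port;
	uint32_t len;
	const char *name;
};

/* Constructed registry standing in for pio_tree (hypothetical values). */
static const struct pio_range registry[] = {
	{ 0x3f8, 8, "serial" },   /* ports 0x3f8..0x3ff */
	{ 0xcf8, 4, "pci-addr" }, /* ports 0xcf8..0xcfb */
};

/* Return the registration containing a single port, or NULL. */
static const struct pio_range *pio_find_port(uint16_t port)
{
	size_t i;

	for (i = 0; i < sizeof(registry) / sizeof(registry[0]); i++) {
		uint32_t start = registry[i].port;
		uint32_t end = start + registry[i].len; /* exclusive */

		if (port >= start && port < end)
			return &registry[i];
	}
	return NULL;
}

/*
 * Window lookup: the whole access [port, port + len) must lie inside one
 * registration. Models the pre-patch mmio_get(&pio_tree, port, size):
 * an access that runs past the registered range is denied.
 */
static const struct pio_range *pio_lookup_window(uint16_t port, uint32_t len)
{
	const struct pio_range *r;

	if (len == 0)
		return NULL; /* zero-length access is invalid */
	r = pio_find_port(port);
	if (!r)
		return NULL;
	if ((uint32_t)port + len > (uint32_t)r->port + r->len)
		return NULL; /* access spills past the handler's range */
	return r;
}

/*
 * Point lookup: only the first port has to be registered. Models the
 * patched mmio_get(&pio_tree, port, 1): the access width is never checked,
 * so a wide access at the end of a range still matches.
 */
static const struct pio_range *pio_lookup_point(uint16_t port, uint32_t len)
{
	(void)len; /* deliberately ignored, as in the patched call */
	return pio_find_port(port);
}

/* Handler name for a match, "denied" for NULL. */
static const char *describe(const struct pio_range *r)
{
	return r ? r->name : "denied";
}

int main(void)
{
	/* Constructed guest accesses: (first port, width in bytes). */
	struct { uint16_t port; uint32_t len; } cases[] = {
		{ 0xcf8, 4 }, /* 4-byte access on the full PCI address port */
		{ 0xcfa, 4 }, /* 4 bytes starting two ports before the end */
		{ 0x3ff, 4 }, /* 4 bytes on the last serial port, into 0x400.. */
		{ 0x400, 1 }, /* unregistered port */
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("port=%#x len=%u  window:%-9s point:%s\n",
		       cases[i].port, cases[i].len,
		       describe(pio_lookup_window(cases[i].port, cases[i].len)),
		       describe(pio_lookup_point(cases[i].port, cases[i].len)));
	return 0;
}
```

The third case is the one the reply worries about: the window lookup denies a 4-byte access at 0x3ff because bytes for 0x400 to 0x402 fall outside the serial registration, while the point lookup matches it and would pass the whole access to the serial handler.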