From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
To: "Zhijian Li (Fujitsu)" <lizhijian@fujitsu.com>
Cc: "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"mst@redhat.com" <mst@redhat.com>, Fan Ni <fan.ni@samsung.com>,
"linux-cxl@vger.kernel.org" <linux-cxl@vger.kernel.org>,
"linuxarm@huawei.com" <linuxarm@huawei.com>
Subject: Re: [PATCH qemu] hw/cxl: Fix register block locator size
Date: Fri, 30 May 2025 14:17:00 +0100 [thread overview]
Message-ID: <20250530141700.00005619@huawei.com> (raw)
In-Reply-To: <e7050a05-3349-46c6-9ac5-60b621f54a0b@fujitsu.com>
On Fri, 30 May 2025 02:59:40 +0000
"Zhijian Li (Fujitsu)" <lizhijian@fujitsu.com> wrote:
> On 29/05/2025 21:48, Jonathan Cameron via wrote:
> > This has been wrong from day 1. For now we only have
> > two entries (component and device registers).
>
> Wow, I finally understood this.
>
>
> >
> > The wrong size could lead to arbitrary data off the stack being presented
> > in PCIe config space.
> >
> > Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > ---
> > include/hw/cxl/cxl_pci.h | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/include/hw/cxl/cxl_pci.h b/include/hw/cxl/cxl_pci.h
> > index d0855ed78b..3bb882ce89 100644
> > --- a/include/hw/cxl/cxl_pci.h
> > +++ b/include/hw/cxl/cxl_pci.h
> > @@ -31,7 +31,7 @@
> > #define PCIE_CXL3_FLEXBUS_PORT_DVSEC_LENGTH 0x20
> > #define PCIE_CXL3_FLEXBUS_PORT_DVSEC_REVID 2
> >
> > -#define REG_LOC_DVSEC_LENGTH 0x24
> > +#define REG_LOC_DVSEC_LENGTH 0x1C
>
> IMHO, REG_LOC_DVSEC_LENGTH is device specific, that mean we shouldn't put it in
> a general header with a general name
>
> try:
> $ git grep REG_LOC_DVSEC_LENGTH
>
> we got another REG_LOC_DVSEC_LENGTH, shouldn't its value (0x1C - 0x8)?
>
>
> 51 regloc_dvsec = &(CXLDVSECRegisterLocator) {
> 52 .rsvd = 0,
> 53 .reg0_base_lo = RBI_CXL_DEVICE_REG | 0,
> 54 .reg0_base_hi = 0,
> 55 };
> 56 cxl_component_create_dvsec(cxl_cstate, CXL3_SWITCH_MAILBOX_CCI,
> 57 REG_LOC_DVSEC_LENGTH, REG_LOC_DVSEC,
> 58 REG_LOC_DVSEC_REVID, (uint8_t *)regloc_dvsec);
>
Ah. This isn't a bug at all. I clearly needed more caffeine.
We are fine because at least in 3.2 the register block identifier of 0 is reserved and
I misread the code completely. It is odd to have empty entries but not a bug.
Jonathan
>
> Thanks
> Zhijian
>
>
>
> > #define REG_LOC_DVSEC_REVID 0
> >
> > enum
WARNING: multiple messages have this Message-ID (diff)
From: Jonathan Cameron via <qemu-devel@nongnu.org>
To: "Zhijian Li (Fujitsu)" <lizhijian@fujitsu.com>
Cc: "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"mst@redhat.com" <mst@redhat.com>, Fan Ni <fan.ni@samsung.com>,
"linux-cxl@vger.kernel.org" <linux-cxl@vger.kernel.org>,
"linuxarm@huawei.com" <linuxarm@huawei.com>
Subject: Re: [PATCH qemu] hw/cxl: Fix register block locator size
Date: Fri, 30 May 2025 14:17:00 +0100 [thread overview]
Message-ID: <20250530141700.00005619@huawei.com> (raw)
In-Reply-To: <e7050a05-3349-46c6-9ac5-60b621f54a0b@fujitsu.com>
On Fri, 30 May 2025 02:59:40 +0000
"Zhijian Li (Fujitsu)" <lizhijian@fujitsu.com> wrote:
> On 29/05/2025 21:48, Jonathan Cameron via wrote:
> > This has been wrong from day 1. For now we only have
> > two entries (component and device registers).
>
> Wow, I finally understood this.
>
>
> >
> > The wrong size could lead to arbitrary data off the stack being presented
> > in PCIe config space.
> >
> > Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > ---
> > include/hw/cxl/cxl_pci.h | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/include/hw/cxl/cxl_pci.h b/include/hw/cxl/cxl_pci.h
> > index d0855ed78b..3bb882ce89 100644
> > --- a/include/hw/cxl/cxl_pci.h
> > +++ b/include/hw/cxl/cxl_pci.h
> > @@ -31,7 +31,7 @@
> > #define PCIE_CXL3_FLEXBUS_PORT_DVSEC_LENGTH 0x20
> > #define PCIE_CXL3_FLEXBUS_PORT_DVSEC_REVID 2
> >
> > -#define REG_LOC_DVSEC_LENGTH 0x24
> > +#define REG_LOC_DVSEC_LENGTH 0x1C
>
> IMHO, REG_LOC_DVSEC_LENGTH is device specific, that mean we shouldn't put it in
> a general header with a general name
>
> try:
> $ git grep REG_LOC_DVSEC_LENGTH
>
> we got another REG_LOC_DVSEC_LENGTH, shouldn't its value (0x1C - 0x8)?
>
>
> 51 regloc_dvsec = &(CXLDVSECRegisterLocator) {
> 52 .rsvd = 0,
> 53 .reg0_base_lo = RBI_CXL_DEVICE_REG | 0,
> 54 .reg0_base_hi = 0,
> 55 };
> 56 cxl_component_create_dvsec(cxl_cstate, CXL3_SWITCH_MAILBOX_CCI,
> 57 REG_LOC_DVSEC_LENGTH, REG_LOC_DVSEC,
> 58 REG_LOC_DVSEC_REVID, (uint8_t *)regloc_dvsec);
>
Ah. This isn't a bug at all. I clearly needed more caffeine.
We are fine because at least in 3.2 the register block identifier of 0 is reserved and
I misread the code completely. It is odd to have empty entries but not a bug.
Jonathan
>
> Thanks
> Zhijian
>
>
>
> > #define REG_LOC_DVSEC_REVID 0
> >
> > enum
next prev parent reply other threads:[~2025-05-30 13:17 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-29 13:48 [PATCH qemu] hw/cxl: Fix register block locator size Jonathan Cameron
2025-05-29 13:48 ` Jonathan Cameron via
2025-05-29 17:24 ` Fan Ni
2025-05-30 2:59 ` Zhijian Li (Fujitsu)
2025-05-30 2:59 ` Zhijian Li (Fujitsu) via
2025-05-30 13:17 ` Jonathan Cameron [this message]
2025-05-30 13:17 ` Jonathan Cameron via
2025-05-30 13:18 ` Jonathan Cameron
2025-05-30 13:18 ` Jonathan Cameron via
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250530141700.00005619@huawei.com \
--to=jonathan.cameron@huawei.com \
--cc=fan.ni@samsung.com \
--cc=linux-cxl@vger.kernel.org \
--cc=linuxarm@huawei.com \
--cc=lizhijian@fujitsu.com \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.