* [PATCH qemu 0/2] hw/cxl: Two media operations related fixes.
From: Jonathan Cameron via @ 2026-01-02 15:47 UTC (permalink / raw)
To: Michael Tsirkin, qemu-devel, Vinayak Holikatti
Cc: linuxarm, linux-cxl, Ravi Shankar
Peter reported both of these last cycle. Both are related to sanity
checking parameters.
Jonathan Cameron (2):
hw/cxl: Check for overflow on sanitize media as both base and offset
64bit.
hw/cxl: Take into account how many media operations are requested for
param check
hw/cxl/cxl-mailbox-utils.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--
2.48.1

* [PATCH qemu 1/2] hw/cxl: Check for overflow on sanitize media as both base and offset 64bit.
From: Jonathan Cameron @ 2026-01-02 15:47 UTC (permalink / raw)
To: Michael Tsirkin, qemu-devel, Vinayak Holikatti
Cc: linuxarm, linux-cxl, Ravi Shankar
Both the size and the base of a media sanitize operation are provided
by the VM, so an overflow is possible which may result in checks on valid
range passing when they should not. Close that by checking for overflow
on the addition.
Fixes: 40ab4ed10775 ("hw/cxl/cxl-mailbox-utils: Media operations Sanitize and Write Zeros commands CXL r3.2(8.2.10.9.5.3)")
Closes: https://lore.kernel.org/qemu-devel/CAFEAcA8Rqop+ju0fuxN+0T57NBG+bep80z45f6pY0ci2fz_G3A@mail.gmail.com/
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
hw/cxl/cxl-mailbox-utils.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index a64b8ba5351f..d8f62a13a8ec 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -2411,7 +2411,7 @@ static uint64_t get_dc_size(CXLType3Dev *ct3d, MemoryRegion **dc_mr)
static int validate_dpa_addr(CXLType3Dev *ct3d, uint64_t dpa_addr,
size_t length)
{
- uint64_t vmr_size, pmr_size, dc_size;
+ uint64_t vmr_size, pmr_size, dc_size, dpa_end;
if ((dpa_addr % CXL_CACHE_LINE_SIZE) ||
(length % CXL_CACHE_LINE_SIZE) ||
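Review bot: the signature keeps `size_t length` while the new `dpa_end` is `uint64_t`; on a 32-bit host a 64-bit guest-supplied length would already be truncated by the caller before this function sees it, so either confirm this path only runs with a 64-bit `size_t` or change the parameter to `uint64_t length` so the check really covers the full guest value.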
@@ -2423,7 +2423,12 @@ static int validate_dpa_addr(CXLType3Dev *ct3d, uint64_t dpa_addr,
pmr_size = get_pmr_size(ct3d, NULL);
dc_size = get_dc_size(ct3d, NULL);
- if (dpa_addr + length > vmr_size + pmr_size + dc_size) {
+ /* sanitize 64 bit values coming from guest */
+ if (uadd64_overflow(dpa_addr, length, &dpa_end)) {
+ return -EINVAL;
+ }
+
+ if (dpa_end > vmr_size + pmr_size + dc_size) {
return -EINVAL;
}
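Review bot: the comment `/* sanitize 64 bit values coming from guest */` names the source but not the hazard; something like `/* dpa_addr and length are guest controlled: reject a wrapping sum */` tells the next reader why `uadd64_overflow` is needed here. The right-hand side `vmr_size + pmr_size + dc_size` stays unchecked, which is fine because those are device-side sizes rather than guest input, but a one-line note saying so would stop the next reviewer asking the same question.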
--
2.48.1
* [PATCH qemu 2/2] hw/cxl: Take into account how many media operations are requested for param check
From: Jonathan Cameron @ 2026-01-02 15:47 UTC (permalink / raw)
To: Michael Tsirkin, qemu-devel, Vinayak Holikatti
Cc: linuxarm, linux-cxl, Ravi Shankar
Whilst the spec doesn't speak to it directly, my assumption is that
a request for more operations than exist should result in an invalid
input error return.
Fixes: 77a8e9fe0ecb ("hw/cxl/cxl-mailbox-utils: Add support for Media operations discovery commands cxl r3.2 (8.2.10.9.5.3)")
Closes: https://lore.kernel.org/qemu-devel/CAFEAcA-p5wZkNxK7wNVq_3PAzEE-muOd1Def-0O-FSpck4DrBQ@mail.gmail.com/
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
hw/cxl/cxl-mailbox-utils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index d8f62a13a8ec..2f449980cdc0 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -2547,7 +2547,7 @@ static CXLRetCode media_operations_discovery(uint8_t *payload_in,
* sub class command.
*/
if (media_op_in_disc_pl->dpa_range_count ||
- start_index > ARRAY_SIZE(media_op_matrix)) {
+ start_index + num_ops > ARRAY_SIZE(media_op_matrix)) {
return CXL_MBOX_INVALID_INPUT;
}
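Review bot: the types of `start_index` and `num_ops` are not visible in this hunk; if both are 64-bit guest-supplied fields, `start_index + num_ops` can wrap exactly like the addition fixed in 1/2, so either bound `num_ops` against `ARRAY_SIZE(media_op_matrix)` on its own first or use `uadd64_overflow` here as well. Separately, with `num_ops == 0` a `start_index` equal to `ARRAY_SIZE(media_op_matrix)` still passes the new check; that is harmless if the copy loop then runs zero times, but it deserves a comment, or an explicit rejection of `num_ops == 0` if that is what the spec expects.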
--
2.48.1
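Both checks in this series side by side, as an added example that is not QEMU's code: the geometry (a 1 GiB media and a four-entry matrix) and the `add64_overflow` helper, which stands in for QEMU's `uadd64_overflow()`, are assumptions made for the example. The `_before` functions reproduce the comparisons the two patches replace and the `_after` functions the replacements; `discovery_check_after` additionally tests the index/count sum for wrap, which goes one step beyond what patch 2/2 itself does. Unsigned addition wraps modulo 2^64, which is what lets a guest-chosen sum slip past the old comparisons.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed geometry for this example, not QEMU's values. */
#define CXL_CACHE_LINE_SIZE 64
#define MEDIA_SIZE          (1ULL << 30)  /* vmr_size + pmr_size + dc_size */
#define MEDIA_OP_COUNT      4             /* ARRAY_SIZE(media_op_matrix) */

/* Stand-in for QEMU's uadd64_overflow(): true if a + b wraps at 2^64. */
static bool add64_overflow(uint64_t a, uint64_t b, uint64_t *sum)
{
    return __builtin_add_overflow(a, b, sum);
}

/*
 * Patch 1/2, before: dpa_addr and length both come from the guest, so the
 * sum wraps and a range far beyond the media passes the size comparison.
 */
int validate_dpa_before(uint64_t dpa_addr, uint64_t length)
{
    if ((dpa_addr % CXL_CACHE_LINE_SIZE) || (length % CXL_CACHE_LINE_SIZE)) {
        return -EINVAL;
    }
    if (dpa_addr + length > MEDIA_SIZE) {  /* unsigned wrap, no diagnostic */
        return -EINVAL;
    }
    return 0;
}

/* Patch 1/2, after: reject a wrapping sum before comparing it to the media. */
int validate_dpa_after(uint64_t dpa_addr, uint64_t length)
{
    uint64_t dpa_end;

    if ((dpa_addr % CXL_CACHE_LINE_SIZE) || (length % CXL_CACHE_LINE_SIZE)) {
        return -EINVAL;
    }
    if (add64_overflow(dpa_addr, length, &dpa_end)) {
        return -EINVAL;
    }
    if (dpa_end > MEDIA_SIZE) {
        return -EINVAL;
    }
    return 0;
}

/*
 * Patch 2/2, before: only start_index is bounded, and with '>' rather than
 * '>=', so start_index == MEDIA_OP_COUNT passes and num_ops is unchecked;
 * copying num_ops entries from start_index would run off the matrix.
 */
int discovery_check_before(uint64_t start_index, uint64_t num_ops)
{
    (void)num_ops;
    if (start_index > MEDIA_OP_COUNT) {
        return -EINVAL;
    }
    return 0;
}

/*
 * Patch 2/2, after: the whole window [start_index, start_index + num_ops)
 * must lie inside the matrix. The wrap test is an addition on top of the
 * patch, for the case where both fields are 64-bit guest input.
 */
int discovery_check_after(uint64_t start_index, uint64_t num_ops)
{
    uint64_t end;

    if (add64_overflow(start_index, num_ops, &end) || end > MEDIA_OP_COUNT) {
        return -EINVAL;
    }
    return 0;
}

int main(void)
{
    /* Sum wraps to 0x40 under the old check; the new check rejects it. */
    uint64_t dpa = 0xFFFFFFFFFFFFFFC0ULL, len = 0x80;

    printf("dpa range  before=%d after=%d\n",
           validate_dpa_before(dpa, len), validate_dpa_after(dpa, len));
    /* Index 4 of a 4-entry matrix: accepted before, rejected after. */
    printf("discovery  before=%d after=%d\n",
           discovery_check_before(4, 1), discovery_check_after(4, 1));
    return 0;
}
```

The `0xFFFFFFFFFFFFFFC0` base is cache-line aligned, so it clears the alignment test; only the wrap check stops it. For the discovery command the interesting inputs are the off-by-one (`start_index == MEDIA_OP_COUNT`) and a window that starts inside the matrix but ends past it.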
* Re: [PATCH qemu 0/2] hw/cxl: Two media operations related fixes.
From: Jonathan Cameron @ 2026-02-04 11:15 UTC (permalink / raw)
To: Michael Tsirkin, qemu-devel, Vinayak Holikatti, linuxarm
Cc: linux-cxl, Ravi Shankar, Peter Maydell
On Fri, 2 Jan 2026 15:47:29 +0000
Jonathan Cameron <Jonathan.Cameron@huawei.com> wrote:
> Peter reported both of these last cycle. Both are related to sanity
> checking parameters.
Hi Michael
Just a reminder to take a look at and if possible queue these up.
I see I didn't +CC Peter. Sorry about that, Peter. If you could sanity
check, as they are fixes for bugs you reported a while back.
Thanks,
Jonathan
>
> Jonathan Cameron (2):
> hw/cxl: Check for overflow on sanitize media as both base and offset
> 64bit.
> hw/cxl: Take into account how many media operations are requested for
> param check
>
> hw/cxl/cxl-mailbox-utils.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
* Re: [PATCH qemu 0/2] hw/cxl: Two media operations related fixes.
From: Michael Tokarev @ 2026-02-05 22:11 UTC (permalink / raw)
To: Jonathan Cameron, Michael Tsirkin, qemu-devel, Vinayak Holikatti
Cc: linuxarm, linux-cxl, Ravi Shankar, qemu-stable
On 1/2/26 18:47, Jonathan Cameron via wrote:
> Peter reported both of these last cycle. Both are related to sanity
> checking parameters.
>
> Jonathan Cameron (2):
> hw/cxl: Check for overflow on sanitize media as both base and offset
> 64bit.
> hw/cxl: Take into account how many media operations are requested for
> param check
>
> hw/cxl/cxl-mailbox-utils.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
Is this one worth picking up for qemu-stable (10.1.x & 10.2.x)?
Thanks,
/mjt

* Re: [PATCH qemu 0/2] hw/cxl: Two media operations related fixes.
From: Jonathan Cameron @ 2026-02-06 9:42 UTC (permalink / raw)
To: Michael Tokarev
Cc: Michael Tsirkin, qemu-devel, Vinayak Holikatti, linuxarm,
linux-cxl, Ravi Shankar, qemu-stable
On Fri, 6 Feb 2026 01:11:55 +0300
Michael Tokarev <mjt@tls.msk.ru> wrote:
> On 1/2/26 18:47, Jonathan Cameron via wrote:
> > Peter reported both of these last cycle. Both are related to sanity
> > checking parameters.
> >
> > Jonathan Cameron (2):
> > hw/cxl: Check for overflow on sanitize media as both base and offset
> > 64bit.
> > hw/cxl: Take into account how many media operations are requested for
> > param check
> >
> > hw/cxl/cxl-mailbox-utils.c | 11 ++++++++---
> > 1 file changed, 8 insertions(+), 3 deletions(-)
>
> Is this one worth picking up for qemu-stable (10.1.x & 10.2.x)?
>
They are fairly obscure features but if it applies cleanly it seems
sensible to backport.
Thanks
Jonathan
> Thanks,
>
> /mjt