[PATCH qemu] hw/cxl: Fix register block locator size

Linux CXL
 help / color / mirror / Atom feed

* [PATCH qemu] hw/cxl: Fix register block locator size
@ 2025-05-29 13:48 Jonathan Cameron
  2025-05-29 17:24 ` Fan Ni
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Jonathan Cameron @ 2025-05-29 13:48 UTC (permalink / raw)
  To: qemu-devel, mst, Fan Ni; +Cc: linux-cxl, linuxarm

This has been wrong from day 1.  For now we only have
two entries (component and device registers).

The wrong size could lead to arbitrary data off the stack being presented
in PCIe config space.

Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
 include/hw/cxl/cxl_pci.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/hw/cxl/cxl_pci.h b/include/hw/cxl/cxl_pci.h
index d0855ed78b..3bb882ce89 100644
--- a/include/hw/cxl/cxl_pci.h
+++ b/include/hw/cxl/cxl_pci.h
@@ -31,7 +31,7 @@
 #define PCIE_CXL3_FLEXBUS_PORT_DVSEC_LENGTH 0x20
 #define PCIE_CXL3_FLEXBUS_PORT_DVSEC_REVID  2
 
-#define REG_LOC_DVSEC_LENGTH 0x24
+#define REG_LOC_DVSEC_LENGTH 0x1C
 #define REG_LOC_DVSEC_REVID  0
 
 enum {
-- 
2.48.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH qemu] hw/cxl: Fix register block locator size
  2025-05-29 13:48 [PATCH qemu] hw/cxl: Fix register block locator size Jonathan Cameron
@ 2025-05-29 17:24 ` Fan Ni
  2025-05-30  2:59 ` Zhijian Li (Fujitsu)
  2025-05-30 13:18 ` Jonathan Cameron
  2 siblings, 0 replies; 5+ messages in thread
From: Fan Ni @ 2025-05-29 17:24 UTC (permalink / raw)
  To: Jonathan Cameron; +Cc: qemu-devel, mst, linux-cxl, linuxarm

On Thu, May 29, 2025 at 02:48:28PM +0100, Jonathan Cameron wrote:
> This has been wrong from day 1.  For now we only have
> two entries (component and device registers).
> 
> The wrong size could lead to arbitrary data off the stack being presented
> in PCIe config space.
> 
> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> ---

Reviewed-by: Fan Ni <fan.ni@samsung.com>

>  include/hw/cxl/cxl_pci.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/hw/cxl/cxl_pci.h b/include/hw/cxl/cxl_pci.h
> index d0855ed78b..3bb882ce89 100644
> --- a/include/hw/cxl/cxl_pci.h
> +++ b/include/hw/cxl/cxl_pci.h
> @@ -31,7 +31,7 @@
>  #define PCIE_CXL3_FLEXBUS_PORT_DVSEC_LENGTH 0x20
>  #define PCIE_CXL3_FLEXBUS_PORT_DVSEC_REVID  2
>  
> -#define REG_LOC_DVSEC_LENGTH 0x24
> +#define REG_LOC_DVSEC_LENGTH 0x1C
>  #define REG_LOC_DVSEC_REVID  0
>  
>  enum {
> -- 
> 2.48.1
> 

-- 
Fan Ni (From gmail)

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH qemu] hw/cxl: Fix register block locator size
  2025-05-29 13:48 [PATCH qemu] hw/cxl: Fix register block locator size Jonathan Cameron
  2025-05-29 17:24 ` Fan Ni
@ 2025-05-30  2:59 ` Zhijian Li (Fujitsu)
  2025-05-30 13:17   ` Jonathan Cameron
  2025-05-30 13:18 ` Jonathan Cameron
  2 siblings, 1 reply; 5+ messages in thread
From: Zhijian Li (Fujitsu) @ 2025-05-30  2:59 UTC (permalink / raw)
  To: Jonathan Cameron, qemu-devel@nongnu.org, mst@redhat.com, Fan Ni
  Cc: linux-cxl@vger.kernel.org, linuxarm@huawei.com



On 29/05/2025 21:48, Jonathan Cameron via wrote:
> This has been wrong from day 1.  For now we only have
> two entries (component and device registers).

Wow, I finally understood this.


> 
> The wrong size could lead to arbitrary data off the stack being presented
> in PCIe config space.
> 
> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> ---
>   include/hw/cxl/cxl_pci.h | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/hw/cxl/cxl_pci.h b/include/hw/cxl/cxl_pci.h
> index d0855ed78b..3bb882ce89 100644
> --- a/include/hw/cxl/cxl_pci.h
> +++ b/include/hw/cxl/cxl_pci.h
> @@ -31,7 +31,7 @@
>   #define PCIE_CXL3_FLEXBUS_PORT_DVSEC_LENGTH 0x20
>   #define PCIE_CXL3_FLEXBUS_PORT_DVSEC_REVID  2
>   
> -#define REG_LOC_DVSEC_LENGTH 0x24
> +#define REG_LOC_DVSEC_LENGTH 0x1C

IMHO, REG_LOC_DVSEC_LENGTH is device specific, that mean we shouldn't put it in
a general header with a general name

try:
$ git grep REG_LOC_DVSEC_LENGTH

we got another REG_LOC_DVSEC_LENGTH, shouldn't its value (0x1C - 0x8)?


  51     regloc_dvsec = &(CXLDVSECRegisterLocator) {
  52         .rsvd         = 0,
  53         .reg0_base_lo = RBI_CXL_DEVICE_REG | 0,
  54         .reg0_base_hi = 0,
  55     };
  56     cxl_component_create_dvsec(cxl_cstate, CXL3_SWITCH_MAILBOX_CCI,
  57                                REG_LOC_DVSEC_LENGTH, REG_LOC_DVSEC,
  58                                REG_LOC_DVSEC_REVID, (uint8_t *)regloc_dvsec);


Thanks
Zhijian



>   #define REG_LOC_DVSEC_REVID  0
>   
>   enum {

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH qemu] hw/cxl: Fix register block locator size
  2025-05-30  2:59 ` Zhijian Li (Fujitsu)
@ 2025-05-30 13:17   ` Jonathan Cameron
  0 siblings, 0 replies; 5+ messages in thread
From: Jonathan Cameron @ 2025-05-30 13:17 UTC (permalink / raw)
  To: Zhijian Li (Fujitsu)
  Cc: qemu-devel@nongnu.org, mst@redhat.com, Fan Ni,
	linux-cxl@vger.kernel.org, linuxarm@huawei.com

On Fri, 30 May 2025 02:59:40 +0000
"Zhijian Li (Fujitsu)" <lizhijian@fujitsu.com> wrote:

> On 29/05/2025 21:48, Jonathan Cameron via wrote:
> > This has been wrong from day 1.  For now we only have
> > two entries (component and device registers).  
> 
> Wow, I finally understood this.
> 
> 
> > 
> > The wrong size could lead to arbitrary data off the stack being presented
> > in PCIe config space.
> > 
> > Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > ---
> >   include/hw/cxl/cxl_pci.h | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/include/hw/cxl/cxl_pci.h b/include/hw/cxl/cxl_pci.h
> > index d0855ed78b..3bb882ce89 100644
> > --- a/include/hw/cxl/cxl_pci.h
> > +++ b/include/hw/cxl/cxl_pci.h
> > @@ -31,7 +31,7 @@
> >   #define PCIE_CXL3_FLEXBUS_PORT_DVSEC_LENGTH 0x20
> >   #define PCIE_CXL3_FLEXBUS_PORT_DVSEC_REVID  2
> >   
> > -#define REG_LOC_DVSEC_LENGTH 0x24
> > +#define REG_LOC_DVSEC_LENGTH 0x1C  
> 
> IMHO, REG_LOC_DVSEC_LENGTH is device specific, that mean we shouldn't put it in
> a general header with a general name
> 
> try:
> $ git grep REG_LOC_DVSEC_LENGTH
> 
> we got another REG_LOC_DVSEC_LENGTH, shouldn't its value (0x1C - 0x8)?
> 
> 
>   51     regloc_dvsec = &(CXLDVSECRegisterLocator) {
>   52         .rsvd         = 0,
>   53         .reg0_base_lo = RBI_CXL_DEVICE_REG | 0,
>   54         .reg0_base_hi = 0,
>   55     };
>   56     cxl_component_create_dvsec(cxl_cstate, CXL3_SWITCH_MAILBOX_CCI,
>   57                                REG_LOC_DVSEC_LENGTH, REG_LOC_DVSEC,
>   58                                REG_LOC_DVSEC_REVID, (uint8_t *)regloc_dvsec);
> 
Ah.  This isn't a bug at all.  I clearly needed more caffeine.

We are fine because at least in 3.2 the register block identifier of 0 is reserved and
I misread the code completely.  It is odd to have empty entries but not a bug.

Jonathan

> 
> Thanks
> Zhijian
> 
> 
> 
> >   #define REG_LOC_DVSEC_REVID  0
> >   
> >   enum   


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH qemu] hw/cxl: Fix register block locator size
  2025-05-29 13:48 [PATCH qemu] hw/cxl: Fix register block locator size Jonathan Cameron
  2025-05-29 17:24 ` Fan Ni
  2025-05-30  2:59 ` Zhijian Li (Fujitsu)
@ 2025-05-30 13:18 ` Jonathan Cameron
  2 siblings, 0 replies; 5+ messages in thread
From: Jonathan Cameron @ 2025-05-30 13:18 UTC (permalink / raw)
  To: qemu-devel, mst, Fan Ni, linuxarm; +Cc: linux-cxl

On Thu, 29 May 2025 14:48:28 +0100
Jonathan Cameron <Jonathan.Cameron@huawei.com> wrote:

> This has been wrong from day 1.  For now we only have
> two entries (component and device registers).
> 
> The wrong size could lead to arbitrary data off the stack being presented
> in PCIe config space.

As noted in reply to Zhijian, this whole patch is garbage.
A fixed 'larger' size is fine as it will be 0 filled and that
is valid under the spec. 

Sorry for the noise.

Jonathan

> 
> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> ---
>  include/hw/cxl/cxl_pci.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/hw/cxl/cxl_pci.h b/include/hw/cxl/cxl_pci.h
> index d0855ed78b..3bb882ce89 100644
> --- a/include/hw/cxl/cxl_pci.h
> +++ b/include/hw/cxl/cxl_pci.h
> @@ -31,7 +31,7 @@
>  #define PCIE_CXL3_FLEXBUS_PORT_DVSEC_LENGTH 0x20
>  #define PCIE_CXL3_FLEXBUS_PORT_DVSEC_REVID  2
>  
> -#define REG_LOC_DVSEC_LENGTH 0x24
> +#define REG_LOC_DVSEC_LENGTH 0x1C
>  #define REG_LOC_DVSEC_REVID  0
>  
>  enum {


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2025-05-30 13:18 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-05-29 13:48 [PATCH qemu] hw/cxl: Fix register block locator size Jonathan Cameron
2025-05-29 17:24 ` Fan Ni
2025-05-30  2:59 ` Zhijian Li (Fujitsu)
2025-05-30 13:17   ` Jonathan Cameron
2025-05-30 13:18 ` Jonathan Cameron

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox