* [PATCH qemu 0/2] hw/cxl: Two media operations related fixes.
From: Jonathan Cameron @ 2026-01-02 15:47 UTC
To: Michael Tsirkin, qemu-devel, Vinayak Holikatti
Cc: linuxarm, linux-cxl, Ravi Shankar
Peter reported both of these last cycle. Both are related to sanity
checking parameters.
Jonathan Cameron (2):
hw/cxl: Check for overflow on sanitize media as both base and offset
64bit.
hw/cxl: Take into account how many media operations are requested for
param check
hw/cxl/cxl-mailbox-utils.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--
2.48.1
* [PATCH qemu 1/2] hw/cxl: Check for overflow on sanitize media as both base and offset 64bit.
From: Jonathan Cameron @ 2026-01-02 15:47 UTC
To: Michael Tsirkin, qemu-devel, Vinayak Holikatti
Cc: linuxarm, linux-cxl, Ravi Shankar
As both the size and the base of a media sanitize operation are provided
by the VM, an overflow is possible which may result in checks on valid
range passing when they should not. Close that by checking for overflow
on the addition.
Fixes: 40ab4ed10775 ("hw/cxl/cxl-mailbox-utils: Media operations Sanitize and Write Zeros commands CXL r3.2(8.2.10.9.5.3)")
Closes: https://lore.kernel.org/qemu-devel/CAFEAcA8Rqop+ju0fuxN+0T57NBG+bep80z45f6pY0ci2fz_G3A@mail.gmail.com/
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
hw/cxl/cxl-mailbox-utils.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index a64b8ba5351f..d8f62a13a8ec 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -2411,7 +2411,7 @@ static uint64_t get_dc_size(CXLType3Dev *ct3d, MemoryRegion **dc_mr)
static int validate_dpa_addr(CXLType3Dev *ct3d, uint64_t dpa_addr,
size_t length)
{
- uint64_t vmr_size, pmr_size, dc_size;
+ uint64_t vmr_size, pmr_size, dc_size, dpa_end;
if ((dpa_addr % CXL_CACHE_LINE_SIZE) ||
(length % CXL_CACHE_LINE_SIZE) ||
@@ -2423,7 +2423,12 @@ static int validate_dpa_addr(CXLType3Dev *ct3d, uint64_t dpa_addr,
pmr_size = get_pmr_size(ct3d, NULL);
dc_size = get_dc_size(ct3d, NULL);
- if (dpa_addr + length > vmr_size + pmr_size + dc_size) {
+ /* sanitize 64 bit values coming from guest */
+ if (uadd64_overflow(dpa_addr, length, &dpa_end)) {
+ return -EINVAL;
+ }
+
+ if (dpa_end > vmr_size + pmr_size + dc_size) {
return -EINVAL;
}
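Review bot: the new check covers the guest-controlled left-hand side, but the right-hand side `vmr_size + pmr_size + dc_size` remains an unchecked three-way addition; those sizes come from the device configuration rather than the mailbox payload, so leaving it is fine, but extending the `/* sanitize 64 bit values coming from guest */` comment to say which operands are guest-supplied (and why the total is trusted) would save the next reader from asking. It is also worth noting that `dpa_end` is the exclusive end of the range, so `dpa_end > total` is the intended boundary: a request ending exactly at the last byte of capacity is accepted, one byte beyond is rejected.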
--
2.48.1
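As an added illustration, not code from the patch or from QEMU's tree, the two shapes of the range check side by side on a wrapping input. The region sizes, the cache-line constant and the overflow helper are all constructed locally; `add_u64_overflow` stands in for QEMU's `uadd64_overflow()`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed example geometry; the real sizes come from the device model. */
#define CACHE_LINE_SIZE   64u
#define VMR_SIZE  (256ull << 20)   /* 256 MiB volatile region   */
#define PMR_SIZE  (256ull << 20)   /* 256 MiB persistent region */
#define DC_SIZE   0ull             /* no dynamic capacity       */

/* Local stand-in for QEMU's uadd64_overflow(): true if a + b wraps. */
static bool add_u64_overflow(uint64_t a, uint64_t b, uint64_t *res)
{
    return __builtin_add_overflow(a, b, res);
}

/* Pre-fix shape of the check: dpa_addr + length may wrap to a small value
 * and slip under the capacity limit. */
int validate_dpa_naive(uint64_t dpa_addr, size_t length)
{
    if ((dpa_addr % CACHE_LINE_SIZE) || (length % CACHE_LINE_SIZE)) {
        return -EINVAL;
    }
    if (dpa_addr + length > VMR_SIZE + PMR_SIZE + DC_SIZE) {
        return -EINVAL;
    }
    return 0;
}

/* Post-fix shape: refuse any request whose exclusive end address cannot
 * be represented, then compare the (now trustworthy) end against capacity. */
int validate_dpa_checked(uint64_t dpa_addr, size_t length)
{
    uint64_t dpa_end;

    if ((dpa_addr % CACHE_LINE_SIZE) || (length % CACHE_LINE_SIZE)) {
        return -EINVAL;
    }
    if (add_u64_overflow(dpa_addr, length, &dpa_end)) {
        return -EINVAL;
    }
    if (dpa_end > VMR_SIZE + PMR_SIZE + DC_SIZE) {
        return -EINVAL;
    }
    return 0;
}
```

With base 0xFFFFFFFFFFFFFFC0 and length 128 the naive sum wraps to 64 and the request is accepted; the checked version rejects it.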
* [PATCH qemu 2/2] hw/cxl: Take into account how many media operations are requested for param check
From: Jonathan Cameron @ 2026-01-02 15:47 UTC
To: Michael Tsirkin, qemu-devel, Vinayak Holikatti
Cc: linuxarm, linux-cxl, Ravi Shankar
Whilst the spec doesn't speak to it directly, my assumption is that
a request for more operations than exist should result in an invalid
input error return.
Fixes: 77a8e9fe0ecb ("hw/cxl/cxl-mailbox-utils: Add support for Media operations discovery commands cxl r3.2 (8.2.10.9.5.3)")
Closes: https://lore.kernel.org/qemu-devel/CAFEAcA-p5wZkNxK7wNVq_3PAzEE-muOd1Def-0O-FSpck4DrBQ@mail.gmail.com/
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
hw/cxl/cxl-mailbox-utils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index d8f62a13a8ec..2f449980cdc0 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -2547,7 +2547,7 @@ static CXLRetCode media_operations_discovery(uint8_t *payload_in,
* sub class command.
*/
if (media_op_in_disc_pl->dpa_range_count ||
- start_index > ARRAY_SIZE(media_op_matrix)) {
+ start_index + num_ops > ARRAY_SIZE(media_op_matrix)) {
return CXL_MBOX_INVALID_INPUT;
}
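Review bot: `start_index + num_ops` reintroduces the pattern that patch 1/2 just fixed if both fields are full-width unsigned values taken from the guest payload, since a large `num_ops` can wrap the sum below `ARRAY_SIZE(media_op_matrix)` and pass the check. If the fields are narrower than `int`, the usual arithmetic promotions make the sum safe and nothing further is needed; otherwise a form that cannot wrap, e.g. `start_index > ARRAY_SIZE(media_op_matrix) || num_ops > ARRAY_SIZE(media_op_matrix) - start_index`, is preferable. Either way, stating the field widths in the commit message would make the reasoning reviewable from the hunk alone.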
--
2.48.1
* Re: [PATCH qemu 0/2] hw/cxl: Two media operations related fixes.
From: Jonathan Cameron @ 2026-02-04 11:15 UTC
To: Michael Tsirkin, qemu-devel, Vinayak Holikatti, linuxarm
Cc: linux-cxl, Ravi Shankar, Peter Maydell
On Fri, 2 Jan 2026 15:47:29 +0000
Jonathan Cameron <Jonathan.Cameron@huawei.com> wrote:
> Peter reported both of these last cycle. Both are related to sanity
> checking parameters.
Hi Michael,
Just a reminder to take a look at these and, if possible, queue them up.
I see I didn't +CC Peter. Sorry about that, Peter. If you could sanity
check, as they are fixes for bugs you reported a while back.
Thanks,
Jonathan
>
> Jonathan Cameron (2):
> hw/cxl: Check for overflow on sanitize media as both base and offset
> 64bit.
> hw/cxl: Take into account how many media operations are requested for
> param check
>
> hw/cxl/cxl-mailbox-utils.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
* Re: [PATCH qemu 0/2] hw/cxl: Two media operations related fixes.
From: Michael Tokarev @ 2026-02-05 22:11 UTC
To: Jonathan Cameron, Michael Tsirkin, qemu-devel, Vinayak Holikatti
Cc: linuxarm, linux-cxl, Ravi Shankar, qemu-stable
On 1/2/26 18:47, Jonathan Cameron via wrote:
> Peter reported both of these last cycle. Both are related to sanity
> checking parameters.
>
> Jonathan Cameron (2):
> hw/cxl: Check for overflow on sanitize media as both base and offset
> 64bit.
> hw/cxl: Take into account how many media operations are requested for
> param check
>
> hw/cxl/cxl-mailbox-utils.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
Is this one worth picking up for qemu-stable (10.1.x & 10.2.x)?
Thanks,
/mjt
* Re: [PATCH qemu 0/2] hw/cxl: Two media operations related fixes.
From: Jonathan Cameron @ 2026-02-06 9:42 UTC
To: Michael Tokarev
Cc: Michael Tsirkin, qemu-devel, Vinayak Holikatti, linuxarm,
linux-cxl, Ravi Shankar, qemu-stable
On Fri, 6 Feb 2026 01:11:55 +0300
Michael Tokarev <mjt@tls.msk.ru> wrote:
> On 1/2/26 18:47, Jonathan Cameron via wrote:
> > Peter reported both of these last cycle. Both are related to sanity
> > checking parameters.
> >
> > Jonathan Cameron (2):
> > hw/cxl: Check for overflow on sanitize media as both base and offset
> > 64bit.
> > hw/cxl: Take into account how many media operations are requested for
> > param check
> >
> > hw/cxl/cxl-mailbox-utils.c | 11 ++++++++---
> > 1 file changed, 8 insertions(+), 3 deletions(-)
>
> Is this one worth picking up for qemu-stable (10.1.x & 10.2.x)?
>
They are fairly obscure features, but if it applies cleanly it seems
sensible to backport.
Thanks
Jonathan
> Thanks,
>
> /mjt