From: Peter Maydell <peter.maydell@linaro.org>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: qemu-devel@nongnu.org, Vinayak Holikatti <vinayak.kh@samsung.com>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Fan Ni <fan.ni@samsung.com>
Subject: Re: [PULL 05/27] hw/cxl/cxl-mailbox-utils: Media operations Sanitize and Write Zeros commands CXL r3.2(8.2.10.9.5.3)
Date: Tue, 28 Oct 2025 13:41:00 +0000 [thread overview]
Message-ID: <CAFEAcA99KqkF+T-vBo2yihaTy5GhUmPoNFkii_cDM0+WX-5Epg@mail.gmail.com> (raw)
In-Reply-To: <CAFEAcA8Rqop+ju0fuxN+0T57NBG+bep80z45f6pY0ci2fz_G3A@mail.gmail.com>
Ping -- these issues in this change seem to still be
present in the current version. Would somebody like to have
a look at them ?
On Thu, 10 Jul 2025 at 14:23, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> On Wed, 14 May 2025 at 12:50, Michael S. Tsirkin <mst@redhat.com> wrote:
> >
> > From: Vinayak Holikatti <vinayak.kh@samsung.com>
> >
> > CXL spec 3.2 section 8.2.10.9.5.3 describes media operations commands.
> > CXL devices supports media operations Sanitize and Write zero command.
> >
> > Signed-off-by: Vinayak Holikatti <vinayak.kh@samsung.com>
> > Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > Message-Id: <20250305092501.191929-6-Jonathan.Cameron@huawei.com>
> > Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> > Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > ---
>
> > +static int validate_dpa_addr(CXLType3Dev *ct3d, uint64_t dpa_addr,
> > + size_t length)
> > +{
> > + uint64_t vmr_size, pmr_size, dc_size;
> > +
> > + if ((dpa_addr % CXL_CACHE_LINE_SIZE) ||
> > + (length % CXL_CACHE_LINE_SIZE) ||
> > + (length <= 0)) {
> > + return -EINVAL;
> > + }
> > +
> > + vmr_size = get_vmr_size(ct3d, NULL);
> > + pmr_size = get_pmr_size(ct3d, NULL);
> > + dc_size = get_dc_size(ct3d, NULL);
> > +
> > + if (dpa_addr + length > vmr_size + pmr_size + dc_size) {
>
> Hi; Coverity flagged up a potential issue in this function (CID 1610093)
> Partly it is a false positive (it thinks vmr_size etc can
> be -1, but they won't I assume ever be memory regions of that
> size), but it did make me notice that this address/length
> check looks wrong. If the guest can pass us a (dpa_addr, length)
> combination that overflows a 64-bit integer then we can
> incorrectly pass this length test.
>
> > + return -EINVAL;
> > + }
> > +
> > + if (dpa_addr > vmr_size + pmr_size) {
> > + if (!ct3_test_region_block_backed(ct3d, dpa_addr, length)) {
> > + return -ENODEV;
> > + }
> > + }
> > +
> > + return 0;
> > +}
>
>
>
> > +static CXLRetCode media_operations_sanitize(CXLType3Dev *ct3d,
> > + uint8_t *payload_in,
> > + size_t len_in,
> > + uint8_t *payload_out,
> > + size_t *len_out,
> > + uint8_t fill_value,
> > + CXLCCI *cci)
> > +{
> > + struct media_operations_sanitize {
> > + uint8_t media_operation_class;
> > + uint8_t media_operation_subclass;
> > + uint8_t rsvd[2];
> > + uint32_t dpa_range_count;
> > + struct dpa_range_list_entry dpa_range_list[];
> > + } QEMU_PACKED *media_op_in_sanitize_pl = (void *)payload_in;
> > + uint32_t dpa_range_count = media_op_in_sanitize_pl->dpa_range_count;
>
> This looks dubious -- a packed struct presumably from the
> guest, with a 32-bit value, that we are reading without
> doing any handling of host endianness ?
>
> thanks
> -- PMM
next prev parent reply other threads:[~2025-10-28 13:42 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-14 11:50 [PULL 00/27] virtio,pci,pc: fixes, features Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 01/27] hw/cxl: Support aborting background commands Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 02/27] hw/cxl: Support get/set mctp response payload size Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 03/27] hw/cxl/cxl-mailbox-utils: Add support for Media operations discovery commands cxl r3.2 (8.2.10.9.5.3) Michael S. Tsirkin
2025-07-10 13:26 ` Peter Maydell
2025-09-17 13:05 ` Jonathan Cameron via
2025-05-14 11:50 ` [PULL 04/27] hw/cxl: factor out calculation of sanitize duration from cmd_santize_overwrite Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 05/27] hw/cxl/cxl-mailbox-utils: Media operations Sanitize and Write Zeros commands CXL r3.2(8.2.10.9.5.3) Michael S. Tsirkin
2025-07-10 13:23 ` Peter Maydell
2025-10-28 13:41 ` Peter Maydell [this message]
2025-05-14 11:50 ` [PULL 06/27] hw/cxl/cxl-mailbox-utils: CXL CCI Get/Set alert config commands Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 07/27] docs/cxl: Add serial number for persistent-memdev Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 08/27] hw/pci: Do not add ROM BAR for SR-IOV VF Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 09/27] hw/pci: Fix SR-IOV VF number calculation Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 10/27] pcie_sriov: Ensure PF and VF are mutually exclusive Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 11/27] pcie_sriov: Check PCI Express for SR-IOV PF Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 12/27] pcie_sriov: Allow user to create SR-IOV device Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 13/27] virtio-pci: Implement SR-IOV PF Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 14/27] virtio-net: Implement SR-IOV VF Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 15/27] docs: Document composable SR-IOV device Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 16/27] pcie_sriov: Make a PCI device with user-created VF ARI-capable Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 17/27] pci-testdev.c: Add membar-backed option for backing membar Michael S. Tsirkin
2025-05-14 11:50 ` [PULL 18/27] system/runstate: add VM state change cb with return value Michael S. Tsirkin
2025-05-14 11:51 ` [PULL 19/27] vhost: return failure if stop virtqueue failed in vhost_dev_stop Michael S. Tsirkin
2025-05-14 11:51 ` [PULL 20/27] vhost-user: return failure if backend crash when live migration Michael S. Tsirkin
2025-05-14 11:51 ` [PULL 21/27] vhost-scsi: support VIRTIO_SCSI_F_HOTPLUG Michael S. Tsirkin
2025-05-14 11:51 ` [PULL 22/27] virtio: Call set_features during reset Michael S. Tsirkin
2025-05-14 11:51 ` [PULL 23/27] virtio: Move virtio_reset() Michael S. Tsirkin
2025-05-14 11:51 ` [PULL 24/27] intel_iommu: Use BQL_LOCK_GUARD to manage cleanup automatically Michael S. Tsirkin
2025-05-14 11:51 ` [PULL 25/27] intel_iommu: Take locks when looking for and creating address spaces Michael S. Tsirkin
2025-05-14 11:51 ` [PULL 26/27] hw/i386/amd_iommu: Isolate AMDVI-PCI from amd-iommu device to allow full control over the PCI device creation Michael S. Tsirkin
2025-05-14 11:51 ` [PULL 27/27] hw/i386/amd_iommu: Allow migration when explicitly create the AMDVI-PCI device Michael S. Tsirkin
2025-05-15 21:53 ` [PULL 00/27] virtio,pci,pc: fixes, features Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFEAcA99KqkF+T-vBo2yihaTy5GhUmPoNFkii_cDM0+WX-5Epg@mail.gmail.com \
--to=peter.maydell@linaro.org \
--cc=Jonathan.Cameron@huawei.com \
--cc=fan.ni@samsung.com \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=vinayak.kh@samsung.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).