* Re: [PATCH] hw/cxl: Fix read from bogus memory
2024-05-31 16:22 [PATCH] hw/cxl: Fix read from bogus memory Ira Weiny
@ 2024-05-31 16:29 ` Peter Maydell
2024-06-02 19:25 ` Michael S. Tsirkin
` (2 subsequent siblings)
3 siblings, 0 replies; 7+ messages in thread
From: Peter Maydell @ 2024-05-31 16:29 UTC (permalink / raw)
To: Ira Weiny; +Cc: Michael S. Tsirkin, Jonathan Cameron, qemu-devel, Fan Ni
On Fri, 31 May 2024 at 17:22, Ira Weiny <ira.weiny@intel.com> wrote:
>
> Peter and coverity report:
>
> We've passed '&data' to address_space_write(), which means "read
> from the address on the stack where the function argument 'data'
> lives", so instead of writing 64 bytes of data to the guest ,
> we'll write 64 bytes which start with a host pointer value and
> then continue with whatever happens to be on the host stack
> after that.
>
> Indeed the intention was to write 64 bytes of data at the address given.
>
> Fix the parameter to address_space_write().
>
Coverity CID: 1544772
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Link: https://lore.kernel.org/all/CAFEAcA-u4sytGwTKsb__Y+_+0O2-WwARntm3x8WNhvL1WfHOBg@mail.gmail.com/
> Fixes: 6bda41a69bdc ("hw/cxl: Add clear poison mailbox command support.")
> Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> Signed-off-by: Ira Weiny <ira.weiny@intel.com>
> ---
> Compile tested only. Jonathan please double check me.
> ---
> hw/mem/cxl_type3.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
> index 3e42490b6ce8..582412d9925f 100644
> --- a/hw/mem/cxl_type3.c
> +++ b/hw/mem/cxl_type3.c
> @@ -1025,7 +1025,7 @@ static bool set_cacheline(CXLType3Dev *ct3d, uint64_t dpa_offset, uint8_t *data)
> as = &ct3d->hostpmem_as;
> }
>
> - address_space_write(as, dpa_offset, MEMTXATTRS_UNSPECIFIED, &data,
> + address_space_write(as, dpa_offset, MEMTXATTRS_UNSPECIFIED, data,
> CXL_CACHE_LINE_SIZE);
> return true;
> }
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
thanks
-- PMM
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] hw/cxl: Fix read from bogus memory
2024-05-31 16:22 [PATCH] hw/cxl: Fix read from bogus memory Ira Weiny
2024-05-31 16:29 ` Peter Maydell
@ 2024-06-02 19:25 ` Michael S. Tsirkin
2024-06-03 11:57 ` Jonathan Cameron via
2024-06-03 12:53 ` Philippe Mathieu-Daudé
3 siblings, 0 replies; 7+ messages in thread
From: Michael S. Tsirkin @ 2024-06-02 19:25 UTC (permalink / raw)
To: Ira Weiny; +Cc: Jonathan Cameron, qemu-devel, Fan Ni, Peter Maydell
On Fri, May 31, 2024 at 11:22:05AM -0500, Ira Weiny wrote:
> Peter and coverity report:
>
> We've passed '&data' to address_space_write(), which means "read
> from the address on the stack where the function argument 'data'
> lives", so instead of writing 64 bytes of data to the guest ,
> we'll write 64 bytes which start with a host pointer value and
> then continue with whatever happens to be on the host stack
> after that.
>
> Indeed the intention was to write 64 bytes of data at the address given.
>
> Fix the parameter to address_space_write().
>
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Link: https://lore.kernel.org/all/CAFEAcA-u4sytGwTKsb__Y+_+0O2-WwARntm3x8WNhvL1WfHOBg@mail.gmail.com/
> Fixes: 6bda41a69bdc ("hw/cxl: Add clear poison mailbox command support.")
> Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> Signed-off-by: Ira Weiny <ira.weiny@intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
I'll queue it for the next pull which should go out soonish.
> ---
> Compile tested only. Jonathan please double check me.
> ---
> hw/mem/cxl_type3.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
> index 3e42490b6ce8..582412d9925f 100644
> --- a/hw/mem/cxl_type3.c
> +++ b/hw/mem/cxl_type3.c
> @@ -1025,7 +1025,7 @@ static bool set_cacheline(CXLType3Dev *ct3d, uint64_t dpa_offset, uint8_t *data)
> as = &ct3d->hostpmem_as;
> }
>
> - address_space_write(as, dpa_offset, MEMTXATTRS_UNSPECIFIED, &data,
> + address_space_write(as, dpa_offset, MEMTXATTRS_UNSPECIFIED, data,
> CXL_CACHE_LINE_SIZE);
> return true;
> }
>
> ---
> base-commit: 3b2fe44bb7f605f179e5e7feb2c13c2eb3abbb80
> change-id: 20240531-fix-poison-set-cacheline-e32bc1e74b27
>
> Best regards,
> --
> Ira Weiny <ira.weiny@intel.com>
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] hw/cxl: Fix read from bogus memory
2024-05-31 16:22 [PATCH] hw/cxl: Fix read from bogus memory Ira Weiny
2024-05-31 16:29 ` Peter Maydell
2024-06-02 19:25 ` Michael S. Tsirkin
@ 2024-06-03 11:57 ` Jonathan Cameron via
2024-06-03 12:53 ` Philippe Mathieu-Daudé
3 siblings, 0 replies; 7+ messages in thread
From: Jonathan Cameron via @ 2024-06-03 11:57 UTC (permalink / raw)
To: Ira Weiny; +Cc: Michael S. Tsirkin, qemu-devel, Fan Ni, Peter Maydell
On Fri, 31 May 2024 11:22:05 -0500
Ira Weiny <ira.weiny@intel.com> wrote:
> Peter and coverity report:
>
> We've passed '&data' to address_space_write(), which means "read
> from the address on the stack where the function argument 'data'
> lives", so instead of writing 64 bytes of data to the guest ,
> we'll write 64 bytes which start with a host pointer value and
> then continue with whatever happens to be on the host stack
> after that.
>
> Indeed the intention was to write 64 bytes of data at the address given.
>
> Fix the parameter to address_space_write().
>
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Link: https://lore.kernel.org/all/CAFEAcA-u4sytGwTKsb__Y+_+0O2-WwARntm3x8WNhvL1WfHOBg@mail.gmail.com/
> Fixes: 6bda41a69bdc ("hw/cxl: Add clear poison mailbox command support.")
> Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> Signed-off-by: Ira Weiny <ira.weiny@intel.com>
> ---
> Compile tested only. Jonathan please double check me.
Looks good to me.
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> ---
> hw/mem/cxl_type3.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
> index 3e42490b6ce8..582412d9925f 100644
> --- a/hw/mem/cxl_type3.c
> +++ b/hw/mem/cxl_type3.c
> @@ -1025,7 +1025,7 @@ static bool set_cacheline(CXLType3Dev *ct3d, uint64_t dpa_offset, uint8_t *data)
> as = &ct3d->hostpmem_as;
> }
>
> - address_space_write(as, dpa_offset, MEMTXATTRS_UNSPECIFIED, &data,
> + address_space_write(as, dpa_offset, MEMTXATTRS_UNSPECIFIED, data,
> CXL_CACHE_LINE_SIZE);
> return true;
> }
>
> ---
> base-commit: 3b2fe44bb7f605f179e5e7feb2c13c2eb3abbb80
> change-id: 20240531-fix-poison-set-cacheline-e32bc1e74b27
>
> Best regards,
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] hw/cxl: Fix read from bogus memory
2024-05-31 16:22 [PATCH] hw/cxl: Fix read from bogus memory Ira Weiny
` (2 preceding siblings ...)
2024-06-03 11:57 ` Jonathan Cameron via
@ 2024-06-03 12:53 ` Philippe Mathieu-Daudé
2024-06-03 15:05 ` Michael S. Tsirkin
3 siblings, 1 reply; 7+ messages in thread
From: Philippe Mathieu-Daudé @ 2024-06-03 12:53 UTC (permalink / raw)
To: Ira Weiny, Michael S. Tsirkin, Jonathan Cameron
Cc: qemu-devel, Fan Ni, Peter Maydell
On 31/5/24 18:22, Ira Weiny wrote:
> Peter and coverity report:
>
> We've passed '&data' to address_space_write(), which means "read
> from the address on the stack where the function argument 'data'
> lives", so instead of writing 64 bytes of data to the guest ,
> we'll write 64 bytes which start with a host pointer value and
> then continue with whatever happens to be on the host stack
> after that.
>
> Indeed the intention was to write 64 bytes of data at the address given.
>
> Fix the parameter to address_space_write().
>
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Link: https://lore.kernel.org/all/CAFEAcA-u4sytGwTKsb__Y+_+0O2-WwARntm3x8WNhvL1WfHOBg@mail.gmail.com/
> Fixes: 6bda41a69bdc ("hw/cxl: Add clear poison mailbox command support.")
> Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> Signed-off-by: Ira Weiny <ira.weiny@intel.com>
> ---
> Compile tested only. Jonathan please double check me.
> ---
> hw/mem/cxl_type3.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Thanks, patch queued.
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] hw/cxl: Fix read from bogus memory
2024-06-03 12:53 ` Philippe Mathieu-Daudé
@ 2024-06-03 15:05 ` Michael S. Tsirkin
2024-06-03 15:10 ` Philippe Mathieu-Daudé
0 siblings, 1 reply; 7+ messages in thread
From: Michael S. Tsirkin @ 2024-06-03 15:05 UTC (permalink / raw)
To: Philippe Mathieu-Daudé
Cc: Ira Weiny, Jonathan Cameron, qemu-devel, Fan Ni, Peter Maydell
On Mon, Jun 03, 2024 at 02:53:35PM +0200, Philippe Mathieu-Daudé wrote:
> On 31/5/24 18:22, Ira Weiny wrote:
> > Peter and coverity report:
> >
> > We've passed '&data' to address_space_write(), which means "read
> > from the address on the stack where the function argument 'data'
> > lives", so instead of writing 64 bytes of data to the guest ,
> > we'll write 64 bytes which start with a host pointer value and
> > then continue with whatever happens to be on the host stack
> > after that.
> >
> > Indeed the intention was to write 64 bytes of data at the address given.
> >
> > Fix the parameter to address_space_write().
> >
> > Reported-by: Peter Maydell <peter.maydell@linaro.org>
> > Link: https://lore.kernel.org/all/CAFEAcA-u4sytGwTKsb__Y+_+0O2-WwARntm3x8WNhvL1WfHOBg@mail.gmail.com/
> > Fixes: 6bda41a69bdc ("hw/cxl: Add clear poison mailbox command support.")
> > Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> > Signed-off-by: Ira Weiny <ira.weiny@intel.com>
> > ---
> > Compile tested only. Jonathan please double check me.
> > ---
> > hw/mem/cxl_type3.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Thanks, patch queued.
Had it queued too but sure, I can drop.
--
MST
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] hw/cxl: Fix read from bogus memory
2024-06-03 15:05 ` Michael S. Tsirkin
@ 2024-06-03 15:10 ` Philippe Mathieu-Daudé
0 siblings, 0 replies; 7+ messages in thread
From: Philippe Mathieu-Daudé @ 2024-06-03 15:10 UTC (permalink / raw)
To: Michael S. Tsirkin
Cc: Ira Weiny, Jonathan Cameron, qemu-devel, Fan Ni, Peter Maydell
On 3/6/24 17:05, Michael S. Tsirkin wrote:
> On Mon, Jun 03, 2024 at 02:53:35PM +0200, Philippe Mathieu-Daudé wrote:
>> On 31/5/24 18:22, Ira Weiny wrote:
>>> Peter and coverity report:
>>>
>>> We've passed '&data' to address_space_write(), which means "read
>>> from the address on the stack where the function argument 'data'
>>> lives", so instead of writing 64 bytes of data to the guest ,
>>> we'll write 64 bytes which start with a host pointer value and
>>> then continue with whatever happens to be on the host stack
>>> after that.
>>>
>>> Indeed the intention was to write 64 bytes of data at the address given.
>>>
>>> Fix the parameter to address_space_write().
>>>
>>> Reported-by: Peter Maydell <peter.maydell@linaro.org>
>>> Link: https://lore.kernel.org/all/CAFEAcA-u4sytGwTKsb__Y+_+0O2-WwARntm3x8WNhvL1WfHOBg@mail.gmail.com/
>>> Fixes: 6bda41a69bdc ("hw/cxl: Add clear poison mailbox command support.")
>>> Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
>>> Signed-off-by: Ira Weiny <ira.weiny@intel.com>
>>> ---
>>> Compile tested only. Jonathan please double check me.
>>> ---
>>> hw/mem/cxl_type3.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> Thanks, patch queued.
>
> Had it queued too but sure, I can drop.
Sorry I didn't notice that along with your R-b tag, my bad.
Don't modify your branch, I'm dropping it.
Regards,
Phil.
^ permalink raw reply [flat|nested] 7+ messages in thread