From: Jia Jia
To: qemu-devel@nongnu.org
Cc: Jonathan Cameron, Jonathan Cameron, Fan Ni, Fabiano Rosas, Laurent Vivier, Paolo Bonzini, linux-cxl@vger.kernel.org
Subject: [PATCH v3 1/2] hw/cxl: factor Set Feature write bounds helper
Date: Thu, 28 May 2026 13:55:24 +0800
References: <20260429152750.2409174-1-physicalmtea@gmail.com>

c1c4d6b38b13 added the same offset + length validation twice in
cmd_features_set_feature(), once for patrol scrub and once for ECS.
Factor that logic into a small helper so later patches can reuse the
same check for the other Set Feature write-attribute branches.

No functional change intended.

Signed-off-by: Jia Jia
---
 hw/cxl/cxl-mailbox-utils.c | 40 ++++++++++++++++++++++++++------------
 1 file changed, 28 insertions(+), 12 deletions(-)
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index d8ba7e8625..2e4cc5824d 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c @@ -1702,6 +1702,21 @@ static CXLRetCode cmd_features_get_feature(const str= uct cxl_cmd *cmd, return CXL_MBOX_SUCCESS; } =20 +static CXLRetCode cxl_set_feature_copy(void *write_attrs, + size_t write_attrs_size, + uint16_t offset, + const void *payload, + uint16_t bytes_to_copy) +{ + if ((uint32_t)offset + bytes_to_copy > write_attrs_size) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + + memcpy((uint8_t *)write_attrs + offset, payload, bytes_to_copy); + + return CXL_MBOX_SUCCESS; +} + /* CXL r3.1 section 8.2.9.6.3: Set Feature (Opcode 0502h) */ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd, uint8_t *payload_in, @@ -1713,6 +1728,7 @@ static CXLRetCode cmd_features_set_feature(const stru= ct cxl_cmd *cmd, CXLSetFeatureInHeader *hdr =3D (void *)payload_in; CXLSetFeatureInfo *set_feat_info; uint16_t bytes_to_copy =3D 0; + CXLRetCode ret; uint8_t data_transfer_flag; CXLType3Dev *ct3d; uint16_t count; @@ -1760,13 +1776,13 @@ static CXLRetCode cmd_features_set_feature(const st= ruct cxl_cmd *cmd, return CXL_MBOX_UNSUPPORTED; } =20 - if ((uint32_t)hdr->offset + bytes_to_copy > - sizeof(ct3d->patrol_scrub_wr_attrs)) { - return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + ret =3D cxl_set_feature_copy(&ct3d->patrol_scrub_wr_attrs, + sizeof(ct3d->patrol_scrub_wr_attrs), + hdr->offset, ps_write_attrs, + bytes_to_copy); + if (ret) { + return ret; } - memcpy((uint8_t *)&ct3d->patrol_scrub_wr_attrs + hdr->offset, - ps_write_attrs, - bytes_to_copy); set_feat_info->data_size +=3D bytes_to_copy; =20 if (data_transfer_flag =3D=3D CXL_SET_FEATURE_FLAG_FULL_DATA_TRANS= FER || 
@@ -1787,13 +1803,13 @@ static CXLRetCode cmd_features_set_feature(const st= ruct cxl_cmd *cmd, return CXL_MBOX_UNSUPPORTED; } =20 - if ((uint32_t)hdr->offset + bytes_to_copy > - sizeof(ct3d->ecs_wr_attrs)) { - return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + ret =3D cxl_set_feature_copy(&ct3d->ecs_wr_attrs, + sizeof(ct3d->ecs_wr_attrs), + hdr->offset, ecs_write_attrs, + bytes_to_copy); + if (ret) { + return ret; } - memcpy((uint8_t *)&ct3d->ecs_wr_attrs + hdr->offset, - ecs_write_attrs, - bytes_to_copy); set_feat_info->data_size +=3D bytes_to_copy; =20 if (data_transfer_flag =3D=3D CXL_SET_FEATURE_FLAG_FULL_DATA_TRANS= FER || --=20 2.34.1
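Review bot: the new cxl_set_feature_copy() in the first hunk carries no comment saying what it guards; a one-line comment above it stating that it refuses any write where offset + bytes_to_copy exceeds the write-attribute object, before any memory is touched, would help the further callers this series adds. The (uint32_t) cast on offset is worth keeping and worth a word in that comment: uint16_t operands already promote to int, so the cast is there to make the no-wrap intent explicit rather than to change the arithmetic.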
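Review bot: both call-site hunks test the helper's result with `if (ret)`, which depends on CXL_MBOX_SUCCESS being zero; `if (ret != CXL_MBOX_SUCCESS)` says the same thing without relying on the enum value and mirrors the explicit `return CXL_MBOX_SUCCESS` in the helper. Also worth a sentence in the commit message: the helper bounds only the destination object, so bytes_to_copy must still be bounded against the received payload length at the call site, and that check is not visible in these hunks.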
From: Jia Jia
To: qemu-devel@nongnu.org
Cc: Jonathan Cameron, Jonathan Cameron, Fan Ni, Fabiano Rosas, Laurent Vivier, Paolo Bonzini, linux-cxl@vger.kernel.org, qemu-stable@nongnu.org
Subject: [PATCH v3 2/2] hw/cxl: validate PPR and sparing Set Feature writes
Date: Thu, 28 May 2026 13:55:25 +0800
Message-Id: <61025cb5676b04afcfd7c4cc16904c95564c7a48.1779946245.git.physicalmtea@gmail.com>
References: <20260429152750.2409174-1-physicalmtea@gmail.com>

The Post Package Repair and memory sparing Set Feature branches still
copy mailbox payload data into fixed-size write-attribute objects
without checking that hdr->offset + bytes_to_copy stays within the
target buffer. Patrol scrub and ECS already reject oversized writes,
but the later PPR and sparing feature additions missed the same
validation.
A full mailbox payload can therefore overrun the target write-attribute
object, for example in the rank sparing branch. Use
cxl_set_feature_copy() there as well and return
CXL_MBOX_INVALID_PAYLOAD_LENGTH for oversized requests.

Fixes: 5e5a86bab83 ("hw/cxl: Add support for Maintenance command and Post Package Repair (PPR)")
Fixes: da5cafdc4dd ("hw/cxl: Add emulation for memory sparing control feature")
Link: https://gitlab.com/qemu-project/qemu/-/work_items/3458
Cc: qemu-stable@nongnu.org
Signed-off-by: Jia Jia
---
 hw/cxl/cxl-mailbox-utils.c | 54 +++++++++++++++++++++++++++++---------
 1 file changed, 42 insertions(+), 12 deletions(-)

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 2e4cc5824d..4c7a083e4c 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c @@ -1829,8 +1829,13 @@ static CXLRetCode cmd_features_set_feature(const str= uct cxl_cmd *cmd, return CXL_MBOX_UNSUPPORTED; } =20 - memcpy((uint8_t *)&ct3d->soft_ppr_wr_attrs + hdr->offset, - sppr_write_attrs, bytes_to_copy); + ret =3D cxl_set_feature_copy(&ct3d->soft_ppr_wr_attrs, + sizeof(ct3d->soft_ppr_wr_attrs), + hdr->offset, sppr_write_attrs, + bytes_to_copy); + if (ret) { + return ret; + } set_feat_info->data_size +=3D bytes_to_copy; =20 if (data_transfer_flag =3D=3D CXL_SET_FEATURE_FLAG_FULL_DATA_TRANS= FER || @@ -1848,8 +1853,13 @@ static CXLRetCode cmd_features_set_feature(const str= uct cxl_cmd *cmd, return CXL_MBOX_UNSUPPORTED; } =20 - memcpy((uint8_t *)&ct3d->hard_ppr_wr_attrs + hdr->offset, - hppr_write_attrs, bytes_to_copy); + ret =3D cxl_set_feature_copy(&ct3d->hard_ppr_wr_attrs, + sizeof(ct3d->hard_ppr_wr_attrs), + hdr->offset, hppr_write_attrs, + bytes_to_copy); + if (ret) { + return ret; + } set_feat_info->data_size +=3D bytes_to_copy; =20 if (data_transfer_flag =3D=3D CXL_SET_FEATURE_FLAG_FULL_DATA_TRANS= FER ||
@@ -1867,8 +1877,13 @@ static CXLRetCode cmd_features_set_feature(const str= uct cxl_cmd *cmd, return CXL_MBOX_UNSUPPORTED; } =20 - memcpy((uint8_t *)&ct3d->cacheline_sparing_wr_attrs + hdr->offset, - mem_sparing_write_attrs, bytes_to_copy); + ret =3D cxl_set_feature_copy(&ct3d->cacheline_sparing_wr_attrs, + sizeof(ct3d->cacheline_sparing_wr_attrs= ), + hdr->offset, mem_sparing_write_attrs, + bytes_to_copy); + if (ret) { + return ret; + } set_feat_info->data_size +=3D bytes_to_copy; =20 if (data_transfer_flag =3D=3D CXL_SET_FEATURE_FLAG_FULL_DATA_TRANS= FER || @@ -1885,8 +1900,13 @@ static CXLRetCode cmd_features_set_feature(const str= uct cxl_cmd *cmd, return CXL_MBOX_UNSUPPORTED; } =20 - memcpy((uint8_t *)&ct3d->row_sparing_wr_attrs + hdr->offset, - mem_sparing_write_attrs, bytes_to_copy); + ret =3D cxl_set_feature_copy(&ct3d->row_sparing_wr_attrs, + sizeof(ct3d->row_sparing_wr_attrs), + hdr->offset, mem_sparing_write_attrs, + bytes_to_copy); + if (ret) { + return ret; + } set_feat_info->data_size +=3D bytes_to_copy; =20 if (data_transfer_flag =3D=3D CXL_SET_FEATURE_FLAG_FULL_DATA_TRANS= FER || @@ -1903,8 +1923,13 @@ static CXLRetCode cmd_features_set_feature(const str= uct cxl_cmd *cmd, return CXL_MBOX_UNSUPPORTED; } =20 - memcpy((uint8_t *)&ct3d->bank_sparing_wr_attrs + hdr->offset, - mem_sparing_write_attrs, bytes_to_copy); + ret =3D cxl_set_feature_copy(&ct3d->bank_sparing_wr_attrs, + sizeof(ct3d->bank_sparing_wr_attrs), + hdr->offset, mem_sparing_write_attrs, + bytes_to_copy); + if (ret) { + return ret; + } set_feat_info->data_size +=3D bytes_to_copy; =20 if (data_transfer_flag =3D=3D CXL_SET_FEATURE_FLAG_FULL_DATA_TRANS= FER || 
@@ -1921,8 +1946,13 @@ static CXLRetCode cmd_features_set_feature(const str= uct cxl_cmd *cmd, return CXL_MBOX_UNSUPPORTED; } =20 - memcpy((uint8_t *)&ct3d->rank_sparing_wr_attrs + hdr->offset, - mem_sparing_write_attrs, bytes_to_copy); + ret =3D cxl_set_feature_copy(&ct3d->rank_sparing_wr_attrs, + sizeof(ct3d->rank_sparing_wr_attrs), + hdr->offset, mem_sparing_write_attrs, + bytes_to_copy); + if (ret) { + return ret; + } set_feat_info->data_size +=3D bytes_to_copy; =20 if (data_transfer_flag =3D=3D CXL_SET_FEATURE_FLAG_FULL_DATA_TRANS= FER || --=20 2.34.1
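Review bot: in every hunk the copy is refused before `set_feat_info->data_size +=3D bytes_to_copy` runs, so a rejected chunk does not inflate the accounted size, which is the right order. One question for the multi-part path: when a later chunk of a transfer is rejected, the bytes that earlier chunks already copied into the write-attribute object stay in place and data_size keeps its earlier value; if the transfer is meant to be abandoned at that point, the error return would also need to reset set_feat_info, and either way a sentence in the commit message on what a rejected chunk leaves behind would help. A regression test that sends an oversized rank sparing write, the case the commit message names, would pin the fix down for stable.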
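An added example, not QEMU's code, that models the bounds check the two commit messages describe: the helper keeps the shape of cxl_set_feature_copy() from patch 1, while the WrAttrs object and its 8-byte size, the Chunk driver and the MboxRet values are assumptions. It runs a two-chunk transfer whose second chunk would overrun the object and shows what the check leaves behind.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for QEMU's CXLRetCode; the numeric values are assumed. */
typedef enum {
    MBOX_SUCCESS = 0,
    MBOX_INVALID_PAYLOAD_LENGTH = 0x16,
} MboxRet;

/* Fixed-size write-attribute object like rank_sparing_wr_attrs (8 bytes assumed). */
typedef struct { uint8_t raw[8]; } WrAttrs;

/* Same shape as the helper factored out in patch 1: reject a chunk that would
 * run past the object before touching any memory. */
static MboxRet set_feature_copy(void *write_attrs, size_t write_attrs_size,
                                uint16_t offset, const void *payload,
                                uint16_t bytes_to_copy)
{
    if ((uint32_t)offset + bytes_to_copy > write_attrs_size) {
        return MBOX_INVALID_PAYLOAD_LENGTH;
    }
    memcpy((uint8_t *)write_attrs + offset, payload, bytes_to_copy);
    return MBOX_SUCCESS;
}

/* One chunk of a possibly multi-part Set Feature transfer (constructed input). */
typedef struct {
    uint16_t offset;
    uint16_t len;
    const uint8_t *data;
} Chunk;

/* Apply chunks in order as the call sites do: stop at the first rejected chunk
 * and leave data_size at the number of bytes accepted before it. */
static MboxRet apply_chunks(WrAttrs *attrs, const Chunk *chunks, size_t n,
                            size_t *data_size)
{
    *data_size = 0;
    for (size_t i = 0; i < n; i++) {
        MboxRet ret = set_feature_copy(attrs, sizeof(*attrs), chunks[i].offset,
                                       chunks[i].data, chunks[i].len);
        if (ret != MBOX_SUCCESS) {
            return ret;
        }
        *data_size += chunks[i].len;
    }
    return MBOX_SUCCESS;
}

/* Overrun scenario: the second chunk claims 6 bytes at offset 4 of an 8-byte
 * object. Without the check the memcpy would write 2 bytes past the object;
 * with it the chunk is refused and the 4 bytes already accepted stay. */
static MboxRet overrun_case(WrAttrs *attrs, size_t *data_size)
{
    static const uint8_t a[4] = {1, 2, 3, 4}, b[6] = {5, 6, 7, 8, 9, 10};
    const Chunk chunks[] = {{0, 4, a}, {4, 6, b}};
    memset(attrs, 0, sizeof(*attrs));
    return apply_chunks(attrs, chunks, 2, data_size);
}
```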