Re: [PULL 04/53] hw/cxl: Add clear poison mailbox command support.

2024-05-31 Thread Ira Weiny
Peter Maydell wrote:
> Ping! This looks like it should be an easy one-liner fix
> for a Coverity-detected read-from-bogus-memory bug --
> could one of the CXL folks have a look at it and send
> a patch, please ?

Done.  Jonathan, could you double check? I only compile tested.

I think you are correct and apologies for not seeing your report earlier.

Ira



Re: [PULL 04/53] hw/cxl: Add clear poison mailbox command support.

2024-05-31 Thread Peter Maydell
Ping! This looks like it should be an easy one-liner fix
for a Coverity-detected read-from-bogus-memory bug --
could one of the CXL folks have a look at it and send
a patch, please ?

thanks
-- PMM

On Fri, 3 May 2024 at 13:45, Peter Maydell  wrote:
>
> On Mon, 26 Jun 2023 at 13:28, Michael S. Tsirkin  wrote:
> >
> > From: Jonathan Cameron 
> >
> > Current implementation is very simple so many of the corner
> > cases do not exist (e.g. fragmenting larger poison list entries)
>
> Hi; Coverity has just spotted what looks like a bug in this
> function (CID 1544772) where we write bogus data from the host
> stack into guest memory):
>
> > diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
> > index ab600735eb..d751803188 100644
> > --- a/hw/mem/cxl_type3.c
> > +++ b/hw/mem/cxl_type3.c
> > @@ -947,6 +947,42 @@ static void set_lsa(CXLType3Dev *ct3d, const void 
> > *buf, uint64_t size,
> >   */
> >  }
> >
> > +static bool set_cacheline(CXLType3Dev *ct3d, uint64_t dpa_offset, uint8_t 
> > *data)
> > +{
> > +MemoryRegion *vmr = NULL, *pmr = NULL;
> > +AddressSpace *as;
> > +
> > +if (ct3d->hostvmem) {
> > +vmr = host_memory_backend_get_memory(ct3d->hostvmem);
> > +}
> > +if (ct3d->hostpmem) {
> > +pmr = host_memory_backend_get_memory(ct3d->hostpmem);
> > +}
> > +
> > +if (!vmr && !pmr) {
> > +return false;
> > +}
> > +
> > +if (dpa_offset + CXL_CACHE_LINE_SIZE > ct3d->cxl_dstate.mem_size) {
> > +return false;
> > +}
> > +
> > +if (vmr) {
> > +if (dpa_offset < memory_region_size(vmr)) {
> > +as = >hostvmem_as;
> > +} else {
> > +as = >hostpmem_as;
> > +dpa_offset -= memory_region_size(vmr);
> > +}
> > +} else {
> > +as = >hostpmem_as;
> > +}
> > +
> > +address_space_write(as, dpa_offset, MEMTXATTRS_UNSPECIFIED, ,
> > +CXL_CACHE_LINE_SIZE);
>
> We've passed '&data' to address_space_write(), which means
> "read from the address on the stack where the function
> argument 'data' lives", so instead of writing 64 bytes of
> data to the guest, we'll write 64 bytes which start with
> a host pointer value and then continue with whatever happens
> to be on the host stack after that.
>
> I assume the intention was "data", not "&data"...

thanks
-- PMM



Re: [PULL 04/53] hw/cxl: Add clear poison mailbox command support.

2024-05-03 Thread Peter Maydell
On Mon, 26 Jun 2023 at 13:28, Michael S. Tsirkin  wrote:
>
> From: Jonathan Cameron 
>
> Current implementation is very simple so many of the corner
> cases do not exist (e.g. fragmenting larger poison list entries)

Hi; Coverity has just spotted what looks like a bug in this
function (CID 1544772) where we write bogus data from the host
stack into guest memory):

> diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
> index ab600735eb..d751803188 100644
> --- a/hw/mem/cxl_type3.c
> +++ b/hw/mem/cxl_type3.c
> @@ -947,6 +947,42 @@ static void set_lsa(CXLType3Dev *ct3d, const void *buf, 
> uint64_t size,
>   */
>  }
>
> +static bool set_cacheline(CXLType3Dev *ct3d, uint64_t dpa_offset, uint8_t 
> *data)
> +{
> +MemoryRegion *vmr = NULL, *pmr = NULL;
> +AddressSpace *as;
> +
> +if (ct3d->hostvmem) {
> +vmr = host_memory_backend_get_memory(ct3d->hostvmem);
> +}
> +if (ct3d->hostpmem) {
> +pmr = host_memory_backend_get_memory(ct3d->hostpmem);
> +}
> +
> +if (!vmr && !pmr) {
> +return false;
> +}
> +
> +if (dpa_offset + CXL_CACHE_LINE_SIZE > ct3d->cxl_dstate.mem_size) {
> +return false;
> +}
> +
> +if (vmr) {
> +if (dpa_offset < memory_region_size(vmr)) {
> +as = >hostvmem_as;
> +} else {
> +as = >hostpmem_as;
> +dpa_offset -= memory_region_size(vmr);
> +}
> +} else {
> +as = >hostpmem_as;
> +}
> +
> +address_space_write(as, dpa_offset, MEMTXATTRS_UNSPECIFIED, ,
> +CXL_CACHE_LINE_SIZE);

We've passed '&data' to address_space_write(), which means
"read from the address on the stack where the function
argument 'data' lives", so instead of writing 64 bytes of
data to the guest, we'll write 64 bytes which start with
a host pointer value and then continue with whatever happens
to be on the host stack after that.

I assume the intention was "data", not "&data"...

thanks
-- PMM



[PULL 04/53] hw/cxl: Add clear poison mailbox command support.

2023-06-26 Thread Michael S. Tsirkin
From: Jonathan Cameron 

Current implementation is very simple so many of the corner
cases do not exist (e.g. fragmenting larger poison list entries)

Reviewed-by: Fan Ni 
Reviewed-by: Ira Weiny 
Signed-off-by: Jonathan Cameron 
Message-Id: <20230526170010.574-5-jonathan.came...@huawei.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 include/hw/cxl/cxl_device.h |  1 +
 hw/cxl/cxl-mailbox-utils.c  | 82 +
 hw/mem/cxl_type3.c  | 37 +
 3 files changed, 120 insertions(+)

diff --git a/include/hw/cxl/cxl_device.h b/include/hw/cxl/cxl_device.h
index 32c234ea91..73328a52cf 100644
--- a/include/hw/cxl/cxl_device.h
+++ b/include/hw/cxl/cxl_device.h
@@ -298,6 +298,7 @@ struct CXLType3Class {
 uint64_t offset);
 void (*set_lsa)(CXLType3Dev *ct3d, const void *buf, uint64_t size,
 uint64_t offset);
+bool (*set_cacheline)(CXLType3Dev *ct3d, uint64_t dpa_offset, uint8_t 
*data);
 };
 
 MemTxResult cxl_type3_read(PCIDevice *d, hwaddr host_addr, uint64_t *data,
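Review bot: The new `set_cacheline` class hook is declared without any comment stating its contract, so a reader of the header cannot tell what a false return means or who validates `dpa_offset`. From the hw/mem/cxl_type3.c implementation in this series it appears to return false when the device has neither a volatile nor a persistent backend or when the line would fall past `mem_size`, and the mailbox caller maps false to `CXL_MBOX_INTERNAL_ERROR`. A one-line comment above the declaration, such as `/* Write one CXL_CACHE_LINE_SIZE line from data at dpa_offset; false if no backing memory or out of range */`, would make that explicit. The declaration is split over two lines here only by mail wrapping.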
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 6c476ad7f4..e3401b6be8 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c
@@ -65,6 +65,7 @@ enum {
 MEDIA_AND_POISON = 0x43,
 #define GET_POISON_LIST0x0
 #define INJECT_POISON  0x1
+#define CLEAR_POISON   0x2
 };
 
 /* 8.2.8.4.5.1 Command Return Codes */
@@ -512,6 +513,85 @@ static CXLRetCode cmd_media_inject_poison(struct cxl_cmd 
*cmd,
 return CXL_MBOX_SUCCESS;
 }
 
+static CXLRetCode cmd_media_clear_poison(struct cxl_cmd *cmd,
+ CXLDeviceState *cxl_dstate,
+ uint16_t *len_unused)
+{
+CXLType3Dev *ct3d = container_of(cxl_dstate, CXLType3Dev, cxl_dstate);
+CXLPoisonList *poison_list = >poison_list;
+CXLType3Class *cvc = CXL_TYPE3_GET_CLASS(ct3d);
+struct clear_poison_pl {
+uint64_t dpa;
+uint8_t data[64];
+};
+CXLPoison *ent;
+uint64_t dpa;
+
+struct clear_poison_pl *in = (void *)cmd->payload;
+
+dpa = ldq_le_p(>dpa);
+if (dpa + CXL_CACHE_LINE_SIZE > cxl_dstate->mem_size) {
+return CXL_MBOX_INVALID_PA;
+}
+
+/* Clearing a region with no poison is not an error so always do so */
+if (cvc->set_cacheline) {
+if (!cvc->set_cacheline(ct3d, dpa, in->data)) {
+return CXL_MBOX_INTERNAL_ERROR;
+}
+}
+
+QLIST_FOREACH(ent, poison_list, node) {
+/*
+ * Test for contained in entry. Simpler than general case
+ * as clearing 64 bytes and entries 64 byte aligned
+ */
+if ((dpa >= ent->start) && (dpa < ent->start + ent->length)) {
+break;
+}
+}
+if (!ent) {
+return CXL_MBOX_SUCCESS;
+}
+
+QLIST_REMOVE(ent, node);
+ct3d->poison_list_cnt--;
+
+if (dpa > ent->start) {
+CXLPoison *frag;
+/* Cannot overflow as replacing existing entry */
+
+frag = g_new0(CXLPoison, 1);
+
+frag->start = ent->start;
+frag->length = dpa - ent->start;
+frag->type = ent->type;
+
+QLIST_INSERT_HEAD(poison_list, frag, node);
+ct3d->poison_list_cnt++;
+}
+
+if (dpa + CXL_CACHE_LINE_SIZE < ent->start + ent->length) {
+CXLPoison *frag;
+
+if (ct3d->poison_list_cnt == CXL_POISON_LIST_LIMIT) {
+cxl_set_poison_list_overflowed(ct3d);
+} else {
+frag = g_new0(CXLPoison, 1);
+
+frag->start = dpa + CXL_CACHE_LINE_SIZE;
+frag->length = ent->start + ent->length - frag->start;
+frag->type = ent->type;
+QLIST_INSERT_HEAD(poison_list, frag, node);
+ct3d->poison_list_cnt++;
+}
+}
+/* Any fragments have been added, free original entry */
+g_free(ent);
+
+return CXL_MBOX_SUCCESS;
+}
+
 #define IMMEDIATE_CONFIG_CHANGE (1 << 1)
 #define IMMEDIATE_DATA_CHANGE (1 << 2)
 #define IMMEDIATE_POLICY_CHANGE (1 << 3)
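Review bot: The range check on the guest-supplied `dpa`, `if (dpa + CXL_CACHE_LINE_SIZE > cxl_dstate->mem_size)`, can be bypassed by unsigned wraparound: a uint64_t value within 64 bytes of UINT64_MAX makes the sum wrap to a small number, the check passes, and the command proceeds into `set_cacheline` and the poison-list walk with an address far beyond `mem_size`. The same expression is repeated inside `set_cacheline` in the hw/mem/cxl_type3.c hunk and wraps identically, so neither layer catches it. The fragmentation code below also relies on its own stated assumption that entries are 64-byte aligned, yet an unaligned `dpa` is accepted and yields fragments whose `start`/`length` are no longer cache-line multiples. Rewriting the check as `if (dpa >= cxl_dstate->mem_size || cxl_dstate->mem_size - dpa < CXL_CACHE_LINE_SIZE || (dpa & (CXL_CACHE_LINE_SIZE - 1))) { return CXL_MBOX_INVALID_PA; }` closes both gaps without touching the later logic.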
@@ -543,6 +623,8 @@ static struct cxl_cmd cxl_cmd_set[256][256] = {
 cmd_media_get_poison_list, 16, 0 },
 [MEDIA_AND_POISON][INJECT_POISON] = { "MEDIA_AND_POISON_INJECT_POISON",
 cmd_media_inject_poison, 8, 0 },
+[MEDIA_AND_POISON][CLEAR_POISON] = { "MEDIA_AND_POISON_CLEAR_POISON",
+cmd_media_clear_poison, 72, 0 },
 };
 
 void cxl_process_mailbox(CXLDeviceState *cxl_dstate)
diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
index ab600735eb..d751803188 100644
--- a/hw/mem/cxl_type3.c
+++ b/hw/mem/cxl_type3.c
@@ -947,6 +947,42 @@ static void set_lsa(CXLType3Dev *ct3d, const void *buf, 
uint64_t size,
  */
 }
 
+static bool set_cacheline(CXLType3Dev *ct3d, uint64_t dpa_offset, uint8_t 
*data)
+{
+MemoryRegion *vmr = NULL, *pmr = NULL;
+AddressSpace *as;
+
+if (ct3d->hostvmem) {
+vmr =