Re: [PULL 04/53] hw/cxl: Add clear poison mailbox command support.
Peter Maydell wrote: > Ping! This looks like it should be an easy one-liner fix > for a Coverity-detected read-from-bogus-memory bug -- > could one of the CXL folks have a look at it and send > a patch, please ? Done. Jonathan, could you double check? I only compile tested. I think you are correct, and apologies for not seeing your report earlier. Ira
Re: [PULL 04/53] hw/cxl: Add clear poison mailbox command support.
Ping! This looks like it should be an easy one-liner fix for a Coverity-detected read-from-bogus-memory bug -- could one of the CXL folks have a look at it and send a patch, please ? thanks -- PMM On Fri, 3 May 2024 at 13:45, Peter Maydell wrote: > > On Mon, 26 Jun 2023 at 13:28, Michael S. Tsirkin wrote: > > > > From: Jonathan Cameron > > > > Current implementation is very simple so many of the corner > > cases do not exist (e.g. fragmenting larger poison list entries) > > Hi; Coverity has just spotted what looks like a bug in this > function (CID 1544772) where we write bogus data from the host > stack into guest memory): > > > diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c > > index ab600735eb..d751803188 100644 > > --- a/hw/mem/cxl_type3.c > > +++ b/hw/mem/cxl_type3.c 
> > @@ -947,6 +947,42 @@ static void set_lsa(CXLType3Dev *ct3d, const void > > *buf, uint64_t size, > > */ > > } > > > > +static bool set_cacheline(CXLType3Dev *ct3d, uint64_t dpa_offset, uint8_t > > *data) > > +{ > > +MemoryRegion *vmr = NULL, *pmr = NULL; > > +AddressSpace *as; > > + > > +if (ct3d->hostvmem) { > > +vmr = host_memory_backend_get_memory(ct3d->hostvmem); > > +} > > +if (ct3d->hostpmem) { > > +pmr = host_memory_backend_get_memory(ct3d->hostpmem); > > +} > > + > > +if (!vmr && !pmr) { > > +return false; > > +} > > + > > +if (dpa_offset + CXL_CACHE_LINE_SIZE > ct3d->cxl_dstate.mem_size) { > > +return false; > > +} > > + > > +if (vmr) { > > +if (dpa_offset < memory_region_size(vmr)) { > > +as = >hostvmem_as; > > +} else { > > +as = >hostpmem_as; > > +dpa_offset -= memory_region_size(vmr); > > +} > > +} else { > > +as = >hostpmem_as; > > +} > > + > > +address_space_write(as, dpa_offset, MEMTXATTRS_UNSPECIFIED, , > > +CXL_CACHE_LINE_SIZE); > > We've passed '' to address_space_write(), which means > "read from the address on the stack where the function > argument 'data' lives", so instead of writing 64 bytes of > data to the guest , we'll write 64 bytes which start with > a host pointer value and then continue with whatever happens > to be on the host stack after that. > > I assume the intention was "data", not ""... thanks -- PMM
Re: [PULL 04/53] hw/cxl: Add clear poison mailbox command support.
On Mon, 26 Jun 2023 at 13:28, Michael S. Tsirkin wrote: > > From: Jonathan Cameron > > Current implementation is very simple so many of the corner > cases do not exist (e.g. fragmenting larger poison list entries) Hi; Coverity has just spotted what looks like a bug in this function (CID 1544772) where we write bogus data from the host stack into guest memory): > diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c > index ab600735eb..d751803188 100644 > --- a/hw/mem/cxl_type3.c > +++ b/hw/mem/cxl_type3.c > @@ -947,6 +947,42 @@ static void set_lsa(CXLType3Dev *ct3d, const void *buf, > uint64_t size, > */ > } > > +static bool set_cacheline(CXLType3Dev *ct3d, uint64_t dpa_offset, uint8_t > *data) > +{ > +MemoryRegion *vmr = NULL, *pmr = NULL; > +AddressSpace *as; > + > +if (ct3d->hostvmem) { > +vmr = host_memory_backend_get_memory(ct3d->hostvmem); > +} > +if (ct3d->hostpmem) { > +pmr = host_memory_backend_get_memory(ct3d->hostpmem); > +} > + > +if (!vmr && !pmr) { > +return false; > +} > + > +if (dpa_offset + CXL_CACHE_LINE_SIZE > ct3d->cxl_dstate.mem_size) { > +return false; > +} > + > +if (vmr) { > +if (dpa_offset < memory_region_size(vmr)) { > +as = >hostvmem_as; > +} else { > +as = >hostpmem_as; > +dpa_offset -= memory_region_size(vmr); > +} > +} else { > +as = >hostpmem_as; > +} > + > +address_space_write(as, dpa_offset, MEMTXATTRS_UNSPECIFIED, , > +CXL_CACHE_LINE_SIZE); We've passed '' to address_space_write(), which means "read from the address on the stack where the function argument 'data' lives", so instead of writing 64 bytes of data to the guest , we'll write 64 bytes which start with a host pointer value and then continue with whatever happens to be on the host stack after that. I assume the intention was "data", not ""... thanks -- PMM
[PULL 04/53] hw/cxl: Add clear poison mailbox command support.
From: Jonathan Cameron Current implementation is very simple so many of the corner cases do not exist (e.g. fragmenting larger poison list entries) Reviewed-by: Fan Ni Reviewed-by: Ira Weiny Signed-off-by: Jonathan Cameron Message-Id: <20230526170010.574-5-jonathan.came...@huawei.com> Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin --- include/hw/cxl/cxl_device.h | 1 + hw/cxl/cxl-mailbox-utils.c | 82 + hw/mem/cxl_type3.c | 37 + 3 files changed, 120 insertions(+) diff --git a/include/hw/cxl/cxl_device.h b/include/hw/cxl/cxl_device.h index 32c234ea91..73328a52cf 100644 --- a/include/hw/cxl/cxl_device.h +++ b/include/hw/cxl/cxl_device.h @@ -298,6 +298,7 @@ struct CXLType3Class { uint64_t offset); void (*set_lsa)(CXLType3Dev *ct3d, const void *buf, uint64_t size, uint64_t offset); +bool (*set_cacheline)(CXLType3Dev *ct3d, uint64_t dpa_offset, uint8_t *data); }; MemTxResult cxl_type3_read(PCIDevice *d, hwaddr host_addr, uint64_t *data, diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 6c476ad7f4..e3401b6be8 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c @@ -65,6 +65,7 @@ enum { MEDIA_AND_POISON = 0x43, #define GET_POISON_LIST0x0 #define INJECT_POISON 0x1 +#define CLEAR_POISON 0x2 }; /* 8.2.8.4.5.1 Command Return Codes */ 
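Review bot: The new `set_cacheline` class member in cxl_device.h takes `uint8_t *data`, but the only visible use of that pointer is as the source buffer of an `address_space_write()` (in the hw/mem/cxl_type3.c hunk quoted elsewhere in this thread), so it is read-only from the callback's point of view. Declaring it `bool (*set_cacheline)(CXLType3Dev *ct3d, uint64_t dpa_offset, const uint8_t *data);` documents that the 64 payload bytes are not modified and lets callers pass `const` mailbox payloads without a cast; the implementation's prototype would need the same qualifier, which sits in a hunk that is cut off in this view.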
@@ -512,6 +513,85 @@ static CXLRetCode cmd_media_inject_poison(struct cxl_cmd *cmd, return CXL_MBOX_SUCCESS; } +static CXLRetCode cmd_media_clear_poison(struct cxl_cmd *cmd, + CXLDeviceState *cxl_dstate, + uint16_t *len_unused) +{ +CXLType3Dev *ct3d = container_of(cxl_dstate, CXLType3Dev, cxl_dstate); +CXLPoisonList *poison_list = >poison_list; +CXLType3Class *cvc = CXL_TYPE3_GET_CLASS(ct3d); +struct clear_poison_pl { +uint64_t dpa; +uint8_t data[64]; +}; +CXLPoison *ent; +uint64_t dpa; + +struct clear_poison_pl *in = (void *)cmd->payload; + +dpa = ldq_le_p(>dpa); +if (dpa + CXL_CACHE_LINE_SIZE > cxl_dstate->mem_size) { +return CXL_MBOX_INVALID_PA; +} + +/* Clearing a region with no poison is not an error so always do so */ +if (cvc->set_cacheline) { +if (!cvc->set_cacheline(ct3d, dpa, in->data)) { +return CXL_MBOX_INTERNAL_ERROR; +} +} + +QLIST_FOREACH(ent, poison_list, node) { +/* + * Test for contained in entry. Simpler than general case + * as clearing 64 bytes and entries 64 byte aligned + */ +if ((dpa >= ent->start) && (dpa < ent->start + ent->length)) { +break; +} +} +if (!ent) { +return CXL_MBOX_SUCCESS; +} + +QLIST_REMOVE(ent, node); +ct3d->poison_list_cnt--; + +if (dpa > ent->start) { +CXLPoison *frag; +/* Cannot overflow as replacing existing entry */ + +frag = g_new0(CXLPoison, 1); + +frag->start = ent->start; +frag->length = dpa - ent->start; +frag->type = ent->type; + +QLIST_INSERT_HEAD(poison_list, frag, node); +ct3d->poison_list_cnt++; +} + +if (dpa + CXL_CACHE_LINE_SIZE < ent->start + ent->length) { +CXLPoison *frag; + +if (ct3d->poison_list_cnt == CXL_POISON_LIST_LIMIT) { +cxl_set_poison_list_overflowed(ct3d); +} else { +frag = g_new0(CXLPoison, 1); + +frag->start = dpa + CXL_CACHE_LINE_SIZE; +frag->length = ent->start + ent->length - frag->start; +frag->type = ent->type; +QLIST_INSERT_HEAD(poison_list, frag, node); +ct3d->poison_list_cnt++; +} +} +/* Any fragments have been added, free original entry */ +g_free(ent); + +return CXL_MBOX_SUCCESS; 
+} + #define IMMEDIATE_CONFIG_CHANGE (1 << 1) #define IMMEDIATE_DATA_CHANGE (1 << 2) #define IMMEDIATE_POLICY_CHANGE (1 << 3) @@ -543,6 +623,8 @@ static struct cxl_cmd cxl_cmd_set[256][256] = { cmd_media_get_poison_list, 16, 0 }, [MEDIA_AND_POISON][INJECT_POISON] = { "MEDIA_AND_POISON_INJECT_POISON", cmd_media_inject_poison, 8, 0 }, +[MEDIA_AND_POISON][CLEAR_POISON] = { "MEDIA_AND_POISON_CLEAR_POISON", +cmd_media_clear_poison, 72, 0 }, }; void cxl_process_mailbox(CXLDeviceState *cxl_dstate) diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c index ab600735eb..d751803188 100644 --- a/hw/mem/cxl_type3.c +++ b/hw/mem/cxl_type3.c @@ -947,6 +947,42 @@ static void set_lsa(CXLType3Dev *ct3d, const void *buf, uint64_t size, */ } +static bool set_cacheline(CXLType3Dev *ct3d, uint64_t dpa_offset, uint8_t *data) +{ +MemoryRegion *vmr = NULL, *pmr = NULL; +AddressSpace *as; + +if (ct3d->hostvmem) { +vmr =
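Review bot: The bounds check at the top of `cmd_media_clear_poison`, `if (dpa + CXL_CACHE_LINE_SIZE > cxl_dstate->mem_size)`, operates on a guest-controlled `uint64_t` read with `ldq_le_p()`, so a `dpa` within 64 bytes of `UINT64_MAX` wraps the sum to a small value and passes the check; `set_cacheline` repeats the same wrapping comparison, so nothing downstream re-validates it, and what happens to the out-of-range `address_space_write()` is decided outside this hunk. The fragmenting logic below also presumes a 64-byte aligned `dpa` (the loop comment says "entries 64 byte aligned"), yet no alignment is enforced: an unaligned `dpa` inside an entry produces a 64-byte clear that can straddle into the next poison entry, which is never looked up, and leaves fragments with lengths that are not multiples of the cache line. Assuming the command requires an aligned DPA as the comment presumes, I would replace the check with `if ((dpa & (CXL_CACHE_LINE_SIZE - 1)) || dpa >= cxl_dstate->mem_size ||` / `    cxl_dstate->mem_size - dpa < CXL_CACHE_LINE_SIZE) {` / `    return CXL_MBOX_INVALID_PA;` so that neither the wrap nor the misalignment reaches `set_cacheline` or the list surgery.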