GET /api/1.1/patches/2230348/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2230348,
    "url": "http://patchwork.ozlabs.org/api/1.1/patches/2230348/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260429152750.2409174-1-physicalmtea@gmail.com/",
    "project": {
        "id": 14,
        "url": "http://patchwork.ozlabs.org/api/1.1/projects/14/?format=api",
        "name": "QEMU Development",
        "link_name": "qemu-devel",
        "list_id": "qemu-devel.nongnu.org",
        "list_email": "qemu-devel@nongnu.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": ""
    },
    "msgid": "<20260429152750.2409174-1-physicalmtea@gmail.com>",
    "date": "2026-04-29T15:27:50",
    "name": "[v2] hw/cxl: bound Set Feature writes",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "2d39225ed6585623595904e8f4e567172fd24b64",
    "submitter": {
        "id": 93269,
        "url": "http://patchwork.ozlabs.org/api/1.1/people/93269/?format=api",
        "name": "Jia Jia",
        "email": "physicalmtea@gmail.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260429152750.2409174-1-physicalmtea@gmail.com/mbox/",
    "series": [
        {
            "id": 502096,
            "url": "http://patchwork.ozlabs.org/api/1.1/series/502096/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=502096",
            "date": "2026-04-29T15:27:50",
            "name": "[v2] hw/cxl: bound Set Feature writes",
            "version": 2,
            "mbox": "http://patchwork.ozlabs.org/series/502096/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2230348/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2230348/checks/",
    "tags": {},
    "headers": {
        "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=eJVAcCSd;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"
        ],
        "Received": [
            "from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5Lnd5bT8z1yHZ\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 01:29:24 +1000 (AEST)",
            "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wI6q9-0001ru-26; Wed, 29 Apr 2026 11:28:41 -0400",
            "from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <physicalmtea@gmail.com>)\n id 1wI6q6-0001rd-RE\n for qemu-devel@nongnu.org; Wed, 29 Apr 2026 11:28:38 -0400",
            "from mail-pl1-x62a.google.com ([2607:f8b0:4864:20::62a])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <physicalmtea@gmail.com>)\n id 1wI6q4-0006iq-3l\n for qemu-devel@nongnu.org; Wed, 29 Apr 2026 11:28:38 -0400",
            "by mail-pl1-x62a.google.com with SMTP id\n d9443c01a7336-2adbfab4501so59553665ad.2\n for <qemu-devel@nongnu.org>; Wed, 29 Apr 2026 08:28:35 -0700 (PDT)",
            "from localhost.localdomain ([114.249.134.218])\n by smtp.gmail.com with ESMTPSA id\n d9443c01a7336-2b988990e4csm26106465ad.83.2026.04.29.08.28.30\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 29 Apr 2026 08:28:33 -0700 (PDT)"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1777476514; x=1778081314; darn=nongnu.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=/oaj7TdntV4BbKlicNCDnibmbfLlIXWSzMFxlbQXRV0=;\n b=eJVAcCSdisCHVDPJPhhah5H1m5se+yue09/FFItiNrBDIR/0eBld4aGy3TzTBrIfA5\n a4G5UMEkRsstdkmqOfPPdQZkVdRZhc/NJHgfEFdIdpPvNNPyMtn5o8N1J9DokY0/vql9\n 791jJ30hedlRkU5wQIyB/EjiafllLy49TGJSrlvf8oFPmWv/Z/RNFUewYs5WTtYcGVZF\n 5AYZ4tYtncxjj+hpRXtsX27RTPhItx+LQZHpn9qYysUxikvIfsoRiWd/+PosRoijgUX/\n jk78X6ZcU850bJaz5Owz1/GqaUzLAf7ULJ/6LeRAxrUc1XonVDoNJnCZKERNhs/pI6tq\n hoGA==",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777476514; x=1778081314;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=/oaj7TdntV4BbKlicNCDnibmbfLlIXWSzMFxlbQXRV0=;\n b=Ezx3IU1RxMfyro8v2ekYQzBnSOt2YBKcMKF8sANnPopRi2Hp6P3ZTqh4y32k/kP3Zu\n VN3cLty3WBIhoHdBa/g9pFXlrTsQnjcv5QBixm4adcNsBiJS3LyZggI6R5xagmDoEIPF\n HUoLZsJvUAeOzTGN/zGXRnS7ebCEs75m6MXOZ5fjjsXhYskF/SL+uhOMq07XBTL+NB/e\n QcWcsrr/mHNyyD8pwj0qcNpfXh13AoJEIXcPlYr0PczttSO5jVuUBiSIB/IfTtHjyWE4\n 6Ogodznz8K8RHpKPvaVt+AXBed5vFz/y6VDGHsAvZgwdqABuvtkNZhLS0dnXA2UMQYkr\n kLZw==",
        "X-Gm-Message-State": "AOJu0YxZOifk8LIugWyUJKfhrRAL1/W47Nww58iwlRw3tQ+0rW5uqKwh\n 9qpluu6bqESD0zzUnfC2KVugXu7yQIXWUySXA18snBXewQzBZLX587zn+gJslgN9u7xypg==",
        "X-Gm-Gg": "AeBDiesJyvqeAPvMvcrnoQTeXqM8WG3tautgT1g3roMG4CNCkv75XqB/Sk0x26I1dqs\n bWnHTE/xcu7+jmUf71bt92QGVE4YBEQPwxM0mb5rxluULJjwYNg8721JvFKIPhGIWh8IXS8Sq7+\n 2NzcMq/2az3cUP0EH4wnB7+8mfnMs8oPi3iFjten21yDQC1yGPNpGHJ1O2kjj/A7lCdJsZ1nrsD\n De0uY/UFluPvAJh0DXw9S0/xSLBtUA6V8tIxkwK2pEG32l5aLAu2R9Vc8uZQ/lekomW8bvhvLrK\n 7EiWPfGztmStCtoYTgsEVjPI6o8Iu4j/7Tue/yPeYbO1AqAa7k6At2OFXVdsxnLppFl6vK43gcx\n DXLtqzjOqCn/lnS5Q7teNQZ47iSW9Qz2BiOg2XqJQ5Ilo8BWvlEphTDhG7zEEYJB7Pq5+Bn7JHd\n CedxrM7divLbhALchlFAfCZpyDE8MQH0srPESK/849nJ/apj+fMy9lZV9gK6eYSA==",
        "X-Received": "by 2002:a17:903:90b:b0:2b2:dca5:101b with SMTP id\n d9443c01a7336-2b97c4061b1mr86423935ad.12.1777476513488;\n Wed, 29 Apr 2026 08:28:33 -0700 (PDT)",
        "From": "Jia Jia <physicalmtea@gmail.com>",
        "To": "qemu-devel@nongnu.org",
        "Cc": "peter.maydell@linaro.org, jic23@kernel.org, linux-cxl@vger.kernel.org,\n farosas@suse.de, lvivier@redhat.com, pbonzini@redhat.com",
        "Subject": "[PATCH v2] hw/cxl: bound Set Feature writes",
        "Date": "Wed, 29 Apr 2026 23:27:50 +0800",
        "Message-Id": "<20260429152750.2409174-1-physicalmtea@gmail.com>",
        "X-Mailer": "git-send-email 2.34.1",
        "In-Reply-To": "\n <CAFEAcA_DnrvSCVY3f2q=3OnXt0+708BcwSJ=KhMn1t3sbbXQbg@mail.gmail.com>",
        "References": "\n <CAFEAcA_DnrvSCVY3f2q=3OnXt0+708BcwSJ=KhMn1t3sbbXQbg@mail.gmail.com>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit",
        "Received-SPF": "pass client-ip=2607:f8b0:4864:20::62a;\n envelope-from=physicalmtea@gmail.com; helo=mail-pl1-x62a.google.com",
        "X-Spam_score_int": "-20",
        "X-Spam_score": "-2.1",
        "X-Spam_bar": "--",
        "X-Spam_report": "(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no",
        "X-Spam_action": "no action",
        "X-BeenThere": "qemu-devel@nongnu.org",
        "X-Mailman-Version": "2.1.29",
        "Precedence": "list",
        "List-Id": "qemu development <qemu-devel.nongnu.org>",
        "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>",
        "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>",
        "List-Post": "<mailto:qemu-devel@nongnu.org>",
        "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>",
        "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>",
        "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org",
        "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"
    },
    "content": "Commit c1c4d6b38b13 added offset + length checks for the\npatrol_scrub and ecs Set Feature branches, but the remaining\nbranches still copy mailbox payload data into fixed-size\nwrite-attribute objects without the same validation.\n\nA full mailbox payload can still reach rank_sparing and overrun\nCXLMemSparingWriteAttrs on current master. With an ASan build\nthis aborts the host process with:\n\n  ERROR: AddressSanitizer: heap-buffer-overflow\n  WRITE of size 2016\n      #0 __interceptor_memcpy\n      #1 cmd_features_set_feature ../hw/cxl/cxl-mailbox-utils.c:1908\n      #2 cxl_process_cci_message ../hw/cxl/cxl-mailbox-utils.c:4622\n      #3 mailbox_reg_write ../hw/cxl/cxl-device-utils.c:209\n\nFold the bounds checking into a small helper and use it for\nall Set Feature write-attribute branches, so oversized\nrequests fail with CXL_MBOX_INVALID_PAYLOAD_LENGTH instead\nof overflowing the target buffers.\n\nAdd a qtest covering the rank_sparing path.\n\nResolves: https://gitlab.com/qemu-project/qemu/-/work_items/3458\nSigned-off-by: Jia Jia <physicalmtea@gmail.com>\n---\nHi Peter,\n\nThanks, that makes sense.\n\nI've folded the repeated bounds checking into a small helper and respun\nthe patch as v2.\n\nThanks\n\nv2:\n- fold the repeated Set Feature bounds checks into a helper\n- use the helper for all Set Feature write-attribute branches\n\n hw/cxl/cxl-mailbox-utils.c | 94 ++++++++++++++++++++++++------\n tests/qtest/cxl-test.c     | 99 ++++++++++++++++++++++++++++++++++++++\n 2 files changed, 169 insertions(+), 24 deletions(-)",
    "diff": "diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c\nindex d8ba7e8625..4c7a083e4c 100644\n--- a/hw/cxl/cxl-mailbox-utils.c\n+++ b/hw/cxl/cxl-mailbox-utils.c\n@@ -1702,6 +1702,21 @@ static CXLRetCode cmd_features_get_feature(const struct cxl_cmd *cmd,\n     return CXL_MBOX_SUCCESS;\n }\n \n+static CXLRetCode cxl_set_feature_copy(void *write_attrs,\n+                                       size_t write_attrs_size,\n+                                       uint16_t offset,\n+                                       const void *payload,\n+                                       uint16_t bytes_to_copy)\n+{\n+    if ((uint32_t)offset + bytes_to_copy > write_attrs_size) {\n+        return CXL_MBOX_INVALID_PAYLOAD_LENGTH;\n+    }\n+\n+    memcpy((uint8_t *)write_attrs + offset, payload, bytes_to_copy);\n+\n+    return CXL_MBOX_SUCCESS;\n+}\n+\n /* CXL r3.1 section 8.2.9.6.3: Set Feature (Opcode 0502h) */\n static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,\n                                            uint8_t *payload_in,\n@@ -1713,6 +1728,7 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,\n     CXLSetFeatureInHeader *hdr = (void *)payload_in;\n     CXLSetFeatureInfo *set_feat_info;\n     uint16_t bytes_to_copy = 0;\n+    CXLRetCode ret;\n     uint8_t data_transfer_flag;\n     CXLType3Dev *ct3d;\n     uint16_t count;\n@@ -1760,13 +1776,13 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,\n             return CXL_MBOX_UNSUPPORTED;\n         }\n \n-        if ((uint32_t)hdr->offset + bytes_to_copy >\n-            sizeof(ct3d->patrol_scrub_wr_attrs)) {\n-            return CXL_MBOX_INVALID_PAYLOAD_LENGTH;\n-        }\n-        memcpy((uint8_t *)&ct3d->patrol_scrub_wr_attrs + hdr->offset,\n-               ps_write_attrs,\n-               bytes_to_copy);\n+        ret = cxl_set_feature_copy(&ct3d->patrol_scrub_wr_attrs,\n+                                   
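Review bot: cxl_set_feature_copy() bounds only the destination object; the helper has no way to confirm that `payload` really holds `bytes_to_copy` bytes, so that half of the contract rests on how the caller derives the length, which happens outside these hunks. That should be written down above the definition, e.g. `/* Bounds-checked copy of guest-supplied Set Feature data; the caller guarantees payload holds at least bytes_to_copy bytes. */`. Separately, every converted branch passes `hdr->offset` exactly as it sits in the guest payload, while the new qtest stores that field with `cpu_to_le16()`. Unless the header is byte-swapped earlier in cmd_features_set_feature (not visible here), a big-endian host would check and copy at a swapped offset: still inside the object thanks to the new guard, but not where the guest asked, so `le16_to_cpu(hdr->offset)` at the call sites looks like the intended form.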
sizeof(ct3d->patrol_scrub_wr_attrs),\n+                                   hdr->offset, ps_write_attrs,\n+                                   bytes_to_copy);\n+        if (ret) {\n+            return ret;\n+        }\n         set_feat_info->data_size += bytes_to_copy;\n \n         if (data_transfer_flag == CXL_SET_FEATURE_FLAG_FULL_DATA_TRANSFER ||\n@@ -1787,13 +1803,13 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,\n             return CXL_MBOX_UNSUPPORTED;\n         }\n \n-        if ((uint32_t)hdr->offset + bytes_to_copy >\n-            sizeof(ct3d->ecs_wr_attrs)) {\n-            return CXL_MBOX_INVALID_PAYLOAD_LENGTH;\n-        }\n-        memcpy((uint8_t *)&ct3d->ecs_wr_attrs + hdr->offset,\n-               ecs_write_attrs,\n-               bytes_to_copy);\n+        ret = cxl_set_feature_copy(&ct3d->ecs_wr_attrs,\n+                                   sizeof(ct3d->ecs_wr_attrs),\n+                                   hdr->offset, ecs_write_attrs,\n+                                   bytes_to_copy);\n+        if (ret) {\n+            return ret;\n+        }\n         set_feat_info->data_size += bytes_to_copy;\n \n         if (data_transfer_flag == CXL_SET_FEATURE_FLAG_FULL_DATA_TRANSFER ||\n@@ -1813,8 +1829,13 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,\n             return CXL_MBOX_UNSUPPORTED;\n         }\n \n-        memcpy((uint8_t *)&ct3d->soft_ppr_wr_attrs + hdr->offset,\n-               sppr_write_attrs, bytes_to_copy);\n+        ret = cxl_set_feature_copy(&ct3d->soft_ppr_wr_attrs,\n+                                   sizeof(ct3d->soft_ppr_wr_attrs),\n+                                   hdr->offset, sppr_write_attrs,\n+                                   bytes_to_copy);\n+        if (ret) {\n+            return ret;\n+        }\n         set_feat_info->data_size += bytes_to_copy;\n \n         if (data_transfer_flag == CXL_SET_FEATURE_FLAG_FULL_DATA_TRANSFER ||\n@@ -1832,8 +1853,13 @@ static CXLRetCode 
cmd_features_set_feature(const struct cxl_cmd *cmd,\n             return CXL_MBOX_UNSUPPORTED;\n         }\n \n-        memcpy((uint8_t *)&ct3d->hard_ppr_wr_attrs + hdr->offset,\n-               hppr_write_attrs, bytes_to_copy);\n+        ret = cxl_set_feature_copy(&ct3d->hard_ppr_wr_attrs,\n+                                   sizeof(ct3d->hard_ppr_wr_attrs),\n+                                   hdr->offset, hppr_write_attrs,\n+                                   bytes_to_copy);\n+        if (ret) {\n+            return ret;\n+        }\n         set_feat_info->data_size += bytes_to_copy;\n \n         if (data_transfer_flag == CXL_SET_FEATURE_FLAG_FULL_DATA_TRANSFER ||\n@@ -1851,8 +1877,13 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,\n             return CXL_MBOX_UNSUPPORTED;\n         }\n \n-        memcpy((uint8_t *)&ct3d->cacheline_sparing_wr_attrs + hdr->offset,\n-               mem_sparing_write_attrs, bytes_to_copy);\n+        ret = cxl_set_feature_copy(&ct3d->cacheline_sparing_wr_attrs,\n+                                   sizeof(ct3d->cacheline_sparing_wr_attrs),\n+                                   hdr->offset, mem_sparing_write_attrs,\n+                                   bytes_to_copy);\n+        if (ret) {\n+            return ret;\n+        }\n         set_feat_info->data_size += bytes_to_copy;\n \n         if (data_transfer_flag == CXL_SET_FEATURE_FLAG_FULL_DATA_TRANSFER ||\n@@ -1869,8 +1900,13 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,\n             return CXL_MBOX_UNSUPPORTED;\n         }\n \n-        memcpy((uint8_t *)&ct3d->row_sparing_wr_attrs + hdr->offset,\n-               mem_sparing_write_attrs, bytes_to_copy);\n+        ret = cxl_set_feature_copy(&ct3d->row_sparing_wr_attrs,\n+                                   sizeof(ct3d->row_sparing_wr_attrs),\n+                                   hdr->offset, mem_sparing_write_attrs,\n+                                   bytes_to_copy);\n+        if 
(ret) {\n+            return ret;\n+        }\n         set_feat_info->data_size += bytes_to_copy;\n \n         if (data_transfer_flag == CXL_SET_FEATURE_FLAG_FULL_DATA_TRANSFER ||\n@@ -1887,8 +1923,13 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,\n             return CXL_MBOX_UNSUPPORTED;\n         }\n \n-        memcpy((uint8_t *)&ct3d->bank_sparing_wr_attrs + hdr->offset,\n-               mem_sparing_write_attrs, bytes_to_copy);\n+        ret = cxl_set_feature_copy(&ct3d->bank_sparing_wr_attrs,\n+                                   sizeof(ct3d->bank_sparing_wr_attrs),\n+                                   hdr->offset, mem_sparing_write_attrs,\n+                                   bytes_to_copy);\n+        if (ret) {\n+            return ret;\n+        }\n         set_feat_info->data_size += bytes_to_copy;\n \n         if (data_transfer_flag == CXL_SET_FEATURE_FLAG_FULL_DATA_TRANSFER ||\n@@ -1905,8 +1946,13 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,\n             return CXL_MBOX_UNSUPPORTED;\n         }\n \n-        memcpy((uint8_t *)&ct3d->rank_sparing_wr_attrs + hdr->offset,\n-               mem_sparing_write_attrs, bytes_to_copy);\n+        ret = cxl_set_feature_copy(&ct3d->rank_sparing_wr_attrs,\n+                                   sizeof(ct3d->rank_sparing_wr_attrs),\n+                                   hdr->offset, mem_sparing_write_attrs,\n+                                   bytes_to_copy);\n+        if (ret) {\n+            return ret;\n+        }\n         set_feat_info->data_size += bytes_to_copy;\n \n         if (data_transfer_flag == CXL_SET_FEATURE_FLAG_FULL_DATA_TRANSFER ||\n             data_transfer_flag == CXL_SET_FEATURE_FLAG_FINISH_DATA_TRANSFER) {\ndiff --git a/tests/qtest/cxl-test.c b/tests/qtest/cxl-test.c\nindex 8fb7e58d4f..a9fcd98736 100644\n--- a/tests/qtest/cxl-test.c\n+++ b/tests/qtest/cxl-test.c\n@@ -7,6 +7,7 @@\n \n #include \"qemu/osdep.h\"\n #include 
\"libqtest-single.h\"\n+#include \"hw/cxl/cxl_device.h\"\n \n #define QEMU_PXB_CMD \\\n     \"-machine q35,cxl=on \" \\\n@@ -59,6 +60,12 @@\n     \"-object memory-backend-file,id=lsa0,mem-path=%s,size=256M \" \\\n     \"-device cxl-type3,bus=rp0,volatile-memdev=cxl-mem0,lsa=lsa0,id=mem0 \"\n \n+#define QEMU_T3D_DIRECT_PMEM \\\n+    \"-machine q35,cxl=on -nodefaults \" \\\n+    \"-object memory-backend-file,id=cxl-mem0,mem-path=%s,size=256M \" \\\n+    \"-object memory-backend-file,id=lsa0,mem-path=%s,size=1M \" \\\n+    \"-device cxl-type3,bus=pcie.0,persistent-memdev=cxl-mem0,lsa=lsa0,id=pmem0 \"\n+\n #define QEMU_2T3D \\\n     \"-object memory-backend-file,id=cxl-mem0,mem-path=%s,size=256M \" \\\n     \"-object memory-backend-file,id=lsa0,mem-path=%s,size=256M \" \\\n@@ -81,6 +88,17 @@\n     \"-object memory-backend-file,id=lsa3,mem-path=%s,size=256M \" \\\n     \"-device cxl-type3,bus=rp3,persistent-memdev=cxl-mem3,lsa=lsa3,id=pmem3 \"\n \n+#define CXL_T3D_DEVFN 0x08\n+#define CXL_T3D_BAR2_ADDR 0x10000000ULL\n+\n+typedef struct QEMU_PACKED CXLSetFeatureInHeaderTest {\n+    uint8_t uuid[16];\n+    uint32_t flags;\n+    uint16_t offset;\n+    uint8_t version;\n+    uint8_t rsvd[9];\n+} CXLSetFeatureInHeaderTest;\n+\n static void cxl_basic_hb(void)\n {\n     qtest_start(\"-machine q35,cxl=on\");\n@@ -118,6 +136,85 @@ static void cxl_2root_port(void)\n }\n \n #ifdef CONFIG_POSIX\n+static uint32_t cxl_test_pci_config_addr(uint8_t devfn, uint8_t offset)\n+{\n+    return 0x80000000U | (devfn << 8) | offset;\n+}\n+\n+static void cxl_test_t3d_enable_bar2(void)\n+{\n+    outl(0xcf8, cxl_test_pci_config_addr(CXL_T3D_DEVFN, 0x18));\n+    outl(0xcfc, CXL_T3D_BAR2_ADDR);\n+    outl(0xcf8, cxl_test_pci_config_addr(CXL_T3D_DEVFN, 0x1c));\n+    outl(0xcfc, 0);\n+    outl(0xcf8, cxl_test_pci_config_addr(CXL_T3D_DEVFN, 0x04));\n+    outl(0xcfc, 0x2);\n+}\n+\n+static uint64_t cxl_test_t3d_mailbox_base(void)\n+{\n+    return CXL_T3D_BAR2_ADDR + 
CXL_MAILBOX_REGISTERS_OFFSET;\n+}\n+\n+static uint64_t cxl_test_t3d_payload_base(void)\n+{\n+    return cxl_test_t3d_mailbox_base() + A_CXL_DEV_CMD_PAYLOAD;\n+}\n+\n+static void cxl_test_t3d_submit_set_feature(const void *payload, size_t len)\n+{\n+    memwrite(cxl_test_t3d_payload_base(), payload, len);\n+    writeq(cxl_test_t3d_mailbox_base() + A_CXL_DEV_MAILBOX_CMD,\n+           ((uint64_t)len << 16) | (0x05 << 8) | 0x02);\n+    writel(cxl_test_t3d_mailbox_base() + A_CXL_DEV_MAILBOX_CTRL, 1);\n+}\n+\n+static uint16_t cxl_test_t3d_mailbox_errno(void)\n+{\n+    return (readq(cxl_test_t3d_mailbox_base() + A_CXL_DEV_MAILBOX_STS) >>\n+            32) & 0xffff;\n+}\n+\n+static void cxl_test_fill_set_feature_header(CXLSetFeatureInHeaderTest *hdr,\n+                                             const uint8_t uuid[16],\n+                                             uint16_t offset,\n+                                             uint8_t version)\n+{\n+    memset(hdr, 0, sizeof(*hdr));\n+    memcpy(hdr->uuid, uuid, 16);\n+    hdr->offset = cpu_to_le16(offset);\n+    hdr->version = version;\n+}\n+\n+static void cxl_t3d_set_feature_rejects_oversized_rank_sparing(void)\n+{\n+    static const uint8_t rank_sparing_uuid[16] = {\n+        0x34, 0xdb, 0xaf, 0xf5, 0x05, 0x52, 0x42, 0x81,\n+        0x8f, 0x76, 0xda, 0x0b, 0x5e, 0x7a, 0x76, 0xa7,\n+    };\n+    g_autoptr(GString) cmdline = g_string_new(NULL);\n+    g_autofree const char *tmpfs = NULL;\n+    uint8_t payload[CXL_MAILBOX_MAX_PAYLOAD_SIZE] = { 0 };\n+    CXLSetFeatureInHeaderTest *hdr = (void *)payload;\n+\n+    tmpfs = g_dir_make_tmp(\"cxl-test-XXXXXX\", NULL);\n+    g_string_printf(cmdline, QEMU_T3D_DIRECT_PMEM, tmpfs, tmpfs);\n+\n+    qtest_start(cmdline->str);\n+    cxl_test_t3d_enable_bar2();\n+\n+    cxl_test_fill_set_feature_header(hdr, rank_sparing_uuid, 0,\n+                                     CXL_MEMDEV_SPARING_SET_FEATURE_VERSION);\n+    memset(payload + sizeof(*hdr), 0x41,\n+           sizeof(payload) - 
sizeof(*hdr));\n+    cxl_test_t3d_submit_set_feature(payload, sizeof(payload));\n+    g_assert_cmphex(cxl_test_t3d_mailbox_errno(), ==,\n+                    CXL_MBOX_INVALID_PAYLOAD_LENGTH);\n+\n+    qtest_end();\n+    rmdir(tmpfs);\n+}\n+\n static void cxl_t3d_deprecated(void)\n {\n     g_autoptr(GString) cmdline = g_string_new(NULL);\n@@ -238,6 +335,8 @@ int main(int argc, char **argv)\n         qtest_add_func(\"/pci/cxl/type3_device_pmem\", cxl_t3d_persistent);\n         qtest_add_func(\"/pci/cxl/type3_device_vmem\", cxl_t3d_volatile);\n         qtest_add_func(\"/pci/cxl/type3_device_vmem_lsa\", cxl_t3d_volatile_lsa);\n+        qtest_add_func(\"/pci/cxl/type3_device_set_feature_rank_sparing_bounds\",\n+                       cxl_t3d_set_feature_rejects_oversized_rank_sparing);\n         qtest_add_func(\"/pci/cxl/rp_x2_type3_x2\", cxl_1pxb_2rp_2t3d);\n         qtest_add_func(\"/pci/cxl/pxb_x2_root_port_x4_type3_x4\",\n                        cxl_2pxb_4rp_4t3d);\n",
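Review bot: cxl_t3d_set_feature_rejects_oversized_rank_sparing() only sends offset 0 with a full-size payload, so the `offset` term of the new check is never exercised, and the other newly bounded branches (soft_ppr, hard_ppr, cacheline, row and bank sparing) have no regression coverage. A second case with a short payload and a large `hdr->offset` would pin the sum rather than just the length, and a small table of feature UUIDs would extend the same assertion to the remaining branches. The result of `g_dir_make_tmp()` is passed straight to `g_string_printf()` and later `rmdir()`; a `g_assert_nonnull(tmpfs);` after the call would turn a failed temp-dir creation into a readable test failure. The test also hand-copies the header layout in CXLSetFeatureInHeaderTest (in the earlier hunk), so a one-line comment naming the device-side struct it mirrors would help keep the two in step.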
    "prefixes": [
        "v2"
    ]
}