Patch Detail
GET /api/patches/2195043/?format=api
{ "id": 2195043, "url": "http://patchwork.ozlabs.org/api/patches/2195043/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260210121438.67781-18-mjt@tls.msk.ru/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260210121438.67781-18-mjt@tls.msk.ru>", "list_archive_url": null, "date": "2026-02-10T12:14:27", "name": "[Stable-10.2.1,74/78] hw/cxl: Check for overflow on santize media as both base and offset 64bit.", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "fb086fa95b80d9a2544f7781a312851feca6fd6c", "submitter": { "id": 183, "url": "http://patchwork.ozlabs.org/api/people/183/?format=api", "name": "Michael Tokarev", "email": "mjt@tls.msk.ru" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260210121438.67781-18-mjt@tls.msk.ru/mbox/", "series": [ { "id": 491661, "url": "http://patchwork.ozlabs.org/api/series/491661/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=491661", "date": "2026-02-10T12:14:13", "name": "Patch Round-up for stable 10.2.1, freeze on 2026-02-10 (frozen)", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/491661/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2195043/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2195043/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) 
smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)", "Received": [ "from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4f9LDQ1nL2z1xvb\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 10 Feb 2026 23:17:42 +1100 (AEDT)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1vpmgH-0002wL-0z; Tue, 10 Feb 2026 07:17:27 -0500", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <mjt@tls.msk.ru>)\n id 1vpmf1-0001ez-Ek; Tue, 10 Feb 2026 07:16:08 -0500", "from isrv.corpit.ru ([212.248.84.144])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <mjt@tls.msk.ru>)\n id 1vpmex-0000Kw-DW; Tue, 10 Feb 2026 07:16:06 -0500", "from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2])\n by isrv.corpit.ru (Postfix) with ESMTP id DC63D187DAC;\n Tue, 10 Feb 2026 15:13:52 +0300 (MSK)", "from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146])\n by tsrv.corpit.ru (Postfix) with ESMTP id 789E9360CCE;\n Tue, 10 Feb 2026 15:14:48 +0300 (MSK)" ], "From": "Michael Tokarev <mjt@tls.msk.ru>", "To": "qemu-devel@nongnu.org", "Cc": "qemu-stable@nongnu.org, Jonathan Cameron <Jonathan.Cameron@huawei.com>,\n Peter Maydell <peter.maydell@linaro.org>,\n \"Michael S. 
Tsirkin\" <mst@redhat.com>, Michael Tokarev <mjt@tls.msk.ru>", "Subject": "[Stable-10.2.1 74/78] hw/cxl: Check for overflow on santize media as\n both base and offset 64bit.", "Date": "Tue, 10 Feb 2026 15:14:27 +0300", "Message-ID": "<20260210121438.67781-18-mjt@tls.msk.ru>", "X-Mailer": "git-send-email 2.47.3", "In-Reply-To": "<qemu-stable-10.2.1-20260210151332@cover.tls.msk.ru>", "References": "<qemu-stable-10.2.1-20260210151332@cover.tls.msk.ru>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Received-SPF": "pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru;\n helo=isrv.corpit.ru", "X-Spam_score_int": "-18", "X-Spam_score": "-1.9", "X-Spam_bar": "-", "X-Spam_report": "(-1.9 / 5.0 requ) BAYES_00=-1.9,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "From: Jonathan Cameron <Jonathan.Cameron@huawei.com>\n\nThe both the size and base of a media sanitize operation are both provided\nby the VM, an overflow is possible which may result in checks on valid\nrange passing when they should not. 
Close that by checking for overflow\non the addition.\n\nFixes: 40ab4ed10775 (\"hw/cxl/cxl-mailbox-utils: Media operations Sanitize and Write Zeros commands CXL r3.2(8.2.10.9.5.3)\")\nCloses: https://lore.kernel.org/qemu-devel/CAFEAcA8Rqop+ju0fuxN+0T57NBG+bep80z45f6pY0ci2fz_G3A@mail.gmail.com/\nReported-by: Peter Maydell <peter.maydell@linaro.org>\nSigned-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>\nReviewed-by: Michael S. Tsirkin <mst@redhat.com>\nSigned-off-by: Michael S. Tsirkin <mst@redhat.com>\nMessage-Id: <20260102154731.474859-2-Jonathan.Cameron@huawei.com>\n(cherry picked from commit 87f8e5a71d061964c9bfa4d6e02db47f54dd61f7)\nSigned-off-by: Michael Tokarev <mjt@tls.msk.ru>", "diff": "diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c\nindex 6cfdd98168..cf1d048d99 100644\n--- a/hw/cxl/cxl-mailbox-utils.c\n+++ b/hw/cxl/cxl-mailbox-utils.c\n@@ -1875,7 +1875,7 @@ static uint64_t get_dc_size(CXLType3Dev *ct3d, MemoryRegion **dc_mr)\n static int validate_dpa_addr(CXLType3Dev *ct3d, uint64_t dpa_addr,\n size_t length)\n {\n- uint64_t vmr_size, pmr_size, dc_size;\n+ uint64_t vmr_size, pmr_size, dc_size, dpa_end;\n \n if ((dpa_addr % CXL_CACHE_LINE_SIZE) ||\n (length % CXL_CACHE_LINE_SIZE) ||\n@@ -1887,7 +1887,12 @@ static int validate_dpa_addr(CXLType3Dev *ct3d, uint64_t dpa_addr,\n pmr_size = get_pmr_size(ct3d, NULL);\n dc_size = get_dc_size(ct3d, NULL);\n \n- if (dpa_addr + length > vmr_size + pmr_size + dc_size) {\n+ /* sanitize 64 bit values coming from guest */\n+ if (uadd64_overflow(dpa_addr, length, &dpa_end)) {\n+ return -EINVAL;\n+ }\n+\n+ if (dpa_end > vmr_size + pmr_size + dc_size) {\n return -EINVAL;\n }\n \n", "prefixes": [ "Stable-10.2.1", "74/78" ] }
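Review bot: In the second hunk of validate_dpa_addr(), `length` is still declared `size_t` even though the new check treats it as a 64-bit guest value in `uadd64_overflow(dpa_addr, length, &dpa_end)`. On a host where size_t is narrower than 64 bits, a guest-supplied length would be truncated at the call boundary, so the overflow test would only ever see the truncated value. Consider changing the parameter to `uint64_t length` so the signature matches the commit message's statement that both values are 64 bit. Two smaller points in the same hunk: the comment `/* sanitize 64 bit values coming from guest */` is easy to misread next to the Sanitize command, and wording such as "reject dpa_addr + length wrapping around" would say what the check does; and the right-hand side `vmr_size + pmr_size + dc_size` is still an unchecked uint64_t sum, so if those sizes are bounded by device configuration, a one-line comment saying so would make that assumption visible.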