[{"id":3684038,"web_url":"http://patchwork.ozlabs.org/comment/3684038/","msgid":"<CAFEAcA_DnrvSCVY3f2q=3OnXt0+708BcwSJ=KhMn1t3sbbXQbg@mail.gmail.com>","list_archive_url":null,"date":"2026-04-29T12:55:34","subject":"Re: [PATCH] hw/cxl: bound remaining Set Feature writes","submitter":{"id":5111,"url":"http://patchwork.ozlabs.org/api/people/5111/","name":"Peter Maydell","email":"peter.maydell@linaro.org"},"content":"On Wed, 29 Apr 2026 at 13:46, Jia Jia <physicalmtea@gmail.com> wrote:\n>\n> Commit c1c4d6b38b13 added offset + length checks for the\n> patrol_scrub and ecs Set Feature branches, but the remaining\n> branches still copy mailbox payload data into fixed-size\n> write-attribute objects without the same validation.\n>\n> A full mailbox payload can still reach rank_sparing and overrun\n> CXLMemSparingWriteAttrs on current master. With an ASan build\n> this aborts the host process with:\n>\n>   ERROR: AddressSanitizer: heap-buffer-overflow\n>   WRITE of size 2016\n>       #0 __interceptor_memcpy\n>       #1 cmd_features_set_feature ../hw/cxl/cxl-mailbox-utils.c:1908\n>       #2 cxl_process_cci_message ../hw/cxl/cxl-mailbox-utils.c:4622\n>       #3 mailbox_reg_write ../hw/cxl/cxl-device-utils.c:209\n>\n> Apply the same offset + length validation to soft_ppr,\n> hard_ppr, cacheline_sparing, row_sparing, bank_sparing, and\n> rank_sparing so oversized requests fail with\n> CXL_MBOX_INVALID_PAYLOAD_LENGTH instead of overflowing the\n> write-attribute buffers.\n>\n> Add a qtest covering the rank_sparing path.\n>\n> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3458\n> Signed-off-by: Jia Jia <physicalmtea@gmail.com>\n\nI don't think we should mix refactoring with this bug fix,\nbut I do notice there's a lot of very repetitive looking\ncode in this function, which is why the patch has to add a\nlength check in six different places, and any new feature\ntype will have to add another one. 
maybe there's a way to make\nit less awkwardly repetitive...\n\nthanks\n-- PMM","headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256\n header.s=google header.b=wHlL5Y5p;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5HPM3zbSz1yHX\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 22:56:37 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wI4SH-0006Al-N2; Wed, 29 Apr 2026 08:55:53 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <peter.maydell@linaro.org>)\n id 1wI4SF-00069n-Fw\n for qemu-devel@nongnu.org; Wed, 29 Apr 2026 08:55:51 -0400","from mail-yx1-xb12a.google.com ([2607:f8b0:4864:20::b12a])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <peter.maydell@linaro.org>)\n id 1wI4SD-0005VA-PR\n for qemu-devel@nongnu.org; Wed, 29 Apr 2026 08:55:51 -0400","by mail-yx1-xb12a.google.com with SMTP id\n 956f58d0204a3-651b4d09141so1386803d50.1\n for <qemu-devel@nongnu.org>; Wed, 29 Apr 2026 05:55:48 -0700 (PDT)"],"ARC-Seal":"i=1; a=rsa-sha256; t=1777467348; cv=none;\n 
d=google.com; s=arc-20240605;\n b=KSG8g+o1xIJGdof+a70DvezcNV8azKapIqRH9OmPFjwCqivG4ksXA3BMawwkIMccv8\n oE0aNFGQw5Oi8KJnLthTlB6fhxTpoqnQ+7yrXbsFx/IwIEKqKBYdDxz/FVOMMEuQiGKS\n BcEQFfzt8uBQCpQ1B8j3oGVWMEMvJyZli+vXa2273UBe3npLyW7Cr9TB+W3EvCCam98P\n +u2A+bWxcGSpIwYcPgKywb9vrnf4LKCWKyXEN56aAGoXd2/vBYNa3XWcFS0PIYz+eiQX\n X/WceVoWzSgZQRfODSiQ+YeGjL4F19MIqnC0Ba9SNiyMvkar8bpNLlk7GkgBnJlf5/l9\n OEUw==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:dkim-signature;\n bh=fkMCORstw1q/GpjWOTwzVTaXdmkD/VRw81ImyyOInAk=;\n fh=Mz2y12wzJJW1Rmbmc0KL1Q2SaGBmA6oT2H9N5PtSfoA=;\n b=H5KsZ/Yx+Oc7E25Oipx42ykXbxen7hQDZotFS9/Q5oaH43hjLOj1mCbrjmLfl+bX4s\n zjkC92KunfZVTYp31KHDXg9QABJN4B1feRH4/f2+EE9OFBGZTmBPiKGxw/yjBkkulWE6\n N3YAQCDPadEGya1caTRBWjWvekmCdhCj1abMoOyfbhZV1IR4F591xY4LgTe6JxJgvigE\n K1GmmxHeBv787RK/lMcjXUpd8QzWoLhzNeA/8Uzy0puMGlvnrnN2y9n8aJQEb2Tub+3u\n hqDUlZIOlUgfqwWJKgYgUodfnvYCz/YPVH+9NS2ZTB2ust/zPinx6EZ18dOLcD2x/7G1\n IQPw==; darn=nongnu.org","ARC-Authentication-Results":"i=1; mx.google.com; arc=none","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=linaro.org; s=google; t=1777467348; x=1778072148; darn=nongnu.org;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:from:to:cc:subject:date:message-id:reply-to;\n bh=fkMCORstw1q/GpjWOTwzVTaXdmkD/VRw81ImyyOInAk=;\n b=wHlL5Y5pG4VOJRB7MG0hlevPWkQCFziQLudEZHfvvu6wC0VRNezM9ELtwOSHn8+1Wm\n LxklsKUpJvAmPsNTWeOMEieGk/EU3RVNWt4WKu0QyA+0BHoONBz/MNwiZ6Ivt4Ena4Em\n aKYk02bk7NqJgsW79utk1rxRbhZ6npM60FBxjQea9a9scau1iTWrMFpwv8UgsQk57YC5\n gcKwgv+kg0X1hLI3nrEMvkvc8CkvWs88oVETdk7HD999N3XbjPvmYljgarM2Ga2+qn4l\n xR3evBIeKTNfWEG9tXY30I2BIhLxZa9fQM8j6EFSa6QhBoEzsf5Blt8Q+m09UUfCZoLz\n 91UA==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777467348; x=1778072148;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n 
:mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=fkMCORstw1q/GpjWOTwzVTaXdmkD/VRw81ImyyOInAk=;\n b=diLrK3/XdV7JP4j83C8H7XOPBLUNc9+0F4Yd9nchq8WAwj/jIa4boMpSC4a4CtKUKf\n N9tWRq81KcJgdzUQtpcboJQeMKRfTvZsOEctaiL9B3I2Y6Fs7HmzPQzJ3B/EVEfW+GAr\n k5nVPr+5LOMM+M/wgiOC1fCTicvAkoYlxvDjLDFZf97LP28SeyWMpsU56jqqZZ+DLxMa\n 4obhMlucQ0cO78uV0VpB09pvQU8Nierhboxr+VNOY4O2dwYwJ6HzZVmZsMeOAniWYfmI\n Z5s9i91nor0jjs5Hf5YvQGWmHZ+1/5DP+SxeRZpO8Qgrhute2DdOTbbBPq8TTKyFObBY\n IRPw==","X-Gm-Message-State":"AOJu0Yx48U4RE3GBVzDz3gLniVoHV7D6LbjI1rTAG8FMh85xQrk0xYom\n Y37cNieIPyTHe+1MRQrX6u4eCJSCAPHzX2ru3At7Mut8JcmZg8oE2WkIts3CcoJ/Z8gQ7VRNSCq\n 4rmWSzzw284PzOSCL7XDysNmFA6n5mdHlv5qjn/4ZPQ==","X-Gm-Gg":"AeBDiet49Nutk6tYzcZL8jWAfPiMoGc+MfsKxVQuP7at0PRlx13CXUSRDJi1c02srOR\n 3uj37Lkc3Nup/kAZe9coIgSrGeOQrhlp8E7DAUj8l8bHSwYzSgBjukI9KJJ/1fVhh6HbUA98itT\n iqdDOAwK/hTxKSoSOdQnwavpZuYPIQuN0sb+WLWcT3v3uwfr7QXx2OpvWbgUfIwNwNleUVO2T4q\n TvZFEhHU/3pj0xjVyP8By4oiDEFoyjBcR99qtAUg9XIrg+Le7iONUQUfX36dkdyLvNFOWHECFEO\n 0Sz0IEJvBPJZnNvF0Cv/4RZTZcOHi+HYExGjMyZuP4QH3X3BFA1lSgD1Qy4JzDu/yliRYhdUVUN\n /rg==","X-Received":"by 2002:a05:690e:4091:b0:657:a0f4:ac7b with SMTP id\n 956f58d0204a3-65bff4263d9mr2028601d50.34.1777467347695; Wed, 29 Apr 2026\n 05:55:47 -0700 (PDT)","MIME-Version":"1.0","References":"<20260429122845.2119072-1-physicalmtea@gmail.com>","In-Reply-To":"<20260429122845.2119072-1-physicalmtea@gmail.com>","From":"Peter Maydell <peter.maydell@linaro.org>","Date":"Wed, 29 Apr 2026 13:55:34 +0100","X-Gm-Features":"AVHnY4KaeB9L-D9V76cFF0OT_CHNlLnwjglyxnEfzHvm20Q7xDJxEAcTxBwiNsw","Message-ID":"\n <CAFEAcA_DnrvSCVY3f2q=3OnXt0+708BcwSJ=KhMn1t3sbbXQbg@mail.gmail.com>","Subject":"Re: [PATCH] hw/cxl: bound remaining Set Feature writes","To":"Jia Jia <physicalmtea@gmail.com>","Cc":"qemu-devel@nongnu.org, jonathan.cameron@huawei.com, fan.ni@samsung.com,\n farosas@suse.de, lvivier@redhat.com, pbonzini@redhat.com","Content-Type":"text/plain; 
charset=\"UTF-8\"","Received-SPF":"pass client-ip=2607:f8b0:4864:20::b12a;\n envelope-from=peter.maydell@linaro.org; helo=mail-yx1-xb12a.google.com","X-Spam_score_int":"-20","X-Spam_score":"-2.1","X-Spam_bar":"--","X-Spam_report":"(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"}}]
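The defect the commit message above describes is a missing bound on a mailbox write into a fixed-size write-attribute object. The following C program is an added example, not QEMU code and not the submitted patch: it shows the unbounded pattern beside a bounded handler, and takes up Peter's point about repetition by driving the check from one table of (object offset, object size) entries instead of repeating it in every feature branch. Everything in it is an assumption for illustration: the feature ids, the three-byte request header, the attribute struct layouts, the status names (stand-ins for CXL_MBOX_*), and the 2016-byte maximum, which is only borrowed from the ASan report's write size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes standing in for QEMU's CXL_MBOX_* values. */
enum sf_status { SF_SUCCESS = 0, SF_INVALID_PAYLOAD_LENGTH, SF_UNSUPPORTED };

/* Constructed request layout: [feature_id][offset lo][offset hi][data...].
 * A real Set Feature input also carries a UUID, flags and a version byte. */
enum { FEAT_PATROL_SCRUB = 0, FEAT_RANK_SPARING = 1, FEAT_COUNT };
#define SF_HDR_LEN 3
#define MBOX_PAYLOAD_MAX 2016   /* assumed mailbox payload limit */

/* Fixed-size write-attribute objects; fields and sizes are assumptions. */
struct patrol_scrub_attrs { uint8_t flags; uint8_t cycle_hrs; uint8_t min_cycle_hrs; };
struct sparing_attrs { uint8_t flags; uint8_t channel; uint8_t rank; uint8_t bank;
                       uint32_t row; uint16_t column; };

struct device {
    struct patrol_scrub_attrs patrol_scrub;
    struct sparing_attrs rank_sparing;
    uint8_t canary[16];   /* placed after the attrs so an overrun would show up */
};

/* BEFORE: trusts the payload length, so a full mailbox payload overruns the
 * small attribute object. Compiled for comparison only; never called here. */
static enum sf_status set_feature_unbounded(struct device *dev, const uint8_t *p, size_t len)
{
    if (len < SF_HDR_LEN) return SF_INVALID_PAYLOAD_LENGTH;
    uint16_t offset = (uint16_t)(p[1] | (p[2] << 8));
    if (p[0] != FEAT_RANK_SPARING) return SF_UNSUPPORTED;
    memcpy((uint8_t *)&dev->rank_sparing + offset, p + SF_HDR_LEN, len - SF_HDR_LEN);
    return SF_SUCCESS;
}

/* AFTER: one table entry per feature, so the bound check is written once. */
struct feature_slot { size_t dev_off; size_t size; };
static const struct feature_slot feature_table[FEAT_COUNT] = {
    [FEAT_PATROL_SCRUB] = { offsetof(struct device, patrol_scrub), sizeof(struct patrol_scrub_attrs) },
    [FEAT_RANK_SPARING] = { offsetof(struct device, rank_sparing), sizeof(struct sparing_attrs) },
};

static enum sf_status set_feature_bounded(struct device *dev, const uint8_t *p, size_t len)
{
    if (len < SF_HDR_LEN || len > MBOX_PAYLOAD_MAX) return SF_INVALID_PAYLOAD_LENGTH;
    uint8_t id = p[0];
    uint16_t offset = (uint16_t)(p[1] | (p[2] << 8));
    size_t data_len = len - SF_HDR_LEN;
    if (id >= FEAT_COUNT) return SF_UNSUPPORTED;
    size_t size = feature_table[id].size;
    /* Reject before copying: the offset must lie inside the object and the data
     * must fit after it. Comparing data_len against (size - offset) avoids
     * forming offset + data_len, which could wrap with wider operands. */
    if (offset > size || data_len > size - offset) return SF_INVALID_PAYLOAD_LENGTH;
    memcpy((uint8_t *)dev + feature_table[id].dev_off + offset, p + SF_HDR_LEN, data_len);
    return SF_SUCCESS;
}

/* Build a request into buf; returns the total length, or 0 if it does not fit. */
static size_t build_request(uint8_t *buf, size_t cap, uint8_t id, uint16_t offset,
                            const uint8_t *data, size_t data_len)
{
    if (cap < SF_HDR_LEN || data_len > cap - SF_HDR_LEN) return 0;
    buf[0] = id; buf[1] = (uint8_t)offset; buf[2] = (uint8_t)(offset >> 8);
    if (data_len) memcpy(buf + SF_HDR_LEN, data, data_len);
    return SF_HDR_LEN + data_len;
}

/* Send one constructed request to a fresh device through the bounded handler.
 * Returns the status; *canary_ok reports whether the bytes past the attrs survived. */
static enum sf_status try_write(uint8_t id, uint16_t offset, size_t data_len, int *canary_ok)
{
    static uint8_t req[MBOX_PAYLOAD_MAX], data[MBOX_PAYLOAD_MAX];
    struct device dev;
    memset(&dev, 0, sizeof dev);
    memset(dev.canary, 0xA5, sizeof dev.canary);
    memset(data, 0xFF, sizeof data);
    size_t len = build_request(req, sizeof req, id, offset, data, data_len);
    if (!len) return SF_INVALID_PAYLOAD_LENGTH;   /* larger than the mailbox itself */
    enum sf_status st = set_feature_bounded(&dev, req, len);
    int ok = 1;
    for (size_t i = 0; i < sizeof dev.canary; i++) ok &= dev.canary[i] == 0xA5;
    if (canary_ok) *canary_ok = ok;
    return st;
}

int main(void)
{
    int ok = 0;
    (void)set_feature_unbounded;   /* kept only as the "before" for comparison */
    enum sf_status st = try_write(FEAT_RANK_SPARING, 0, MBOX_PAYLOAD_MAX - SF_HDR_LEN, &ok);
    printf("full payload to rank_sparing: status %d, canary %s\n", st, ok ? "intact" : "clobbered");
    return 0;
}
```

The table also gives a natural place for a new feature type: adding a row is the whole change, and the check cannot be forgotten for that branch. The test in a real device model would still want a qtest like the one the commit message mentions, driving the actual mailbox register path rather than calling the handler directly.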