[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH] hw/cxl: Fix read from bogus memory
|
From: |
Ira Weiny |
|
Subject: |
[PATCH] hw/cxl: Fix read from bogus memory |
|
Date: |
Fri, 31 May 2024 11:22:05 -0500 |
Peter and coverity report:
We've passed '&data' to address_space_write(), which means "read
from the address on the stack where the function argument 'data'
lives", so instead of writing 64 bytes of data to the guest ,
we'll write 64 bytes which start with a host pointer value and
then continue with whatever happens to be on the host stack
after that.
Indeed the intention was to write 64 bytes of data at the address given.
Fix the parameter to address_space_write().
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Link:
CAFEAcA-u4sytGwTKsb__Y+_+0O2-WwARntm3x8WNhvL1WfHOBg@mail.gmail.com/">https://lore.kernel.org/all/CAFEAcA-u4sytGwTKsb__Y+_+0O2-WwARntm3x8WNhvL1WfHOBg@mail.gmail.com/
Fixes: 6bda41a69bdc ("hw/cxl: Add clear poison mailbox command support.")
Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ira Weiny <ira.weiny@intel.com>
---
Compile tested only. Jonathan please double check me.
---
hw/mem/cxl_type3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
index 3e42490b6ce8..582412d9925f 100644
--- a/hw/mem/cxl_type3.c
+++ b/hw/mem/cxl_type3.c
@@ -1025,7 +1025,7 @@ static bool set_cacheline(CXLType3Dev *ct3d, uint64_t
dpa_offset, uint8_t *data)
as = &ct3d->hostpmem_as;
}
- address_space_write(as, dpa_offset, MEMTXATTRS_UNSPECIFIED, &data,
+ address_space_write(as, dpa_offset, MEMTXATTRS_UNSPECIFIED, data,
CXL_CACHE_LINE_SIZE);
return true;
}
---
base-commit: 3b2fe44bb7f605f179e5e7feb2c13c2eb3abbb80
change-id: 20240531-fix-poison-set-cacheline-e32bc1e74b27
Best regards,
--
Ira Weiny <ira.weiny@intel.com>
- [PATCH] hw/cxl: Fix read from bogus memory,
Ira Weiny <=