hw/cxl: Fix read from bogus memory

Peter and coverity report: We've passed '&data' to address_space_write(), which means "read from the address on the stack where the function argument 'data' lives", so instead of writing 64 bytes of data to the guest , we'll write 64 bytes which start with a host pointer value and then continue with whatever happens to be on the host stack after that. Indeed the intention was to write 64 bytes of data at the address given. Fix the parameter to address_space_write(). Reported-by: Peter Maydell <peter.maydell@linaro.org> Link: https://lore.kernel.org/all/CAFEAcA-u4sytGwTKsb__Y+_+0O2-WwARntm3x8WNhvL1WfHOBg@mail.gmail.com/ Fixes: 6bda41a69bdc ("hw/cxl: Add clear poison mailbox command support.") Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Ira Weiny <ira.weiny@intel.com> Message-Id: <20240531-fix-poison-set-cacheline-v1-1-e3bc7e8f1158@intel.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
2024-05-31 11:22:05 -05:00 · 2024-05-31 11:22:05 -05:00 · e6c9c9e7f4
commit e6c9c9e7f4
parent a113d041e8
1 changed files with 1 additions and 1 deletions
--- a/hw/mem/cxl_type3.c
+++ b/hw/mem/cxl_type3.c
@ -1292,7 +1292,7 @@ static bool set_cacheline(CXLType3Dev *ct3d, uint64_t dpa_offset, uint8_t *data)
        dpa_offset -= (vmr_size + pmr_size);
    }

-    address_space_write(as, dpa_offset, MEMTXATTRS_UNSPECIFIED, &data,
+    address_space_write(as, dpa_offset, MEMTXATTRS_UNSPECIFIED, data,
                        CXL_CACHE_LINE_SIZE);
    return true;
 }