Xen project Mailing List

Re: [PATCH 3/4] q35: Fix incorrect values for PCIEXBAR masks

To: Thierry Escande <thierry.escande@xxxxxxxxxx>

From: "Michael S. Tsirkin" <mst@xxxxxxxxxx>

Date: Sun, 24 May 2026 03:43:47 -0400

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=mimecast20190719 header.d=redhat.com header.i="@redhat.com" header.h="From:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:In-Reply-To:References"

Cc: qemu-devel@xxxxxxxxxx, Alexey Gerasimenko <x1917x@xxxxxxxxx>, Paolo Bonzini <pbonzini@xxxxxxxxxx>, Richard Henderson <richard.henderson@xxxxxxxxxx>, Eduardo Habkost <eduardo@xxxxxxxxxxx>, Anthony PERARD <anthony@xxxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Sun, 24 May 2026 07:44:23 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Mar 13, 2026 at 04:47:16PM +0000, Thierry Escande wrote: > From: Alexey Gerasimenko <x1917x@xxxxxxxxx> > > There are two small issues in PCIEXBAR address mask handling: > - wrong bit positions for address mask bits (see PCIEXBAR description > in Q35 datasheet) > - incorrect usage of 64ADR_MASK > > Due to this, attempting to write a valid PCIEXBAR address may cause it > to shift to another address, causing memory layout corruption where > emulated MMIO regions may overlap real (passed through) MMIO ranges. Fix > this by providing correct values. > > Signed-off-by: Alexey Gerasimenko <x1917x@xxxxxxxxx> > Signed-off-by: Thierry Escande <thierry.escande@xxxxxxxxxx> Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx> > --- > hw/pci-host/q35.c | 6 +++--- > include/hw/pci-host/q35.h | 4 ++-- > 2 files changed, 5 insertions(+), 5 deletions(-) > > diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c > index e85e4227b3..7368e3c598 100644 > --- a/hw/pci-host/q35.c > +++ b/hw/pci-host/q35.c > @@ -306,12 +306,12 @@ static void mch_update_pciexbar(MCHPCIState *mch) > break; > case MCH_HOST_BRIDGE_PCIEXBAR_LENGTH_128M: > length = 128 * 1024 * 1024; > - addr_mask |= MCH_HOST_BRIDGE_PCIEXBAR_128ADMSK | > - MCH_HOST_BRIDGE_PCIEXBAR_64ADMSK; > + addr_mask |= MCH_HOST_BRIDGE_PCIEXBAR_128ADMSK; > break; > case MCH_HOST_BRIDGE_PCIEXBAR_LENGTH_64M: > length = 64 * 1024 * 1024; > - addr_mask |= MCH_HOST_BRIDGE_PCIEXBAR_64ADMSK; > + addr_mask |= MCH_HOST_BRIDGE_PCIEXBAR_64ADMSK | > + MCH_HOST_BRIDGE_PCIEXBAR_128ADMSK; > break; > case MCH_HOST_BRIDGE_PCIEXBAR_LENGTH_RVD: > qemu_log_mask(LOG_GUEST_ERROR, "Q35: Reserved PCIEXBAR LENGTH\n"); > diff --git a/include/hw/pci-host/q35.h b/include/hw/pci-host/q35.h > index ddafc3f2e3..f31a71010b 100644 > --- a/include/hw/pci-host/q35.h > +++ b/include/hw/pci-host/q35.h > @@ -100,8 +100,8 @@ struct Q35PCIHost { > #define MCH_HOST_BRIDGE_PCIEXBAR_DEFAULT 0xb0000000 > #define MCH_HOST_BRIDGE_PCIEXBAR_MAX (0x10000000) /* 256M */ > #define MCH_HOST_BRIDGE_PCIEXBAR_ADMSK Q35_MASK(64, 35, 28) > -#define MCH_HOST_BRIDGE_PCIEXBAR_128ADMSK ((uint64_t)(1 << 26)) > -#define MCH_HOST_BRIDGE_PCIEXBAR_64ADMSK ((uint64_t)(1 << 25)) > +#define MCH_HOST_BRIDGE_PCIEXBAR_128ADMSK ((uint64_t)(1 << 27)) > +#define MCH_HOST_BRIDGE_PCIEXBAR_64ADMSK ((uint64_t)(1 << 26)) > #define MCH_HOST_BRIDGE_PCIEXBAR_LENGTH_MASK ((uint64_t)(0x3 << 1)) > #define MCH_HOST_BRIDGE_PCIEXBAR_LENGTH_256M ((uint64_t)(0x0 << 1)) > #define MCH_HOST_BRIDGE_PCIEXBAR_LENGTH_128M ((uint64_t)(0x1 << 1)) > -- > 2.51.0 > > > > -- > Thierry Escande | Vates XCP-ng Developer > > XCP-ng & Xen Orchestra - Vates solutions > > web: https://vates.tech

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.