From: sashiko-bot@kernel.org
To: "John Groves" <john@jagalactic.com>
Cc: linux-cxl@vger.kernel.org
Subject: Re: [PATCH V3 6/9] dax/fsdev: fail probe on invalid pgmap offset
Date: Sat, 30 May 2026 17:57:49 +0000 [thread overview]
Message-ID: <20260530175749.D22751F00898@smtp.kernel.org> (raw)
In-Reply-To: <0100019e79cbfeba-7b2cf549-f869-4572-bc78-b32ebf16eb7c-000000@email.amazonses.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Late Validation / Out-of-Bounds Memory Access
--
commit a9f4bec62b4b3e100b1ed11c3e4fa29bdbf57a95
Author: John Groves <John@Groves.net>
dax/fsdev: fail probe on invalid pgmap offset
This commit converts the WARN_ON when pgmap_phys > phys into a fatal error,
failing the probe with -EINVAL. This prevents the probe from continuing with
a misaligned virt_addr when the remapped region starts after the data region.
> diff --git a/drivers/dax/fsdev.c b/drivers/dax/fsdev.c
> index a2d2eb20fb4d0..aac0130ab2833 100644
> --- a/drivers/dax/fsdev.c
> +++ b/drivers/dax/fsdev.c
> @@ -310,8 +310,13 @@ static int fsdev_dax_probe(struct dev_dax *dev_dax)
> u64 phys = dev_dax->ranges[0].range.start;
> u64 pgmap_phys = dev_dax->pgmap[0].range.start;
>
> - if (!WARN_ON(pgmap_phys > phys))
> - data_offset = phys - pgmap_phys;
> + if (pgmap_phys > phys) {
> + dev_err(dev, "pgmap start %#llx exceeds data start %#llx\n",
> + pgmap_phys, phys);
> + rc = -EINVAL;
> + goto err_pgmap;
> + }
[Severity: High]
This is a pre-existing issue, but does adding this explicit validation check
here occur too late to prevent a kernel panic?
Looking at fsdev_dax_probe(), devm_memremap_pages() populates the vmemmap
starting at pgmap_phys. Just before this block, the code unconditionally
calls fsdev_clear_folio_state(), which iterates over dev_dax->ranges
starting at phys.
If pgmap_phys > phys (the invalid state checked here), phys falls before
the region where the vmemmap is populated. Accessing unpopulated memory
during the folio state cleanup would panic before we even reach this new
validation check.
Additionally, the devres cleanup action is registered immediately before
this check. If this new check fails and jumps to err_pgmap, the devres
unrolling will execute on the error path:
fsdev_dax_probe()
fsdev_clear_folio_state(dev_dax);
devm_add_action_or_reset(..., fsdev_clear_folio_state_action, ...);
if (pgmap_phys > phys) {
...
goto err_pgmap;
}
Would this trigger the unsafe memory access again during cleanup?
Should the validation of pgmap_phys vs phys be moved earlier in the probe
sequence, before clearing the folio state?
> + data_offset = phys - pgmap_phys;
>
> pr_debug("%s: offset detected phys=%llx pgmap_phys=%llx offset=%llx\n",
> __func__, phys, pgmap_phys, data_offset);
--
Sashiko AI review · https://sashiko.dev/#/patchset/0100019e79caead2-5795328c-af48-4a93-b147-c11df7446e1a-000000@email.amazonses.com?part=6
next prev parent reply other threads:[~2026-05-30 17:57 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260530164953.6578-1-john@jagalactic.com>
2026-05-30 16:50 ` [PATCH V3 0/9] Fixes to the previously-merged drivers/dax/fsdev series John Groves
2026-05-30 16:50 ` [PATCH V3 1/9] dax: fix misleading comment about share/index union in dax_folio_reset_order() John Groves
2026-06-01 21:51 ` Dave Jiang
2026-06-03 0:12 ` Alison Schofield
2026-05-30 16:50 ` [PATCH V3 2/9] dax/fsdev: fix multi-range offset in memory_failure handler John Groves
2026-05-30 17:13 ` sashiko-bot
2026-06-03 0:12 ` Alison Schofield
2026-06-03 0:17 ` Dave Jiang
2026-05-30 16:50 ` [PATCH V3 3/9] dax/fsdev: clear vmemmap_shift when binding static pgmap John Groves
2026-05-30 17:28 ` sashiko-bot
2026-06-01 22:06 ` Dave Jiang
2026-06-03 0:13 ` Alison Schofield
2026-05-30 16:50 ` [PATCH V3 4/9] dax/fsdev: clear dev_dax->pgmap on probe failure John Groves
2026-05-30 17:37 ` sashiko-bot
2026-06-01 23:10 ` Dave Jiang
2026-06-03 0:14 ` Alison Schofield
2026-05-30 16:51 ` [PATCH V3 5/9] dax/fsdev: use __va(phys) for kaddr in direct_access John Groves
2026-05-30 17:48 ` sashiko-bot
2026-06-01 23:24 ` Dave Jiang
2026-06-03 0:14 ` Alison Schofield
2026-05-30 16:51 ` [PATCH V3 6/9] dax/fsdev: fail probe on invalid pgmap offset John Groves
2026-05-30 17:57 ` sashiko-bot [this message]
2026-06-03 0:15 ` Alison Schofield
2026-05-30 16:51 ` [PATCH V3 7/9] dax: fix holder_ops race in fs_put_dax() John Groves
2026-05-30 18:08 ` sashiko-bot
2026-06-02 0:03 ` Dave Jiang
2026-05-30 16:51 ` [PATCH V3 8/9] dax: replace exported dax_dev_get() with non-allocating dax_dev_find() John Groves
2026-05-30 18:20 ` sashiko-bot
2026-06-02 0:13 ` Dave Jiang
2026-06-03 0:15 ` Alison Schofield
2026-05-30 16:51 ` [PATCH V3 9/9] dax: fsdev.c minor formatting cleanup John Groves
2026-06-03 0:16 ` Alison Schofield
2026-06-03 0:11 ` [PATCH V3 0/9] Fixes to the previously-merged drivers/dax/fsdev series Alison Schofield
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260530175749.D22751F00898@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=john@jagalactic.com \
--cc=linux-cxl@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.