Re: [PATCH v28 5/5] sfc: support pio mapping based on cxl

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: alejandro.lucero-palau@amd.com
Cc: linux-cxl@vger.kernel.org
Subject: Re: [PATCH v28 5/5] sfc: support pio mapping based on cxl
Date: Fri, 19 Jun 2026 17:24:45 +0000	[thread overview]
Message-ID: <20260619172445.74CC31F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260618181806.118745-6-alejandro.lucero-palau@amd.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Incorrect Address Calculation / Out-of-Bounds Memory Write in CXL PIO Buffer Mapping
--

commit 7aab6942f29d4c0369d1d6d644627cf376efd5b7
Author: Alejandro Lucero <alucerop@amd.com>

sfc: support pio mapping based on cxl

This commit introduces support for mapping PIO buffers via a CXL memory
region to lower transmit latency. It uses the CXL region to map the memory
range when a CXL device is successfully initialized.

> diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c
> index 7e04f115bbaaa..73bc064929f63 100644
> --- a/drivers/net/ethernet/sfc/ef10.c
> +++ b/drivers/net/ethernet/sfc/ef10.c
[ ... ]
> @@ -1263,8 +1273,23 @@ static int efx_ef10_dimension_resources(struct efx_nic *efx)
[ ... ]
> -	/* Set up the WC mapping if needed */
> -	if (wc_mem_map_size) {
> +	if (!wc_mem_map_size)
> +		goto skip_pio;
> +
> +	/* Set up the WC mapping */
> +
> +#ifdef CONFIG_SFC_CXL
> +	probe_data = container_of(efx, struct efx_probe_data, efx);
> +	if ((nic_data->datapath_caps3 &
> +	    (1 << MC_CMD_GET_CAPABILITIES_V7_OUT_CXL_CONFIG_ENABLE_LBN)) &&
> +	    probe_data->cxl_pio_initialised) {
> +		/* Using PIO through CXL mapping */
> +		nic_data->pio_write_base = probe_data->cxl->ctpio_cxl;

[Severity: Critical]
Does this assignment miss the VI stride and PIO buffer offsets?

In efx_ef10_dimension_resources(), the raw CXL memory base is assigned 
directly to pio_write_base. In the legacy path below, the base is adjusted
by the VI stride and PIO buffer offset:

nic_data->pio_write_base =
        nic_data->wc_membase +
        (pio_write_vi_base * efx->vi_stride + ER_DZ_TX_PIOBUF -
         uc_mem_map_size);

Without these adjustments in the CXL path, subsequent PIO buffer address
computations seem to resolve to offset 0 of the VI, which corresponds to
the hardware doorbell registers like ER_DZ_TX_DESC_UPD.

Could this cause untrusted network packet payloads to be written directly
into the active RX/TX doorbell registers instead of the PIO buffer area?

> +		nic_data->pio_write_vi_base = pio_write_vi_base;
> +	} else
> +#endif
> +	{
> +		/* Using legacy PIO BAR mapping */
>  		nic_data->wc_membase = ioremap_wc(efx->membase_phys +
>  						  uc_mem_map_size,
>  						  wc_mem_map_size);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260618181806.118745-1-alejandro.lucero-palau@amd.com?part=5

     prev parent reply	other threads:[~2026-06-19 17:24 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-18 18:18 [PATCH v28 0/5] Type2 device basic support alejandro.lucero-palau
2026-06-18 18:18 ` [PATCH v28 1/5] sfc: add cxl support alejandro.lucero-palau
2026-06-19 13:12   ` Edward Cree
2026-06-19 17:24   ` sashiko-bot
2026-06-18 18:18 ` [PATCH v28 2/5] cxl/sfc: Map cxl regs alejandro.lucero-palau
2026-06-19 13:14   ` Edward Cree
2026-06-19 17:24   ` sashiko-bot
2026-06-18 18:18 ` [PATCH v28 3/5] cxl/sfc: Initialize dpa without a mailbox alejandro.lucero-palau
2026-06-19 13:15   ` Edward Cree
2026-06-19 17:24   ` sashiko-bot
2026-06-18 18:18 ` [PATCH v28 4/5] sfc: obtain and map cxl range using devm_cxl_probe_mem alejandro.lucero-palau
2026-06-18 23:05   ` Dave Jiang
2026-06-19 13:20   ` Edward Cree
2026-06-19 17:24   ` sashiko-bot
2026-06-18 18:18 ` [PATCH v28 5/5] sfc: support pio mapping based on cxl alejandro.lucero-palau
2026-06-18 23:06   ` Dave Jiang
2026-06-19 13:23   ` Edward Cree
2026-06-19 17:24   ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260619172445.74CC31F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=alejandro.lucero-palau@amd.com \
    --cc=linux-cxl@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.