All of lore.kernel.org
 help / color / mirror / Atom feed
From: Richard Cheng <icheng@nvidia.com>
To: dave@stgolabs.net, jic23@kernel.org, dave.jiang@intel.com,
	alison.schofield@intel.com, vishal.l.verma@intel.com,
	djbw@kernel.org, danwilliams@nvidia.com
Cc: iweiny@kernel.org, ming.li@zohomail.com, gourry@gourry.net,
	rrichter@amd.com, linux-cxl@vger.kernel.org,
	linux-kernel@vger.kernel.org, kees@kernel.org,
	newtonl@nvidia.com, kristinc@nvidia.com, mochs@nvidia.com,
	kaihengf@nvidia.com, kobak@nvidia.com,
	Richard Cheng <icheng@nvidia.com>
Subject: [PATCH 0/3] cxl: Sashiko bug fixes
Date: Tue, 30 Jun 2026 15:46:54 +0800	[thread overview]
Message-ID: <20260630074657.43077-1-icheng@nvidia.com> (raw)

Three independent, pre-existing bugs in the CXL core, reported by sashiko.

Patch 1: Get/Set Feature stored offset + transfer-size into a 16-bit
field via cpu_to_le16() with no bounds check, so a large offset/count
from the fwctl interface silently wrapped and steered the device to the
wrong feature offset. Reject offset + size > U16_MAX up front.

Patch 2: cxl_get_poison_unmapped() aborted its whole partition sweep on
the first fully-mapped partition, silently skipping unmapped poison in
all later partitions. Skip that partition instead.

Patch 3: the same function tolerated the -EFAULT a RAM partition returns
for Get Poison List but left it in rc, so a benign fault on the last
scanned partition surfaced as a spurious read failure. Clear rc, as
poison_by_decoder() already does.

Richard Cheng (3):
  cxl/features: Reject feature offset that overflows 16-bit field
  cxl/region: Scan all partitions for unmapped poison
  cxl/region: Don't leak tolerated RAM -EFAULT from unmapped poison scan

 drivers/cxl/core/features.c | 6 ++++++
 drivers/cxl/core/region.c   | 6 ++++--
 2 files changed, 10 insertions(+), 2 deletions(-)


base-commit: dc59e4fea9d83f03bad6bddf3fa2e52491777482
-- 
2.43.0


             reply	other threads:[~2026-06-30  7:47 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-30  7:46 Richard Cheng [this message]
2026-06-30  7:46 ` [PATCH 1/3] cxl/features: Reject feature offset that overflows 16-bit field Richard Cheng
2026-06-30  8:14   ` sashiko-bot
2026-06-30  9:46     ` Richard Cheng
2026-06-30 15:54   ` Dave Jiang
2026-07-02  8:15     ` Richard Cheng
2026-07-06 16:52       ` Dave Jiang
2026-06-30  7:46 ` [PATCH 2/3] cxl/region: Scan all partitions for unmapped poison Richard Cheng
2026-06-30 15:56   ` Dave Jiang
2026-07-01  4:48   ` Alison Schofield
2026-06-30  7:46 ` [PATCH 3/3] cxl/region: Don't leak tolerated RAM -EFAULT from unmapped poison scan Richard Cheng
2026-06-30 10:00   ` sashiko-bot
2026-06-30 16:04   ` Dave Jiang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260630074657.43077-1-icheng@nvidia.com \
    --to=icheng@nvidia.com \
    --cc=alison.schofield@intel.com \
    --cc=danwilliams@nvidia.com \
    --cc=dave.jiang@intel.com \
    --cc=dave@stgolabs.net \
    --cc=djbw@kernel.org \
    --cc=gourry@gourry.net \
    --cc=iweiny@kernel.org \
    --cc=jic23@kernel.org \
    --cc=kaihengf@nvidia.com \
    --cc=kees@kernel.org \
    --cc=kobak@nvidia.com \
    --cc=kristinc@nvidia.com \
    --cc=linux-cxl@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=ming.li@zohomail.com \
    --cc=mochs@nvidia.com \
    --cc=newtonl@nvidia.com \
    --cc=rrichter@amd.com \
    --cc=vishal.l.verma@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.