All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Richard Cheng" <icheng@nvidia.com>
Cc: linux-cxl@vger.kernel.org
Subject: Re: [PATCH v3 3/5] cxl/region: Don't leak tolerated RAM -EFAULT from unmapped poison scan
Date: Wed, 08 Jul 2026 07:53:44 +0000	[thread overview]
Message-ID: <20260708075345.7A5F61F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260708074228.43654-4-icheng@nvidia.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [High] Unbounded infinite loop in cxl_mem_get_poison() if the device returns 0 records but leaves FLAG_MORE set.
- [Medium] cxl_get_poison_by_memdev() does not abort on failure, silently overwriting earlier errors if subsequent partitions succeed.
--

--- Patch [3]: [PATCH v3 3/5] cxl/region: Don't leak tolerated RAM -EFAULT from unmapped poison scan ---
commit 9b48fd52ca70c063c7f4e5fc8516877eba1fee39
Author: Richard Cheng <icheng@nvidia.com>

cxl/region: Don't leak tolerated RAM -EFAULT from unmapped poison scan

cxl_get_poison_unmapped() tolerates the -EFAULT a RAM partition returns
for Get Poison List by skipping that partition, but left rc holding the
error. Reset rc to 0 when tolerating the fault, matching poison_by_decoder().

> diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c
> index be246fb09c999..52ba8e9e42885 100644
> --- a/drivers/cxl/core/region.c
> +++ b/drivers/cxl/core/region.c
> @@ -2933,8 +2933,10 @@ static int cxl_get_poison_unmapped(struct cxl_memdev *cxlmd,
>  		if (!length)
>  			continue;
>  		rc = cxl_mem_get_poison(cxlmd, offset, length, NULL);
> -		if (rc == -EFAULT && cxlds->part[i].mode == CXL_PARTMODE_RAM)
> +		if (rc == -EFAULT && cxlds->part[i].mode == CXL_PARTMODE_RAM) {
> +			rc = 0;
>  			continue;
> +		}
>  		if (rc)
>  			break;
>  	}

While reviewing this change, I noticed a couple of related pre-existing
issues in other poison handling functions:

drivers/cxl/core/memdev.c:cxl_get_poison_by_memdev()

> 		rc = cxl_mem_get_poison(cxlmd, offset, length, NULL);
> 		/*
> 		 * Invalid Physical Address is not an error for
> 		 * volatile addresses. Device support is optional.
> 		 */
> 		if (rc == -EFAULT && cxlds->part[i].mode == CXL_PARTMODE_RAM)
> 			rc = 0;
> 	}
> 	return rc;

[Severity: Medium]
This is a pre-existing issue, but does cxl_get_poison_by_memdev() overwrite
previous error codes?

If an early partition fails (for example, returning -EIO) but a subsequent
partition succeeds, the loop lacks an if (rc) break; check. The rc variable
is overwritten with 0, masking the earlier failure from userspace.


drivers/cxl/core/mbox.c:cxl_mem_get_poison()

> 		nr_records = nr_records + le16_to_cpu(po->count);
> 		if (nr_records >= mds->poison.max_errors) {
> 			dev_dbg(&cxlmd->dev, "Max Error Records reached: %d\n",
> 				nr_records);
> 			break;
> 		}
> 	} while (po->flags & CXL_POISON_FLAG_MORE);

[Severity: High]
This is a pre-existing issue, but can this loop in cxl_mem_get_poison()
spin infinitely?

If a hardware device returns a payload with po->count == 0 and the
CXL_POISON_FLAG_MORE flag set, nr_records won't increment. The safety bound
nr_records >= mds->poison.max_errors is never reached, which could cause a
kernel hang while holding mds->poison.mutex.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260708074228.43654-1-icheng@nvidia.com?part=3

  reply	other threads:[~2026-07-08  7:53 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-08  7:42 [PATCH v3 0/5] cxl: Sashiko bug fixes Richard Cheng
2026-07-08  7:42 ` [PATCH v3 1/5] cxl/features: Reject feature offset that overflows 16-bit field Richard Cheng
2026-07-08  7:58   ` sashiko-bot
2026-07-08  7:42 ` [PATCH v3 2/5] cxl/region: Scan all partitions for unmapped poison Richard Cheng
2026-07-08  7:42 ` [PATCH v3 3/5] cxl/region: Don't leak tolerated RAM -EFAULT from unmapped poison scan Richard Cheng
2026-07-08  7:53   ` sashiko-bot [this message]
2026-07-08  7:42 ` [PATCH v3 4/5] cxl/region: Start unmapped poison scan at the committed decoder boundary Richard Cheng
2026-07-08  7:58   ` sashiko-bot
2026-07-08  7:42 ` [PATCH v3 5/5] cxl/memdev: Don't overwrite the error from an earlier partition poison query Richard Cheng
2026-07-08  7:55   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260708075345.7A5F61F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=icheng@nvidia.com \
    --cc=linux-cxl@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.