All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Dave Jiang" <dave.jiang@intel.com>
Cc: linux-cxl@vger.kernel.org
Subject: Re: [PATCH] cxl/mbox: Break poison list loop on an empty payload
Date: Thu, 09 Jul 2026 16:08:21 +0000	[thread overview]
Message-ID: <20260709160822.284991F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260709155714.1893280-1-dave.jiang@intel.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Out-of-bounds read of kernel memory due to unvalidated `po->count` from device payload.
--

--- Patch [1]: [PATCH] cxl/mbox: Break poison list loop on an empty payload ---
commit bae9e2badcecd54aec9a327464ba99a57b005a54
Author: Dave Jiang <dave.jiang@intel.com>
cxl/mbox: Break poison list loop on an empty payload

This commit prevents an infinite loop when a device returns count == 0
with CXL_POISON_FLAG_MORE set by breaking the poison list loop on an
empty payload.

Link: https://sashiko.dev/#/patchset/20260702090849.47501-1-icheng@nvidia.com?part=3

> diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c
> --- a/drivers/cxl/core/mbox.c
> +++ b/drivers/cxl/core/mbox.c
[ ... ]
> @@ -1455,6 +1455,11 @@ int cxl_mem_get_poison(struct cxl_memdev *cxlmd, u64 offset, u64 len,
>  		if (rc)
>  			break;
>  
> +		if (!le16_to_cpu(po->count)) {
> +			dev_dbg(&cxlmd->dev, "Poison empty payload!\n");
> +			break;
> +		}
> +
>  		for (int i = 0; i < le16_to_cpu(po->count); i++)
>  			trace_cxl_poison(cxlmd, cxlr, &po->record[i],

[Severity: High]
This is a pre-existing issue, but does this loop blindly trust the device
provided count without validating it against the actual payload size?

If a malicious or malfunctioning device returns a small payload but
specifies a large po->count, iterating up to le16_to_cpu(po->count) could
read out of bounds of the allocated cxl_mbox->payload_size. The
unvalidated memory is then passed to trace_cxl_poison().

Could we add a bounds check in cxl_mem_get_poison() to ensure the payload
actually contains the expected number of records?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260709155714.1893280-1-dave.jiang@intel.com?part=1

  reply	other threads:[~2026-07-09 16:08 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-09 15:57 [PATCH] cxl/mbox: Break poison list loop on an empty payload Dave Jiang
2026-07-09 16:08 ` sashiko-bot [this message]
2026-07-14  2:37 ` Alison Schofield
2026-07-14 16:51 ` Dave Jiang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260709160822.284991F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dave.jiang@intel.com \
    --cc=linux-cxl@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.