All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] cxl/mbox: Break poison list loop on an empty payload
@ 2026-07-09 15:57 Dave Jiang
  2026-07-09 16:08 ` sashiko-bot
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Dave Jiang @ 2026-07-09 15:57 UTC (permalink / raw)
  To: linux-cxl; +Cc: djbw, dave, jic23, alison.schofield, vishal.l.verma

A device that returns count == 0 with CXL_POISON_FLAG_MORE set on every
iteration never advances nr_records, so the max_errors guard never
trips and the do/while loops forever while holding poison.mutex. That
hangs the sysfs-triggered scan thread and blocks all subsequent poison
operations on the device. The existing "Protect against an uncleared
_FLAG_MORE" guard was intended to bound a misbehaving device but does
not cover the count == 0 case.

Stop the loop on an empty payload so a malfunctioning or malicious
device cannot wedge the poison scan.

Link: https://sashiko.dev/#/patchset/20260702090849.47501-1-icheng@nvidia.com?part=3
Fixes: ed83f7ca398b ("cxl/mbox: Add GET_POISON_LIST mailbox command")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
---
 drivers/cxl/core/mbox.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c
index 7c6c5b7450a5..c09fae2cae9f 100644
--- a/drivers/cxl/core/mbox.c
+++ b/drivers/cxl/core/mbox.c
@@ -1455,6 +1455,11 @@ int cxl_mem_get_poison(struct cxl_memdev *cxlmd, u64 offset, u64 len,
 		if (rc)
 			break;
 
+		if (!le16_to_cpu(po->count)) {
+			dev_dbg(&cxlmd->dev, "Poison empty payload!\n");
+			break;
+		}
+
 		for (int i = 0; i < le16_to_cpu(po->count); i++)
 			trace_cxl_poison(cxlmd, cxlr, &po->record[i],
 					 po->flags, po->overflow_ts,

base-commit: 8cdeaa50eae8dad34885515f62559ee83e7e8dda
-- 
2.54.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] cxl/mbox: Break poison list loop on an empty payload
  2026-07-09 15:57 [PATCH] cxl/mbox: Break poison list loop on an empty payload Dave Jiang
@ 2026-07-09 16:08 ` sashiko-bot
  2026-07-14  2:37 ` Alison Schofield
  2026-07-14 16:51 ` Dave Jiang
  2 siblings, 0 replies; 4+ messages in thread
From: sashiko-bot @ 2026-07-09 16:08 UTC (permalink / raw)
  To: Dave Jiang; +Cc: linux-cxl

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Out-of-bounds read of kernel memory due to unvalidated `po->count` from device payload.
--

--- Patch [1]: [PATCH] cxl/mbox: Break poison list loop on an empty payload ---
commit bae9e2badcecd54aec9a327464ba99a57b005a54
Author: Dave Jiang <dave.jiang@intel.com>
cxl/mbox: Break poison list loop on an empty payload

This commit prevents an infinite loop when a device returns count == 0
with CXL_POISON_FLAG_MORE set by breaking the poison list loop on an
empty payload.

Link: https://sashiko.dev/#/patchset/20260702090849.47501-1-icheng@nvidia.com?part=3

> diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c
> --- a/drivers/cxl/core/mbox.c
> +++ b/drivers/cxl/core/mbox.c
[ ... ]
> @@ -1455,6 +1455,11 @@ int cxl_mem_get_poison(struct cxl_memdev *cxlmd, u64 offset, u64 len,
>  		if (rc)
>  			break;
>  
> +		if (!le16_to_cpu(po->count)) {
> +			dev_dbg(&cxlmd->dev, "Poison empty payload!\n");
> +			break;
> +		}
> +
>  		for (int i = 0; i < le16_to_cpu(po->count); i++)
>  			trace_cxl_poison(cxlmd, cxlr, &po->record[i],

[Severity: High]
This is a pre-existing issue, but does this loop blindly trust the device
provided count without validating it against the actual payload size?

If a malicious or malfunctioning device returns a small payload but
specifies a large po->count, iterating up to le16_to_cpu(po->count) could
read out of bounds of the allocated cxl_mbox->payload_size. The
unvalidated memory is then passed to trace_cxl_poison().

Could we add a bounds check in cxl_mem_get_poison() to ensure the payload
actually contains the expected number of records?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260709155714.1893280-1-dave.jiang@intel.com?part=1

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] cxl/mbox: Break poison list loop on an empty payload
  2026-07-09 15:57 [PATCH] cxl/mbox: Break poison list loop on an empty payload Dave Jiang
  2026-07-09 16:08 ` sashiko-bot
@ 2026-07-14  2:37 ` Alison Schofield
  2026-07-14 16:51 ` Dave Jiang
  2 siblings, 0 replies; 4+ messages in thread
From: Alison Schofield @ 2026-07-14  2:37 UTC (permalink / raw)
  To: Dave Jiang; +Cc: linux-cxl, djbw, dave, jic23, vishal.l.verma

On Thu, Jul 09, 2026 at 08:57:14AM -0700, Dave Jiang wrote:
> A device that returns count == 0 with CXL_POISON_FLAG_MORE set on every
> iteration never advances nr_records, so the max_errors guard never
> trips and the do/while loops forever while holding poison.mutex. That
> hangs the sysfs-triggered scan thread and blocks all subsequent poison
> operations on the device. The existing "Protect against an uncleared
> _FLAG_MORE" guard was intended to bound a misbehaving device but does
> not cover the count == 0 case.
> 
> Stop the loop on an empty payload so a malfunctioning or malicious
> device cannot wedge the poison scan.


I'm guessing Sashiko's new pre-existing complaint will appear as
a new patch in the future, so for this one, let's get it merged:

Reviewed-by: Alison Schofield <alison.schofield@intel.com>


> 
> Link: https://sashiko.dev/#/patchset/20260702090849.47501-1-icheng@nvidia.com?part=3
> Fixes: ed83f7ca398b ("cxl/mbox: Add GET_POISON_LIST mailbox command")
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Dave Jiang <dave.jiang@intel.com>
> ---
>  drivers/cxl/core/mbox.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c
> index 7c6c5b7450a5..c09fae2cae9f 100644
> --- a/drivers/cxl/core/mbox.c
> +++ b/drivers/cxl/core/mbox.c
> @@ -1455,6 +1455,11 @@ int cxl_mem_get_poison(struct cxl_memdev *cxlmd, u64 offset, u64 len,
>  		if (rc)
>  			break;
>  
> +		if (!le16_to_cpu(po->count)) {
> +			dev_dbg(&cxlmd->dev, "Poison empty payload!\n");
> +			break;
> +		}
> +
>  		for (int i = 0; i < le16_to_cpu(po->count); i++)
>  			trace_cxl_poison(cxlmd, cxlr, &po->record[i],
>  					 po->flags, po->overflow_ts,
> 
> base-commit: 8cdeaa50eae8dad34885515f62559ee83e7e8dda
> -- 
> 2.54.0
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] cxl/mbox: Break poison list loop on an empty payload
  2026-07-09 15:57 [PATCH] cxl/mbox: Break poison list loop on an empty payload Dave Jiang
  2026-07-09 16:08 ` sashiko-bot
  2026-07-14  2:37 ` Alison Schofield
@ 2026-07-14 16:51 ` Dave Jiang
  2 siblings, 0 replies; 4+ messages in thread
From: Dave Jiang @ 2026-07-14 16:51 UTC (permalink / raw)
  To: linux-cxl; +Cc: djbw, dave, jic23, alison.schofield, vishal.l.verma



On 7/9/26 8:57 AM, Dave Jiang wrote:
> A device that returns count == 0 with CXL_POISON_FLAG_MORE set on every
> iteration never advances nr_records, so the max_errors guard never
> trips and the do/while loops forever while holding poison.mutex. That
> hangs the sysfs-triggered scan thread and blocks all subsequent poison
> operations on the device. The existing "Protect against an uncleared
> _FLAG_MORE" guard was intended to bound a misbehaving device but does
> not cover the count == 0 case.
> 
> Stop the loop on an empty payload so a malfunctioning or malicious
> device cannot wedge the poison scan.
> 
> Link: https://sashiko.dev/#/patchset/20260702090849.47501-1-icheng@nvidia.com?part=3
> Fixes: ed83f7ca398b ("cxl/mbox: Add GET_POISON_LIST mailbox command")
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Dave Jiang <dave.jiang@intel.com>

Applied to cxl/next
8b301c4afbce


> ---
>  drivers/cxl/core/mbox.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c
> index 7c6c5b7450a5..c09fae2cae9f 100644
> --- a/drivers/cxl/core/mbox.c
> +++ b/drivers/cxl/core/mbox.c
> @@ -1455,6 +1455,11 @@ int cxl_mem_get_poison(struct cxl_memdev *cxlmd, u64 offset, u64 len,
>  		if (rc)
>  			break;
>  
> +		if (!le16_to_cpu(po->count)) {
> +			dev_dbg(&cxlmd->dev, "Poison empty payload!\n");
> +			break;
> +		}
> +
>  		for (int i = 0; i < le16_to_cpu(po->count); i++)
>  			trace_cxl_poison(cxlmd, cxlr, &po->record[i],
>  					 po->flags, po->overflow_ts,
> 
> base-commit: 8cdeaa50eae8dad34885515f62559ee83e7e8dda


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-07-14 16:51 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-09 15:57 [PATCH] cxl/mbox: Break poison list loop on an empty payload Dave Jiang
2026-07-09 16:08 ` sashiko-bot
2026-07-14  2:37 ` Alison Schofield
2026-07-14 16:51 ` Dave Jiang

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.