* [PATCH] cxl/mbox: Break poison list loop on an empty payload
@ 2026-07-09 15:57 Dave Jiang
2026-07-09 16:08 ` sashiko-bot
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Dave Jiang @ 2026-07-09 15:57 UTC (permalink / raw)
To: linux-cxl; +Cc: djbw, dave, jic23, alison.schofield, vishal.l.verma
A device that returns count == 0 with CXL_POISON_FLAG_MORE set on every
iteration never advances nr_records, so the max_errors guard never
trips and the do/while loops forever while holding poison.mutex. That
hangs the sysfs-triggered scan thread and blocks all subsequent poison
operations on the device. The existing "Protect against an uncleared
_FLAG_MORE" guard was intended to bound a misbehaving device but does
not cover the count == 0 case.
Stop the loop on an empty payload so a malfunctioning or malicious
device cannot wedge the poison scan.
Link: https://sashiko.dev/#/patchset/20260702090849.47501-1-icheng@nvidia.com?part=3
Fixes: ed83f7ca398b ("cxl/mbox: Add GET_POISON_LIST mailbox command")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
---
drivers/cxl/core/mbox.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c
index 7c6c5b7450a5..c09fae2cae9f 100644
--- a/drivers/cxl/core/mbox.c
+++ b/drivers/cxl/core/mbox.c
@@ -1455,6 +1455,11 @@ int cxl_mem_get_poison(struct cxl_memdev *cxlmd, u64 offset, u64 len,
if (rc)
break;
+ if (!le16_to_cpu(po->count)) {
+ dev_dbg(&cxlmd->dev, "Poison empty payload!\n");
+ break;
+ }
+
for (int i = 0; i < le16_to_cpu(po->count); i++)
trace_cxl_poison(cxlmd, cxlr, &po->record[i],
po->flags, po->overflow_ts,
base-commit: 8cdeaa50eae8dad34885515f62559ee83e7e8dda
--
2.54.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] cxl/mbox: Break poison list loop on an empty payload
2026-07-09 15:57 [PATCH] cxl/mbox: Break poison list loop on an empty payload Dave Jiang
@ 2026-07-09 16:08 ` sashiko-bot
2026-07-14 2:37 ` Alison Schofield
2026-07-14 16:51 ` Dave Jiang
2 siblings, 0 replies; 4+ messages in thread
From: sashiko-bot @ 2026-07-09 16:08 UTC (permalink / raw)
To: Dave Jiang; +Cc: linux-cxl
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Out-of-bounds read of kernel memory due to unvalidated `po->count` from device payload.
--
--- Patch [1]: [PATCH] cxl/mbox: Break poison list loop on an empty payload ---
commit bae9e2badcecd54aec9a327464ba99a57b005a54
Author: Dave Jiang <dave.jiang@intel.com>
cxl/mbox: Break poison list loop on an empty payload
This commit prevents an infinite loop when a device returns count == 0
with CXL_POISON_FLAG_MORE set by breaking the poison list loop on an
empty payload.
Link: https://sashiko.dev/#/patchset/20260702090849.47501-1-icheng@nvidia.com?part=3
> diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c
> --- a/drivers/cxl/core/mbox.c
> +++ b/drivers/cxl/core/mbox.c
[ ... ]
> @@ -1455,6 +1455,11 @@ int cxl_mem_get_poison(struct cxl_memdev *cxlmd, u64 offset, u64 len,
> if (rc)
> break;
>
> + if (!le16_to_cpu(po->count)) {
> + dev_dbg(&cxlmd->dev, "Poison empty payload!\n");
> + break;
> + }
> +
> for (int i = 0; i < le16_to_cpu(po->count); i++)
> trace_cxl_poison(cxlmd, cxlr, &po->record[i],
[Severity: High]
This is a pre-existing issue, but does this loop blindly trust the device
provided count without validating it against the actual payload size?
If a malicious or malfunctioning device returns a small payload but
specifies a large po->count, iterating up to le16_to_cpu(po->count) could
read out of bounds of the allocated cxl_mbox->payload_size. The
unvalidated memory is then passed to trace_cxl_poison().
Could we add a bounds check in cxl_mem_get_poison() to ensure the payload
actually contains the expected number of records?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260709155714.1893280-1-dave.jiang@intel.com?part=1
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] cxl/mbox: Break poison list loop on an empty payload
2026-07-09 15:57 [PATCH] cxl/mbox: Break poison list loop on an empty payload Dave Jiang
2026-07-09 16:08 ` sashiko-bot
@ 2026-07-14 2:37 ` Alison Schofield
2026-07-14 16:51 ` Dave Jiang
2 siblings, 0 replies; 4+ messages in thread
From: Alison Schofield @ 2026-07-14 2:37 UTC (permalink / raw)
To: Dave Jiang; +Cc: linux-cxl, djbw, dave, jic23, vishal.l.verma
On Thu, Jul 09, 2026 at 08:57:14AM -0700, Dave Jiang wrote:
> A device that returns count == 0 with CXL_POISON_FLAG_MORE set on every
> iteration never advances nr_records, so the max_errors guard never
> trips and the do/while loops forever while holding poison.mutex. That
> hangs the sysfs-triggered scan thread and blocks all subsequent poison
> operations on the device. The existing "Protect against an uncleared
> _FLAG_MORE" guard was intended to bound a misbehaving device but does
> not cover the count == 0 case.
>
> Stop the loop on an empty payload so a malfunctioning or malicious
> device cannot wedge the poison scan.
I'm guessing Sashiko's new pre-existing complaint will appear as
a new patch in the future, so for this one, let's get it merged:
Reviewed-by: Alison Schofield <alison.schofield@intel.com>
>
> Link: https://sashiko.dev/#/patchset/20260702090849.47501-1-icheng@nvidia.com?part=3
> Fixes: ed83f7ca398b ("cxl/mbox: Add GET_POISON_LIST mailbox command")
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Dave Jiang <dave.jiang@intel.com>
> ---
> drivers/cxl/core/mbox.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c
> index 7c6c5b7450a5..c09fae2cae9f 100644
> --- a/drivers/cxl/core/mbox.c
> +++ b/drivers/cxl/core/mbox.c
> @@ -1455,6 +1455,11 @@ int cxl_mem_get_poison(struct cxl_memdev *cxlmd, u64 offset, u64 len,
> if (rc)
> break;
>
> + if (!le16_to_cpu(po->count)) {
> + dev_dbg(&cxlmd->dev, "Poison empty payload!\n");
> + break;
> + }
> +
> for (int i = 0; i < le16_to_cpu(po->count); i++)
> trace_cxl_poison(cxlmd, cxlr, &po->record[i],
> po->flags, po->overflow_ts,
>
> base-commit: 8cdeaa50eae8dad34885515f62559ee83e7e8dda
> --
> 2.54.0
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] cxl/mbox: Break poison list loop on an empty payload
2026-07-09 15:57 [PATCH] cxl/mbox: Break poison list loop on an empty payload Dave Jiang
2026-07-09 16:08 ` sashiko-bot
2026-07-14 2:37 ` Alison Schofield
@ 2026-07-14 16:51 ` Dave Jiang
2 siblings, 0 replies; 4+ messages in thread
From: Dave Jiang @ 2026-07-14 16:51 UTC (permalink / raw)
To: linux-cxl; +Cc: djbw, dave, jic23, alison.schofield, vishal.l.verma
On 7/9/26 8:57 AM, Dave Jiang wrote:
> A device that returns count == 0 with CXL_POISON_FLAG_MORE set on every
> iteration never advances nr_records, so the max_errors guard never
> trips and the do/while loops forever while holding poison.mutex. That
> hangs the sysfs-triggered scan thread and blocks all subsequent poison
> operations on the device. The existing "Protect against an uncleared
> _FLAG_MORE" guard was intended to bound a misbehaving device but does
> not cover the count == 0 case.
>
> Stop the loop on an empty payload so a malfunctioning or malicious
> device cannot wedge the poison scan.
>
> Link: https://sashiko.dev/#/patchset/20260702090849.47501-1-icheng@nvidia.com?part=3
> Fixes: ed83f7ca398b ("cxl/mbox: Add GET_POISON_LIST mailbox command")
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Applied to cxl/next
8b301c4afbce
> ---
> drivers/cxl/core/mbox.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c
> index 7c6c5b7450a5..c09fae2cae9f 100644
> --- a/drivers/cxl/core/mbox.c
> +++ b/drivers/cxl/core/mbox.c
> @@ -1455,6 +1455,11 @@ int cxl_mem_get_poison(struct cxl_memdev *cxlmd, u64 offset, u64 len,
> if (rc)
> break;
>
> + if (!le16_to_cpu(po->count)) {
> + dev_dbg(&cxlmd->dev, "Poison empty payload!\n");
> + break;
> + }
> +
> for (int i = 0; i < le16_to_cpu(po->count); i++)
> trace_cxl_poison(cxlmd, cxlr, &po->record[i],
> po->flags, po->overflow_ts,
>
> base-commit: 8cdeaa50eae8dad34885515f62559ee83e7e8dda
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-07-14 16:51 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-09 15:57 [PATCH] cxl/mbox: Break poison list loop on an empty payload Dave Jiang
2026-07-09 16:08 ` sashiko-bot
2026-07-14 2:37 ` Alison Schofield
2026-07-14 16:51 ` Dave Jiang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.