All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Alison Schofield" <alison.schofield@intel.com>
Cc: linux-cxl@vger.kernel.org
Subject: Re: [PATCH v2 1/3] cxl/hdm: Reject switch decoder interleave ways that overflow targets
Date: Wed, 15 Jul 2026 22:04:33 +0000	[thread overview]
Message-ID: <20260715220434.500451F000E9@smtp.kernel.org> (raw)
In-Reply-To: <0d7618c36e20bfda585699f8641d62928b23f6d5.1784150131.git.alison.schofield@intel.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [High] Extracting target IDs from the target list register assumes little-endian byte ordering, causing incorrect target mapping on big-endian architectures.
- [High] Failure during decoder initialization leaves `port->commit_end` in a dirty state, permanently breaking subsequent device probe attempts.
--

--- Patch [1]: [PATCH v2 1/3] cxl/hdm: Reject switch decoder interleave ways that overflow targets ---
commit 4660ad9cd44e7b73b9a24a494a4fb73e7c2f2eaa
Author: Alison Schofield <alison.schofield@intel.com>

cxl/hdm: Reject switch decoder interleave ways that overflow targets

Switch decoder enumeration validates that the interleave ways encoding
is legal, but not that the resulting number of ways fits the available
targets. This can overrun the target arrays during enumeration.

Link: https://sashiko.dev/#/patchset/20260711180755.1779002-1-alison.schofield@intel.com?part=1

> diff --git a/drivers/cxl/core/hdm.c b/drivers/cxl/core/hdm.c
> index 0c80b76a5f9b4..9f005f3193e2f 100644
> --- a/drivers/cxl/core/hdm.c
> +++ b/drivers/cxl/core/hdm.c

[ ... ]

> @@ -1084,6 +1086,30 @@ static int init_hdm_decoder(struct cxl_port *port, struct cxl_decoder *cxld,
>  		cxld->interleave_ways, cxld->interleave_granularity);
>  
>  	if (!cxled) {
> +		struct cxl_switch_decoder *cxlsd =
> +			to_cxl_switch_decoder(&cxld->dev);
> +
> +		if (!committed) {
> +			/* Ignore interleave ways until commit */
> +			cxld->interleave_ways = 1;
> +			return 0;
> +		}
> +
> +		if (cxld->interleave_ways > CXL_HDM_DECODER0_TL_TARGETS) {
> +			dev_err(&port->dev,
> +				"decoder%d.%d: interleave ways: %d exceeds target list capacity: %d\n",
> +				port->id, cxld->id, cxld->interleave_ways,
> +				CXL_HDM_DECODER0_TL_TARGETS);
> +			return -ENXIO;
> +		}
> +		if (cxld->interleave_ways > cxlsd->nr_targets) {
> +			dev_err(&port->dev,
> +				"decoder%d.%d: interleave ways: %d exceeds targets: %d\n",
> +				port->id, cxld->id, cxld->interleave_ways,
> +				cxlsd->nr_targets);
> +			return -ENXIO;
               ^^^^^^^^^^^^^^

[Severity: High]
This isn't a bug introduced by this patch, but will this early return leave
port->commit_end permanently modified?

Looking at init_hdm_decoder() earlier in the function, port->commit_end is
updated when the decoder is committed:

	if (committed) {
		...
		port->commit_end = cxld->id;
	}

If the initialization fails here due to exceeding hardware capacity, it returns
-ENXIO and aborts the port probe. However, port->commit_end is never reverted.

If the driver is re-probed, the next initialization attempt will falsely reject
the first decoder as 'Committed out of order'. This happens because
cxl_num_decoders_committed() uses the leaked commit_end state.

Should this error path revert port->commit_end before returning?

> +		}
> +
>  		lo = readl(hdm + CXL_HDM_DECODER0_TL_LOW(which));
>  		hi = readl(hdm + CXL_HDM_DECODER0_TL_HIGH(which));
>  		target_list.value = (hi << 32) + lo;
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[Severity: High]
This is a pre-existing issue, but does extracting target IDs from the target
list register using a union byte array overlay cause incorrect target mapping
on big-endian architectures?

When init_hdm_decoder() reads hardware registers TL_LOW and TL_HIGH, it
converts them to native CPU endianness via readl() and stores them in a native
64-bit integer.

The function then extracts target IDs using target_list.target_id[i]. On
big-endian systems, byte 0 is the most significant byte of the 64-bit value,
rather than the least significant byte.

This could route CXL transactions to the wrong switch ports.

Does this logic need to be adjusted to avoid endianness issues?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1784150131.git.alison.schofield@intel.com?part=1

  reply	other threads:[~2026-07-15 22:04 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-15 21:45 [PATCH v2 0/3] Harden HDM decoder enumeration Alison Schofield
2026-07-15 21:45 ` [PATCH v2 1/3] cxl/hdm: Reject switch decoder interleave ways that overflow targets Alison Schofield
2026-07-15 22:04   ` sashiko-bot [this message]
2026-07-15 21:45 ` [PATCH v2 2/3] cxl/hdm: Make switch decoder target parsing endian-safe Alison Schofield
2026-07-15 21:45 ` [PATCH v2 3/3] cxl/hdm: Restore commit_end when decoder enumeration fails Alison Schofield
2026-07-15 21:57   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260715220434.500451F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=alison.schofield@intel.com \
    --cc=linux-cxl@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.