From: Dave Jiang <dave.jiang@intel.com>
To: linux-acpi@vger.kernel.org, linux-cxl@vger.kernel.org
Cc: rafael@kernel.org, tony.luck@intel.com, bp@alien8.de,
guohanjun@huawei.com, mchehab@kernel.org,
xueshuai@linux.alibaba.com, terry.bowman@amd.com,
Ben Cheatham <benjamin.cheatham@amd.com>
Subject: [PATCH v3 00/10] ACPI: APEI: GHES: Collection of fixes for issues reported by sashiko
Date: Fri, 17 Jul 2026 09:16:37 -0700 [thread overview]
Message-ID: <20260717161647.1493259-1-dave.jiang@intel.com> (raw)
A collection of fixes for pre-existing issues reported by sashiko-bot while
reviewing patches.
The v1 posting fixed a first batch of these issues, and v2 grew the set as
sashiko-bot's review surfaced more problems in the same CPER/extlog paths.
sashiko-bot's review of v2 flagged yet more of the same class of bug in
neighbouring code, so v3 adds those as well: an out-of-range section length
that defeats cper_estatus_check(), the same unvalidated AER buffer handling
in ghes_handle_aer() that was already fixed for extlog, and an unbounded
walk of the extlog record.
1/10: Bound the CXL event record copy to the firmware section length.
2/10: Reject CPER records with an out-of-range error_data_length.
3/10: Validate the CXL protocol error section length before the RAS cap copy.
4/10: Avoid populating software AER metadata from the raw hardware buffer.
5/10: Validate the PCIe error section length before payload access.
6/10: Fix the CONFIG_ACPI_APEI_PCIEAER guard typo in extlog.c.
7/10: Defer CXL protocol error handling to avoid a lock inversion.
8/10: Validate the memory error section length before payload access.
9/10: Bound the AER info copy and sanitize software metadata in ghes.c.
10/10: Validate the extlog record length before walking sections.
Note patch 2 touches drivers/firmware/efi/cper.c; it closes the length
validation hole at the shared choke point that the per-section guards in the
rest of the series rely on.
sashiko-bot's review of v2 also flagged a few related issues that are not
addressed here because they live in other subsystems.
- cxl_cper_print_prot_err() in drivers/firmware/efi/cper_cxl.c uses the
firmware-controlled dvsec_len without bounding it against the section
length.
- cxl_rch_get_aer_info() in drivers/cxl/core/ras_rch.c reads the RCH AER
capability from MMIO into a struct aer_capability_regs without clearing
the software-only header_len/flit fields, the same class of issue as
patches 4 and 9.
v1: https://lore.kernel.org/linux-cxl/20260709162807.1957783-1-dave.jiang@intel.com/
v2: https://lore.kernel.org/linux-cxl/20260714231835.303081-1-dave.jiang@intel.com/
Changes since v2
----------------
- Dropped the standalone spin_lock_irqsave() change; it is a separate issue
being handled by Terry Bowman.
- New patch 2: reject a section whose error_data_length is out of range in
cper_estatus_check(), closing the signed-int overflow that let a crafted
section bypass the check and defeat the per-caller size guards (sashiko).
- New patch 9: apply the same AER buffer sanitization to ghes_handle_aer()
that patch 4 applies to extlog (sashiko).
- New patch 10: bound the extlog record and run cper_estatus_check() before
walking its sections, which extlog did not do (sashiko).
- Patch 8: move the memory error length check into ghes_do_proc() so the
report chain and arch reporter are covered too, and bound against the
older UEFI 2.1/2.2 layout rather than the full struct (sashiko).
- Reordered so the extlog PCIe path is hardened, and the CXL protocol error
handling is deferred to the workqueue, before the typo fix that activates
that code.
Changes since v1
----------------
- See the v2 posting for the full v1 -> v2 changelog.
Dave Jiang (10):
ACPI: APEI: GHES: Bound CXL event record copy to the firmware section
length
efi/cper: Reject CPER records with an out-of-range error_data_length
ACPI: APEI: GHES: Validate CXL protocol error section length before
RAS cap copy
ACPI: extlog: Avoid populating software AER metadata from raw hardware
buffer
ACPI: extlog: Validate PCIe error section length before payload access
ACPI: extlog: Defer CXL protocol error handling to avoid lock
inversion
ACPI: extlog: Fix CONFIG_ACPI_APEI_PCIEAER guard typo
ACPI: APEI: GHES: Validate memory error section length before payload
access
ACPI: APEI: GHES: Bound AER info copy and sanitize software metadata
ACPI: extlog: Validate elog record length before walking sections
drivers/acpi/acpi_extlog.c | 47 ++++++++++++-------------
drivers/acpi/apei/ghes.c | 59 +++++++++++++++++++++++++-------
drivers/acpi/apei/ghes_helpers.c | 21 +++++++++++-
drivers/firmware/efi/cper.c | 10 ++++++
include/acpi/ghes.h | 4 +++
include/cxl/event.h | 4 +--
6 files changed, 106 insertions(+), 39 deletions(-)
base-commit: a13c140cc289c0b7b3770bce5b3ad42ab35074aa
--
2.55.0
next reply other threads:[~2026-07-17 16:16 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-17 16:16 Dave Jiang [this message]
2026-07-17 16:16 ` [PATCH v3 01/10] ACPI: APEI: GHES: Bound CXL event record copy to the firmware section length Dave Jiang
2026-07-17 17:09 ` sashiko-bot
2026-07-17 16:16 ` [PATCH v3 02/10] efi/cper: Reject CPER records with an out-of-range error_data_length Dave Jiang
2026-07-17 17:26 ` sashiko-bot
2026-07-17 16:16 ` [PATCH v3 03/10] ACPI: APEI: GHES: Validate CXL protocol error section length before RAS cap copy Dave Jiang
2026-07-17 17:41 ` sashiko-bot
2026-07-17 16:16 ` [PATCH v3 04/10] ACPI: extlog: Avoid populating software AER metadata from raw hardware buffer Dave Jiang
2026-07-17 17:58 ` sashiko-bot
2026-07-17 16:16 ` [PATCH v3 05/10] ACPI: extlog: Validate PCIe error section length before payload access Dave Jiang
2026-07-17 18:29 ` sashiko-bot
2026-07-17 16:16 ` [PATCH v3 06/10] ACPI: extlog: Defer CXL protocol error handling to avoid lock inversion Dave Jiang
2026-07-17 18:44 ` sashiko-bot
2026-07-17 16:16 ` [PATCH v3 07/10] ACPI: extlog: Fix CONFIG_ACPI_APEI_PCIEAER guard typo Dave Jiang
2026-07-17 19:07 ` sashiko-bot
2026-07-17 21:24 ` Dave Jiang
2026-07-17 16:16 ` [PATCH v3 08/10] ACPI: APEI: GHES: Validate memory error section length before payload access Dave Jiang
2026-07-17 19:23 ` sashiko-bot
2026-07-17 16:16 ` [PATCH v3 09/10] ACPI: APEI: GHES: Bound AER info copy and sanitize software metadata Dave Jiang
2026-07-17 19:39 ` sashiko-bot
2026-07-17 16:16 ` [PATCH v3 10/10] ACPI: extlog: Validate elog record length before walking sections Dave Jiang
2026-07-17 19:57 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260717161647.1493259-1-dave.jiang@intel.com \
--to=dave.jiang@intel.com \
--cc=benjamin.cheatham@amd.com \
--cc=bp@alien8.de \
--cc=guohanjun@huawei.com \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-cxl@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=rafael@kernel.org \
--cc=terry.bowman@amd.com \
--cc=tony.luck@intel.com \
--cc=xueshuai@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.