From: "Dan Williams (nvidia)" <djbw@kernel.org>
To: Richard Cheng <icheng@nvidia.com>,
dave@stgolabs.net, jic23@kernel.org, dave.jiang@intel.com,
alison.schofield@intel.com, vishal.l.verma@intel.com,
ira.weiny@intel.com, djbw@kernel.org
Cc: shiju.jose@huawei.com, ming.li@zohomail.com, alucerop@amd.com,
linux-cxl@vger.kernel.org, linux-kernel@vger.kernel.org,
newtonl@nvidia.com, kristinc@nvidia.com, kaihengf@nvidia.com,
kobak@nvidia.com, Richard Cheng <icheng@nvidia.com>
Subject: Re: [PATCH] cxl/mbox: Bound the output payload allocation to mailbox payload size
Date: Tue, 16 Jun 2026 13:41:49 -0700 [thread overview]
Message-ID: <6a31b50d3d5da_9b855100d9@djbw-dev.notmuch> (raw)
In-Reply-To: <20260611094546.31496-1-icheng@nvidia.com>
Richard Cheng wrote:
> CXL_MEM_SEND_COMMAND bounds the user's in.size to the mailbox payload
> size but leaves out.size unbounded, then cxl_mbox_cmd_ctor() calls
> kvzalloc(out.size). A large out.size drives a huge allocation; above
> INT_MAX it WARNs and taints, and on a kernel with panic_on_warn=1 it
> will panic.
> The transport __cxl_pci_mbox_send_cmd() already clamps the response copy
> to min(out.size, payload_size, device len), so the bound buffer is never
> written beyond payload_size. Clamp the allocation to payload_size too,
> matching the RAW path.
Patch looks good, just comments on Fixes and formatting:
> With the following reproducer [1], we'll get error logs [2].
> [1]:
> """
[ .. snip reproducer, yes a new test would be welcome .. ]
> """
> [2]:
Trim reports to the relevant information, I usually drop timestamps and
all but the Call Trace:
> WARNING: mm/slub.c:6841 at __kvmalloc_node_noprof+0x534/0x818,
> CPU#131: cxl_repro_outsi/4668
> Tainted: [W]=WARN
> Call trace:
> __kvmalloc_node_noprof+0x534/0x818 (P)
> cxl_send_cmd+0x514/0x7e0
> cxl_memdev_ioctl+0x7c/0xe0
> __arm64_sys_ioctl+0x4a4/0xbc8
> invoke_syscall.constprop.0+0xac/0x100
> do_el0_svc+0x4c/0x100
> el0_svc+0x50/0x2b0
> el0t_64_sync_handler+0xc0/0x108
> el0t_64_sync+0x1b8/0x1c0
> ---[ end trace 0000000000000000 ]---
>
> Fixes: 4faf31b43468 ("cxl/mbox: Move mailbox and other non-PCI specific infrastructure to the core")
Looks like the correct Fixes would be:
Fixes: 583fa5e71cae ("cxl/mem: Add basic IOCTL interface")
...as unbounded input was mistakenly allowed from the outset.
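An added user-space model of the validation the commit message describes (example code written for this page, not the kernel's cxl_mbox_cmd_ctor(), the CXL transport code, or the patch itself): an input size larger than the mailbox payload is rejected outright, while a caller-supplied output size is clamped to the payload size before allocating, since the response copy never writes past that bound anyway. The names model_*, MODEL_PAYLOAD_SIZE (4096, a constructed value, not a CXL spec figure) and MODEL_HUGE_SIZE are assumptions for the example; the device response bytes are constructed inline.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed mailbox payload size for this model (not a CXL spec value). */
#define MODEL_PAYLOAD_SIZE 4096u
/* Constructed "huge" caller-supplied size, far above INT_MAX. */
#define MODEL_HUGE_SIZE ((uint64_t)1 << 40)

struct model_cmd {
	uint64_t in_size;   /* size as supplied by the caller */
	uint64_t out_size;  /* size as supplied by the caller */
	size_t alloc_len;   /* what was actually allocated for the response */
	uint8_t *out_buf;
};

/*
 * Model of the command constructor. Input larger than the mailbox payload
 * cannot be sent at all, so it is rejected with -EINVAL. Output is only ever
 * filled up to payload_size by the transport, so the allocation is clamped
 * to payload_size rather than rejected: a caller passing a large scratch
 * size keeps working, but the allocation can no longer be driven to an
 * arbitrary size.
 */
int model_cmd_ctor(struct model_cmd *cmd, uint64_t in_size, uint64_t out_size,
		   size_t payload_size)
{
	memset(cmd, 0, sizeof(*cmd));
	cmd->in_size = in_size;
	cmd->out_size = out_size;

	if (in_size > payload_size)
		return -EINVAL;

	cmd->alloc_len = out_size > payload_size ? payload_size
						 : (size_t)out_size;
	if (cmd->alloc_len) {
		cmd->out_buf = calloc(1, cmd->alloc_len);
		if (!cmd->out_buf)
			return -ENOMEM;
	}
	return 0;
}

void model_cmd_dtor(struct model_cmd *cmd)
{
	free(cmd->out_buf);
	cmd->out_buf = NULL;
	cmd->alloc_len = 0;
}

/*
 * Model of the transport's response copy: the number of bytes written is
 * min(allocated length, device-reported length), so the allocated buffer
 * is never overrun even when the device reports more data than fits.
 */
size_t model_copy_response(struct model_cmd *cmd, const uint8_t *dev_data,
			   size_t dev_len)
{
	size_t n = dev_len < cmd->alloc_len ? dev_len : cmd->alloc_len;

	if (n)
		memcpy(cmd->out_buf, dev_data, n);
	return n;
}

int main(void)
{
	struct model_cmd cmd;
	/* Constructed device response, larger than the payload size. */
	static uint8_t dev_data[2 * MODEL_PAYLOAD_SIZE];
	int rc;

	memset(dev_data, 0xa5, sizeof(dev_data));

	rc = model_cmd_ctor(&cmd, 0, MODEL_HUGE_SIZE, MODEL_PAYLOAD_SIZE);
	printf("huge out.size: rc=%d alloc_len=%zu\n", rc, cmd.alloc_len);
	printf("copied %zu bytes\n",
	       model_copy_response(&cmd, dev_data, sizeof(dev_data)));
	model_cmd_dtor(&cmd);

	rc = model_cmd_ctor(&cmd, MODEL_PAYLOAD_SIZE + 1, 0, MODEL_PAYLOAD_SIZE);
	printf("oversized in.size: rc=%d\n", rc);
	model_cmd_dtor(&cmd);
	return 0;
}
```

The asymmetry is the point of the model: input that cannot fit in the mailbox is an error, but an oversized output request is merely a caller asking for more room than the transport will ever fill, so clamping is the behaviour-preserving fix.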
Thread overview: 3+ messages
2026-06-11 9:45 [PATCH] cxl/mbox: Bound the output payload allocation to mailbox payload size Richard Cheng
2026-06-11 15:30 ` Dave Jiang
2026-06-16 20:41 ` Dan Williams (nvidia) [this message]