All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dave Jiang <dave.jiang@intel.com>
To: Richard Cheng <icheng@nvidia.com>
Cc: dave@stgolabs.net, jic23@kernel.org, alison.schofield@intel.com,
	vishal.l.verma@intel.com, djbw@kernel.org,
	danwilliams@nvidia.com, iweiny@kernel.org, ming.li@zohomail.com,
	gourry@gourry.net, rrichter@amd.com, linux-cxl@vger.kernel.org,
	linux-kernel@vger.kernel.org, kees@kernel.org,
	newtonl@nvidia.com, kristinc@nvidia.com, mochs@nvidia.com,
	kaihengf@nvidia.com, kobak@nvidia.com
Subject: Re: [PATCH 1/3] cxl/features: Reject feature offset that overflows 16-bit field
Date: Mon, 6 Jul 2026 09:52:53 -0700	[thread overview]
Message-ID: <de755f91-4d2b-4a47-945a-b8f360a6c4a1@intel.com> (raw)
In-Reply-To: <akYddc2XRTz7Jywh@MWDK4CY14F>



On 7/2/26 1:15 AM, Richard Cheng wrote:
> On Tue, Jun 30, 2026 at 08:54:29AM +0800, Dave Jiang wrote:
>>
>>
>> On 6/30/26 12:46 AM, Richard Cheng wrote:
>>> cxl_get_feature() and cxl_set_feature() build the mailbox command's
>>> offset as cpu_to_le16(offset + data_rcvd_size/data_sent_size), but never
>>> check the sum fits in the 16-bit field. Via fwctl, a user-supplied
>>> offset plus count/op_size summing over 65535 silently wraps, steering
>>> the device to the wrong feature offset.
>>>
>>> Fixes: 5e5ac21f629d ("cxl/mbox: Add GET_FEATURE mailbox command")
>>> Fixes: 14d502cc2718 ("cxl/mbox: Add SET_FEATURE mailbox command")
>>> Signed-off-by: Richard Cheng <icheng@nvidia.com>
>>> ---
>>>  drivers/cxl/core/features.c | 6 ++++++
>>>  1 file changed, 6 insertions(+)
>>>
>>> diff --git a/drivers/cxl/core/features.c b/drivers/cxl/core/features.c
>>> index 85185af46b72..db5964ea184f 100644
>>> --- a/drivers/cxl/core/features.c
>>> +++ b/drivers/cxl/core/features.c
>>> @@ -237,6 +237,9 @@ size_t cxl_get_feature(struct cxl_mailbox *cxl_mbox, const uuid_t *feat_uuid,
>>>  	if (!feat_out || !feat_out_size)
>>>  		return 0;
>>>  
>>> +	if (offset + feat_out_size > U16_MAX)
>>> +		return 0;
>>
>> Should this return -EINVAL?
>>
> 
> I don't think so, the function's signature is size_t cxl_get_feature() , it returns the number
> of bytes received from the device, not an errno.
> If you really want this we need to change the signature.
> 
> But I agree that we shouldn't silently fail here, maybe move the check into cxlctl_get_feature()
> and return ERR_PTR(-EINVAL) ? would that work for you ?

We definitely do not want to silently fail. Given that the function has more than one checks that can fail, not sure if pulling this up is the right way to go. Also it gets called numerous times in core/edac.c. We can either change the return to ssize_t or return SIZE_MAX? Will need to fix up all the calling sites in cxl_edac code though. 

DJ

> 
> Btw, for sashiko-bot's review, I think it stands, I'll send v2 with the fix.
> 
> --Richard
>  
>>> +
>>>  	size_out = min(feat_out_size, cxl_mbox->payload_size);
>>>  	uuid_copy(&pi.uuid, feat_uuid);
>>>  	pi.selection = selection;
>>> @@ -287,6 +290,9 @@ int cxl_set_feature(struct cxl_mailbox *cxl_mbox,
>>>  	if (return_code)
>>>  		*return_code = CXL_MBOX_CMD_RC_INPUT;
>>>  
>>> +	if (offset + feat_data_size > U16_MAX)
>>> +		return -EINVAL;
>>> +
>>>  	struct cxl_mbox_set_feat_in *pi __free(kfree) =
>>>  			kzalloc(cxl_mbox->payload_size, GFP_KERNEL);
>>>  	if (!pi)
>>


  reply	other threads:[~2026-07-06 16:52 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-30  7:46 [PATCH 0/3] cxl: Sashiko bug fixes Richard Cheng
2026-06-30  7:46 ` [PATCH 1/3] cxl/features: Reject feature offset that overflows 16-bit field Richard Cheng
2026-06-30  8:14   ` sashiko-bot
2026-06-30  9:46     ` Richard Cheng
2026-06-30 15:54   ` Dave Jiang
2026-07-02  8:15     ` Richard Cheng
2026-07-06 16:52       ` Dave Jiang [this message]
2026-06-30  7:46 ` [PATCH 2/3] cxl/region: Scan all partitions for unmapped poison Richard Cheng
2026-06-30 15:56   ` Dave Jiang
2026-07-01  4:48   ` Alison Schofield
2026-06-30  7:46 ` [PATCH 3/3] cxl/region: Don't leak tolerated RAM -EFAULT from unmapped poison scan Richard Cheng
2026-06-30 10:00   ` sashiko-bot
2026-06-30 16:04   ` Dave Jiang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=de755f91-4d2b-4a47-945a-b8f360a6c4a1@intel.com \
    --to=dave.jiang@intel.com \
    --cc=alison.schofield@intel.com \
    --cc=danwilliams@nvidia.com \
    --cc=dave@stgolabs.net \
    --cc=djbw@kernel.org \
    --cc=gourry@gourry.net \
    --cc=icheng@nvidia.com \
    --cc=iweiny@kernel.org \
    --cc=jic23@kernel.org \
    --cc=kaihengf@nvidia.com \
    --cc=kees@kernel.org \
    --cc=kobak@nvidia.com \
    --cc=kristinc@nvidia.com \
    --cc=linux-cxl@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=ming.li@zohomail.com \
    --cc=mochs@nvidia.com \
    --cc=newtonl@nvidia.com \
    --cc=rrichter@amd.com \
    --cc=vishal.l.verma@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.