Linux CXL
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: alejandro.lucero-palau@amd.com
Cc: linux-cxl@vger.kernel.org
Subject: Re: [RFC PATCH v1 1/1] acpi/hmat: preserve hmat_adist_nb notifier block
Date: Tue, 30 Jun 2026 13:51:51 +0000	[thread overview]
Message-ID: <20260630135151.D07021F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260630143507.30193-2-alejandro.lucero-palau@amd.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Integer overflow during the ACPI HMAT locality table size calculation bypasses bounds checking and allows out-of-bounds memory reads.
--

commit 69d5452dda77c729836d9ff08f4b38f9cff8d91b
Author: Alejandro Lucero <alucerop@amd.com>

acpi/hmat: preserve hmat_adist_nb notifier block

Remove __meminitdata from hmat_adist_nb declaration preserving it even
when CONFIG_MEMORY_HOTPLUG is not set. Otherwise further notifier
registrations using register_mt_adistance_algorithm() will find a
notifier chain likely corrupted. This is the case when a CXL Type2
driver will load after kernel initialization and a CXL region created from
its committed HDM decoders registers an mt_adistance_algorithm notifier.

> diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c
> index 9792dc3947561..3006789ae31fe 100644
> --- a/drivers/acpi/numa/hmat.c
> +++ b/drivers/acpi/numa/hmat.c

[ ... ]

[Severity: High]
This is a pre-existing issue, but I noticed a regression where an integer
overflow during the ACPI HMAT locality table size calculation could bypass
bounds checking.

When parsing the locality table, total_size is declared as a 32-bit unsigned
integer:

drivers/acpi/numa/hmat.c:hmat_parse_locality() {
	...
	unsigned int init, targ, total_size, ipds, tpds;
	...
	ipds = hmat_loc->number_of_initiator_Pds;
	tpds = hmat_loc->number_of_target_Pds;
	total_size = sizeof(*hmat_loc) + sizeof(*entries) * ipds * tpds +
		     sizeof(*inits) * ipds + sizeof(*targs) * tpds;
	if (hmat_loc->header.length < total_size) {
		pr_notice("Unexpected locality header length:%u, minimum required:%u\n",
			 hmat_loc->header.length, total_size);
		return -EINVAL;
	}
	...

If abnormally large values are provided for ipds and tpds, could the
intermediate arithmetic be truncated when assigned to total_size?

If this wraps around 32-bit boundaries, wouldn't it result in a small
total_size that bypasses the hmat_loc->header.length check?

Later loops use the unbounded ipds and tpds variables:

drivers/acpi/numa/hmat.c:hmat_parse_locality() {
	...
	for (init = 0; init < ipds; init++) {
		alloc_memory_initiator(inits[init]);
		for (targ = 0; targ < tpds; targ++) {
			value = hmat_normalize(entries[init * tpds + targ],
					       hmat_loc->entry_base_unit,
					       type);
	...
}

Does this lead to out-of-bounds memory reads if the total_size calculation
overflows?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260630143507.30193-1-alejandro.lucero-palau@amd.com?part=1

  reply	other threads:[~2026-06-30 13:51 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-30 14:35 [RFC PATCH v1 0/1] Fix hmat_adist_nb for coming CXL Type2 alejandro.lucero-palau
2026-06-30 14:35 ` [RFC PATCH v1 1/1] acpi/hmat: preserve hmat_adist_nb notifier block alejandro.lucero-palau
2026-06-30 13:51   ` sashiko-bot [this message]
2026-06-30 16:18   ` Dave Jiang
2026-07-02  7:20   ` Richard Cheng
2026-07-06  6:57     ` Alejandro Lucero Palau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260630135151.D07021F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=alejandro.lucero-palau@amd.com \
    --cc=linux-cxl@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox