Linux CXL
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Richard Cheng" <icheng@nvidia.com>
Cc: linux-cxl@vger.kernel.org
Subject: Re: [PATCH v3 3/5] cxl/region: Don't leak tolerated RAM -EFAULT from unmapped poison scan
Date: Wed, 08 Jul 2026 07:53:44 +0000	[thread overview]
Message-ID: <20260708075345.7A5F61F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260708074228.43654-4-icheng@nvidia.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [High] Unbounded infinite loop in cxl_mem_get_poison() if the device returns 0 records but leaves FLAG_MORE set.
- [Medium] cxl_get_poison_by_memdev() does not abort on failure, silently overwriting earlier errors if subsequent partitions succeed.
--

--- Patch [3]: [PATCH v3 3/5] cxl/region: Don't leak tolerated RAM -EFAULT from unmapped poison scan ---
commit 9b48fd52ca70c063c7f4e5fc8516877eba1fee39
Author: Richard Cheng <icheng@nvidia.com>

cxl/region: Don't leak tolerated RAM -EFAULT from unmapped poison scan

cxl_get_poison_unmapped() tolerates the -EFAULT a RAM partition returns
for Get Poison List by skipping that partition, but left rc holding the
error. Reset rc to 0 when tolerating the fault, matching poison_by_decoder().

> diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c
> index be246fb09c999..52ba8e9e42885 100644
> --- a/drivers/cxl/core/region.c
> +++ b/drivers/cxl/core/region.c
> @@ -2933,8 +2933,10 @@ static int cxl_get_poison_unmapped(struct cxl_memdev *cxlmd,
>  		if (!length)
>  			continue;
>  		rc = cxl_mem_get_poison(cxlmd, offset, length, NULL);
> -		if (rc == -EFAULT && cxlds->part[i].mode == CXL_PARTMODE_RAM)
> +		if (rc == -EFAULT && cxlds->part[i].mode == CXL_PARTMODE_RAM) {
> +			rc = 0;
>  			continue;
> +		}
>  		if (rc)
>  			break;
>  	}

While reviewing this change, I noticed a couple of related pre-existing
issues in other poison handling functions:

drivers/cxl/core/memdev.c:cxl_get_poison_by_memdev()

> 		rc = cxl_mem_get_poison(cxlmd, offset, length, NULL);
> 		/*
> 		 * Invalid Physical Address is not an error for
> 		 * volatile addresses. Device support is optional.
> 		 */
> 		if (rc == -EFAULT && cxlds->part[i].mode == CXL_PARTMODE_RAM)
> 			rc = 0;
> 	}
> 	return rc;

[Severity: Medium]
This is a pre-existing issue, but does cxl_get_poison_by_memdev() overwrite
previous error codes?

If an early partition fails (for example, returning -EIO) but a subsequent
partition succeeds, the loop lacks an if (rc) break; check. The rc variable
is overwritten with 0, masking the earlier failure from userspace.


drivers/cxl/core/mbox.c:cxl_mem_get_poison()

> 		nr_records = nr_records + le16_to_cpu(po->count);
> 		if (nr_records >= mds->poison.max_errors) {
> 			dev_dbg(&cxlmd->dev, "Max Error Records reached: %d\n",
> 				nr_records);
> 			break;
> 		}
> 	} while (po->flags & CXL_POISON_FLAG_MORE);

[Severity: High]
This is a pre-existing issue, but can this loop in cxl_mem_get_poison()
spin infinitely?

If a hardware device returns a payload with po->count == 0 and the
CXL_POISON_FLAG_MORE flag set, nr_records won't increment. The safety bound
nr_records >= mds->poison.max_errors is never reached, which could cause a
kernel hang while holding mds->poison.mutex.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260708074228.43654-1-icheng@nvidia.com?part=3

  reply	other threads:[~2026-07-08  7:53 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-08  7:42 [PATCH v3 0/5] cxl: Sashiko bug fixes Richard Cheng
2026-07-08  7:42 ` [PATCH v3 1/5] cxl/features: Reject feature offset that overflows 16-bit field Richard Cheng
2026-07-08  7:58   ` sashiko-bot
2026-07-08  7:42 ` [PATCH v3 2/5] cxl/region: Scan all partitions for unmapped poison Richard Cheng
2026-07-08  7:42 ` [PATCH v3 3/5] cxl/region: Don't leak tolerated RAM -EFAULT from unmapped poison scan Richard Cheng
2026-07-08  7:53   ` sashiko-bot [this message]
2026-07-08  7:42 ` [PATCH v3 4/5] cxl/region: Start unmapped poison scan at the committed decoder boundary Richard Cheng
2026-07-08  7:58   ` sashiko-bot
2026-07-08  7:42 ` [PATCH v3 5/5] cxl/memdev: Don't overwrite the error from an earlier partition poison query Richard Cheng
2026-07-08  7:55   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260708075345.7A5F61F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=icheng@nvidia.com \
    --cc=linux-cxl@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox