Linux CXL
From: "Dan Williams (nvidia)" <djbw@kernel.org>
To: Richard Cheng <icheng@nvidia.com>,
	 dave@stgolabs.net,  jic23@kernel.org,  dave.jiang@intel.com,
	 alison.schofield@intel.com,  vishal.l.verma@intel.com,
	 ira.weiny@intel.com,  djbw@kernel.org
Cc: shiju.jose@huawei.com,  ming.li@zohomail.com,  alucerop@amd.com,
	 linux-cxl@vger.kernel.org,  linux-kernel@vger.kernel.org,
	 newtonl@nvidia.com,  kristinc@nvidia.com,  kaihengf@nvidia.com,
	 kobak@nvidia.com,  Richard Cheng <icheng@nvidia.com>
Subject: Re: [PATCH] cxl/mbox: Bound the output payload allocation to mailbox payload size
Date: Tue, 16 Jun 2026 13:41:49 -0700
Message-ID: <6a31b50d3d5da_9b855100d9@djbw-dev.notmuch>
In-Reply-To: <20260611094546.31496-1-icheng@nvidia.com>

Richard Cheng wrote:
> CXL_MEM_SEND_COMMAND bounds the user's in.size to the mailbox payload
> size but leaves out.size unbounded, then cxl_mbox_cmd_ctor() calls
> kvzalloc(out.size). A large out.size drives a huge allocation; above
> INT_MAX it WARNs and taints, and on a kernel with panic_on_warn=1 it
> will panic.
> The transport __cxl_pci_mbox_send_cmd() already clamps the response copy
> to min(out.size, payload_size, device len), so the bounded buffer is never
> written beyond payload_size. Clamp the allocation to payload_size too,
> matching the RAW path.

Patch looks good, just comments on Fixes and formatting:

> With the following reproducer [1], we'll get error logs [2].
> [1]:
> """
[ .. snip reproducer, yes a new test would be welcome .. ]
> """
> [2]:

Trim reports to the relevant information, I usually drop timestamps and
all but the Call Trace:

>   WARNING: mm/slub.c:6841 at __kvmalloc_node_noprof+0x534/0x818,
>   CPU#131: cxl_repro_outsi/4668
>    Tainted: [W]=WARN
>    Call trace:
>     __kvmalloc_node_noprof+0x534/0x818 (P)
>     cxl_send_cmd+0x514/0x7e0
>     cxl_memdev_ioctl+0x7c/0xe0
>     __arm64_sys_ioctl+0x4a4/0xbc8
>     invoke_syscall.constprop.0+0xac/0x100
>     do_el0_svc+0x4c/0x100
>     el0_svc+0x50/0x2b0
>     el0t_64_sync_handler+0xc0/0x108
>     el0t_64_sync+0x1b8/0x1c0
>    ---[ end trace 0000000000000000 ]---
> 
> Fixes: 4faf31b43468 ("cxl/mbox: Move mailbox and other non-PCI specific infrastructure to the core")

Looks like the correct Fixes would be:

Fixes: 583fa5e71cae ("cxl/mem: Add basic IOCTL interface")

...as unbounded input was mistakenly allowed from the outset.
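
A userspace model of the bound this thread discusses, added here as an illustration and not taken from the kernel or from the patch itself. MODEL_PAYLOAD_SIZE, the function names, the 64-byte constructed device response and the simplified allocation/transport paths are all assumptions of this model; the real driver reads the payload size from the device and uses its own helpers. The model shows the "before" request size (out.size passed straight to the allocator), the fixed request size (clamped to payload_size), and why the clamp is safe: the response copy is already limited to min(out.size, payload_size, device length), so a payload_size buffer is never written past its end.

```c
/* Userspace model of the CXL_MEM_SEND_COMMAND output-size bound.
 * Not kernel code: names, sizes and paths below are assumptions. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed mailbox payload size (2 MiB); the driver reads the real value. */
#define MODEL_PAYLOAD_SIZE ((size_t)2 << 20)

/* Constructed device response: 64 bytes of a recognisable pattern. */
#define MODEL_DEV_RESP_MAX 64
static const uint8_t *model_device_response(void)
{
	static uint8_t resp[MODEL_DEV_RESP_MAX];
	for (size_t i = 0; i < sizeof resp; i++)
		resp[i] = (uint8_t)(0xA0 + i);
	return resp;
}

/* "Before": in.size is checked against payload_size, but out.size is handed
 * to the allocator unchanged. Returns the requested size or -EINVAL. */
int64_t alloc_size_unbounded(uint32_t in_size, uint32_t out_size, size_t payload_size)
{
	if (in_size > payload_size)
		return -EINVAL;
	return (int64_t)out_size; /* UINT32_MAX here exceeds INT_MAX */
}

/* "After": out.size is clamped to payload_size, the same bound the transport
 * applies when it copies the response. */
int64_t alloc_size_bounded(uint32_t in_size, uint32_t out_size, size_t payload_size)
{
	if (in_size > payload_size)
		return -EINVAL;
	if (out_size > payload_size)
		return (int64_t)payload_size;
	return (int64_t)out_size;
}

/* Model of the transport's response copy: min(out.size, payload_size,
 * device length). Returns the number of bytes written into buf. */
size_t model_copy_response(uint8_t *buf, size_t buf_len, uint32_t out_size,
			   size_t payload_size, const uint8_t *dev_resp, size_t dev_len)
{
	size_t n = out_size;
	if (n > payload_size)
		n = payload_size;
	if (n > dev_len)
		n = dev_len;
	if (n > buf_len) /* cannot happen when buf_len >= payload_size; kept as a guard */
		n = buf_len;
	memcpy(buf, dev_resp, n);
	return n;
}

/* End-to-end model of the fixed path: allocate with the clamped size, run the
 * clamped copy, return bytes delivered to the caller or a negative errno. */
int64_t model_send_cmd(uint32_t in_size, uint32_t out_size, size_t payload_size, size_t dev_len)
{
	int64_t alloc = alloc_size_bounded(in_size, out_size, payload_size);
	if (alloc < 0)
		return alloc;
	if (dev_len > MODEL_DEV_RESP_MAX)
		dev_len = MODEL_DEV_RESP_MAX;

	uint8_t *buf = calloc(alloc ? (size_t)alloc : 1, 1);
	if (!buf)
		return -ENOMEM;
	size_t n = model_copy_response(buf, (size_t)alloc, out_size, payload_size,
				       model_device_response(), dev_len);
	free(buf);
	return (int64_t)n;
}

int main(void)
{
	printf("before: out.size=UINT32_MAX would request %lld bytes (INT_MAX=%d)\n",
	       (long long)alloc_size_unbounded(0, UINT32_MAX, MODEL_PAYLOAD_SIZE), INT_MAX);
	printf("after:  out.size=UINT32_MAX requests %lld bytes\n",
	       (long long)alloc_size_bounded(0, UINT32_MAX, MODEL_PAYLOAD_SIZE));
	printf("fixed path delivers %lld of 16 device bytes\n",
	       (long long)model_send_cmd(0, UINT32_MAX, MODEL_PAYLOAD_SIZE, 16));
	return 0;
}
```

The three functions keep the two checks separate on purpose: the allocation bound and the copy bound must agree, and the model makes it visible that a user-chosen out.size larger than payload_size changes neither the buffer size nor the number of bytes copied.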

Thread overview: 3+ messages
2026-06-11  9:45 [PATCH] cxl/mbox: Bound the output payload allocation to mailbox payload size Richard Cheng
2026-06-11 15:30 ` Dave Jiang
2026-06-16 20:41 ` Dan Williams (nvidia) [this message]