From: sashiko-bot@kernel.org
To: "Terry Bowman" <terry.bowman@amd.com>
Cc: linux-cxl@vger.kernel.org, linux-pci@vger.kernel.org
Subject: Re: [PATCH v18 01/13] cxl/ras: Fix cxl_rch_get_aer_severity() wrong severity register
Date: Fri, 17 Jul 2026 22:43:04 +0000 [thread overview]
Message-ID: <20260717224305.3EEE61F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260717222706.3540281-2-terry.bowman@amd.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] cxl_rch_get_aer_info() uses sizeof(struct aer_capability_regs) to perform a linear MMIO read block copy, but the struct contains software-defined fields that break physical hardware layout parity, causing out-of-bounds MMIO reads and a stack data leak.
- [Medium] Correctable errors are silently dropped and permanently lost if uncorrectable errors are simultaneously present.
--
--- Patch [1]: [PATCH v18 01/13] cxl/ras: Fix cxl_rch_get_aer_severity() wrong severity register ---
commit 900d8b615c2219573e44e775aca2f70550afbe9a
Author: Terry Bowman <terry.bowman@amd.com>
cxl/ras: Fix cxl_rch_get_aer_severity() wrong severity register
This commit fixes the AER severity classification for RCH Downstream
Port uncorrectable errors by correctly checking the unmasked uncor_status
against uncor_severity.
Cc: stable@vger.kernel.org
> diff --git a/drivers/cxl/core/ras_rch.c b/drivers/cxl/core/ras_rch.c
> index 0a8b3b9b63884..44b335d560708 100644
> --- a/drivers/cxl/core/ras_rch.c
> +++ b/drivers/cxl/core/ras_rch.c
> @@ -80,7 +80,8 @@ static bool cxl_rch_get_aer_severity(struct aer_capability_regs *aer_regs,
> int *severity)
> {
> if (aer_regs->uncor_status & ~aer_regs->uncor_mask) {
> - if (aer_regs->uncor_status & PCI_ERR_ROOT_FATAL_RCV)
> + if ((aer_regs->uncor_status & ~aer_regs->uncor_mask) &
> + aer_regs->uncor_severity)
> *severity = AER_FATAL;
> else
> *severity = AER_NONFATAL;
[Severity: Medium]
This isn't a bug introduced by this patch, but does this logic permanently
lose correctable errors if both types are logged simultaneously?
Looking at cxl_rch_get_aer_info(), it reads the entire AER capability and
clears both error types in hardware:
drivers/cxl/core/ras_rch.c:cxl_rch_get_aer_info() {
...
writel(aer_regs->uncor_status, aer_base + PCI_ERR_UNCOR_STATUS);
writel(aer_regs->cor_status, aer_base + PCI_ERR_COR_STATUS);
...
}
Then here in cxl_rch_get_aer_severity(), it evaluates the uncorrectable
error, assigns the severity, and returns early without checking for
correctable errors:
drivers/cxl/core/ras_rch.c:cxl_rch_get_aer_severity() {
if (aer_regs->uncor_status & ~aer_regs->uncor_mask) {
...
return true;
}
...
}
Returning true immediately bypasses the correctable error check, preventing
cxl_handle_cor_ras() from being called on the same pass.
[Severity: High]
This is a pre-existing issue, but do the MMIO reads in the related
cxl_rch_get_aer_info() perform out-of-bounds hardware access?
drivers/cxl/core/ras_rch.c:cxl_rch_get_aer_info() {
int read_cnt = sizeof(struct aer_capability_regs) / sizeof(u32);
...
for (n = 0; n < read_cnt; n++)
aer_regs_buf[n] = readl(aer_base + n * sizeof(u32));
}
Since struct aer_capability_regs includes struct pcie_tlp_log, recent
additions to struct pcie_tlp_log (such as header_len and flit) increase
the size of the software struct well beyond the standard physical AER
capability size.
Would this loop copy unmapped PCIe config space (typically returning
0xFFFFFFFF) into software fields like header_len, leading
pcie_print_tlp_log() to later loop over an inflated log->header_len value
and trigger an out-of-bounds read on the kernel stack?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260717222706.3540281-1-terry.bowman@amd.com?part=1
next prev parent reply other threads:[~2026-07-17 22:43 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-17 22:26 [PATCH v18 00/13] Enable CXL PCIe Port Protocol Error handling and logging Terry Bowman
2026-07-17 22:26 ` [PATCH v18 01/13] cxl/ras: Fix cxl_rch_get_aer_severity() wrong severity register Terry Bowman
2026-07-17 22:43 ` sashiko-bot [this message]
2026-07-17 22:26 ` [PATCH v18 02/13] acpi/apei/ghes: Use raw_spinlock_t for CXL CPER work locks Terry Bowman
2026-07-17 22:49 ` sashiko-bot
2026-07-17 22:26 ` [PATCH v18 03/13] cxl: Tighten CPER kfifo registration API and symbol visibility Terry Bowman
2026-07-17 22:37 ` sashiko-bot
2026-07-17 22:26 ` [PATCH v18 04/13] cxl: Rename find_cxl_port() to find_cxl_port_by_dport() Terry Bowman
2026-07-17 22:34 ` sashiko-bot
2026-07-17 22:26 ` [PATCH v18 05/13] PCI/AER: Introduce AER-CXL protocol error kfifo Terry Bowman
2026-07-17 22:35 ` sashiko-bot
2026-07-17 22:26 ` [PATCH v18 06/13] PCI: Establish common CXL Port protocol error flow Terry Bowman
2026-07-17 22:43 ` sashiko-bot
2026-07-17 22:27 ` [PATCH v18 07/13] PCI/CXL: Add RCH support to CXL handlers Terry Bowman
2026-07-17 22:43 ` sashiko-bot
2026-07-17 22:27 ` [PATCH v18 08/13] cxl/pci: Thread port and dport through RAS handling helpers Terry Bowman
2026-07-17 22:40 ` sashiko-bot
2026-07-17 22:27 ` [PATCH v18 09/13] cxl: Update CXL Endpoint AER handler Terry Bowman
2026-07-17 22:53 ` sashiko-bot
2026-07-17 22:27 ` [PATCH v18 10/13] cxl: Add port and dport identifiers to CXL AER trace events Terry Bowman
2026-07-17 22:53 ` sashiko-bot
2026-07-17 22:27 ` [PATCH v18 11/13] PCI: Cache PCI DSN into pci_dev->dsn during probe Terry Bowman
2026-07-17 22:44 ` sashiko-bot
2026-07-17 22:27 ` [PATCH v18 12/13] PCI/CXL: Mask/Unmask CXL protocol errors Terry Bowman
2026-07-17 22:58 ` sashiko-bot
2026-07-17 22:27 ` [PATCH v18 13/13] Documentation: cxl: Document CXL protocol error handling Terry Bowman
2026-07-17 22:43 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260717224305.3EEE61F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=terry.bowman@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox