From: sashiko-bot@kernel.org
To: "Anisa Su" <anisa.su887@gmail.com>
Cc: linux-cxl@vger.kernel.org, nvdimm@lists.linux.dev
Subject: Re: [PATCH v11 30/31] tools/testing/cxl: Add DC Regions to mock mem data
Date: Thu, 25 Jun 2026 18:34:26 +0000 [thread overview]
Message-ID: <20260625183426.6217E1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260625112638.550691-31-anisa.su@samsung.com>
Thank you for your contribution! Sashiko AI review found 8 potential issue(s) to consider:
- [Medium] Missing bounds validation on `cmd->size_out` causes out-of-bounds writes in `mock_get_dc_extent_list`.
- [Medium] `mock_get_dc_extent_list` fails to update `cmd->size_out` to the actual response size.
- [Medium] Unconditionally clearing sent extents in `mock_add_dc_response` breaks the host's ability to issue multi-part responses.
- [Medium] Missing bounds validation on `cmd->size_in` causes out-of-bounds reads in mailbox commands.
- [Medium] Missing `devm_kfree()` calls cause unbounded memory accumulation of devres structures when extents are removed.
- [Medium] Validation failures mid-command leave the mock device in a torn state due to partial state mutation.
- [Medium] Flawed overlap validation in `new_extent_valid()` allows injection of overlapping extents.
- [Medium] Concurrent sysfs operations create a race condition resulting in orphaned mock events.
--
commit 8e9b7fc74b6af2c32bcba55480acc53f67c13c08
Author: Ira Weiny <iweiny@kernel.org>
tools/testing/cxl: Add DC Regions to mock mem data
This commit enhances cxl_test by introducing mock memory data for Dynamic
Capacity (DC) regions. It provides simulated sysfs interfaces to inject and
delete extents, alongside emulated mailbox commands to interact with them.
> diff --git a/tools/testing/cxl/test/mem.c b/tools/testing/cxl/test/mem.c
> index a2bfd52db0762..455f8a50d5818 100644
> --- a/tools/testing/cxl/test/mem.c
> +++ b/tools/testing/cxl/test/mem.c
[ ... ]
> @@ -1594,6 +1861,215 @@ static int mock_get_supported_features(struct cxl_mockmem_data *mdata,
> return 0;
> }
>
> +static int mock_get_dc_config(struct device *dev,
[ ... ]
> +static int mock_get_dc_extent_list(struct device *dev,
> + struct cxl_mbox_cmd *cmd)
> +{
> + struct cxl_mbox_get_extent_out *resp = cmd->payload_out;
> + struct cxl_mockmem_data *mdata = dev_get_drvdata(dev);
> + struct cxl_mbox_get_extent_in *get = cmd->payload_in;
> + u32 total_avail = 0, total_ret = 0, idx = 0;
> + struct cxl_extent_data *ext;
> + u32 ext_count, start_idx;
> + unsigned long i;
> +
> + ext_count = le32_to_cpu(get->extent_cnt);
> + start_idx = le32_to_cpu(get->start_extent_index);
> +
> + memset(resp, 0, sizeof(*resp));
> +
> + guard(mutex)(&mdata->ext_lock);
[Severity: Medium]
Does `cmd->size_out` need to be validated against the expected output size
before we `memset` and write into the flexible array? If the caller provides
a buffer smaller than `sizeof(*resp) + total_ret * sizeof(struct cxl_extent)`,
could this overflow the output buffer?
> + /*
> + * Total available needs to be calculated and returned regardless of
> + * how many can actually be returned.
> + */
> + xa_for_each(&mdata->dc_accepted_exts, i, ext)
> + total_avail++;
> +
> + if (start_idx > total_avail)
> + return -EINVAL;
> +
> + xa_for_each(&mdata->dc_accepted_exts, i, ext) {
> + if (total_ret >= ext_count)
> + break;
> +
> + if (idx++ >= start_idx) {
> + resp->extent[total_ret].start_dpa =
> + cpu_to_le64(ext->dpa_start);
> + resp->extent[total_ret].length =
> + cpu_to_le64(ext->length);
> + export_uuid(resp->extent[total_ret].uuid, &ext->uuid);
> + resp->extent[total_ret].shared_extn_seq =
> + cpu_to_le16(ext->shared_extn_seq);
> + total_ret++;
> + }
> + }
> +
> + resp->returned_extent_count = cpu_to_le32(total_ret);
> + resp->total_extent_count = cpu_to_le32(total_avail);
> + resp->generation_num = cpu_to_le32(mdata->dc_ext_generation);
> +
> + dev_dbg(dev, "Returning %d extents of %d total\n",
> + total_ret, total_avail);
> +
> + return 0;
> +}
[Severity: Medium]
Is it expected that `cmd->size_out` is left unmodified on success here? Other
mock mailbox commands update this field to reflect the actual response payload
size (e.g., setting it to `struct_size(resp, extent, total_ret)`).
> +
> +static void dc_clear_sent(struct device *dev)
> +{
> + struct cxl_mockmem_data *mdata = dev_get_drvdata(dev);
> + struct cxl_extent_data *ext;
> + unsigned long index;
> +
> + lockdep_assert_held(&mdata->ext_lock);
> +
> + /* Any extents not accepted must be cleared */
> + xa_for_each(&mdata->dc_sent_extents, index, ext) {
> + dev_dbg(dev, "Host rejected extent %#llx\n", ext->dpa_start);
> + xa_erase(&mdata->dc_sent_extents, ext->dpa_start);
> + }
> +}
[Severity: Medium]
Does removing the extent from the XArray via `xa_erase()` leak the underlying
`cxl_extent_data` structure? Since it was originally allocated with
`devm_kzalloc()`, it appears this memory will accumulate indefinitely over
repeated insert/erase cycles unless `devm_kfree()` is explicitly called.
This identical pattern exists in `dc_delete_extent()` and
`release_accepted_extent()` as well.
> +
> +static int mock_add_dc_response(struct device *dev,
> + struct cxl_mbox_cmd *cmd)
> +{
> + struct cxl_mbox_dc_response *req = cmd->payload_in;
> + u32 list_size = le32_to_cpu(req->extent_list_size);
> + struct cxl_mockmem_data *mdata = dev_get_drvdata(dev);
> + u32 last_offer_seq = 0;
> + bool first = true;
> +
> + guard(mutex)(&mdata->ext_lock);
> + for (int i = 0; i < list_size; i++) {
> + u64 start = le64_to_cpu(req->extent_list[i].dpa_start);
> + u64 length = le64_to_cpu(req->extent_list[i].length);
[Severity: Medium]
Is it safe to iterate up to `list_size` without first validating that
`cmd->size_in` is large enough to contain
`struct_size(req, extent_list, list_size)`? Could a malformed request read
out-of-bounds memory here?
> + struct cxl_extent_data *ext;
> + int rc;
> +
> + /*
> + * CXL r4.0 8.2.10.9.9.3: the host must list extents in the
> + * order the device offered them (Add Capacity events); reject
> + * an out-of-order response as Invalid Input.
> + */
> + ext = xa_load(&mdata->dc_sent_extents, start);
> + if (!ext)
> + ext = xa_load(&mdata->dc_accepted_exts, start);
> + if (ext) {
> + if (!first && ext->offer_seq < last_offer_seq) {
> + dev_err(dev, "Add-DC-Response out of order at extent %#llx\n",
> + start);
> + return -EINVAL;
> + }
> + last_offer_seq = ext->offer_seq;
> + first = false;
> + }
> +
> + rc = dc_accept_extent(dev, start, length);
> + if (rc)
> + return rc;
> + }
[Severity: Medium]
Could returning an error midway through this loop leave the mock device in a
torn state? If an extent midway through the list fails validation (like the
out-of-order check), previous extents in the iteration have already been
irrevocably transitioned to the accepted state via `dc_accept_extent()`.
> +
> + dc_clear_sent(dev);
> + return 0;
> +}
[Severity: Medium]
Will unconditionally calling `dc_clear_sent(dev)` break host responses that are
split into multiple parts? If the host sets `req->flags & CXL_DCD_EVENT_MORE`,
this clears the remaining pending extents before the host can acknowledge them.
> +
> +static void dc_delete_extent(struct device *dev, unsigned long long start,
> + unsigned long long length)
> +{
[ ... ]
> +static int mock_dc_release(struct device *dev,
> + struct cxl_mbox_cmd *cmd)
> +{
> + struct cxl_mbox_dc_response *req = cmd->payload_in;
> + u32 list_size = le32_to_cpu(req->extent_list_size);
> +
> + for (int i = 0; i < list_size; i++) {
> + u64 start = le64_to_cpu(req->extent_list[i].dpa_start);
> + u64 length = le64_to_cpu(req->extent_list[i].length);
[Severity: Medium]
Similarly to `mock_add_dc_response()`, does `mock_dc_release()` need to
validate that `cmd->size_in` is large enough to hold `list_size` entries before
iterating over `req->extent_list[i]`?
> +
> + dev_dbg(dev, "Extent %#llx released by host\n", start);
> + release_accepted_extent(dev, start, length);
> + }
> +
> + return 0;
> +}
[ ... ]
> @@ -1936,11 +2442,328 @@ static ssize_t sanitize_timeout_store(struct device *dev,
>
> static DEVICE_ATTR_RW(sanitize_timeout);
>
> +/* Return if the proposed extent would break the test code */
> +static bool new_extent_valid(struct device *dev, size_t new_start,
> + size_t new_len)
> +{
> + struct cxl_mockmem_data *mdata = dev_get_drvdata(dev);
> + struct cxl_extent_data *extent;
> + size_t new_end, i;
> +
> + if (!new_len)
> + return false;
> +
> + new_end = new_start + new_len;
> +
> + dev_dbg(dev, "New extent %zx-%zx\n", new_start, new_end);
> +
> + guard(mutex)(&mdata->ext_lock);
> + dev_dbg(dev, "Checking extents starts...\n");
> + xa_for_each(&mdata->dc_fm_extents, i, extent) {
> + if (extent->dpa_start == new_start)
> + return false;
> + }
[Severity: Medium]
Is it intentional that the overlap validation only checks exact starting
addresses? The iteration calculates `new_end` but doesn't check
`extent->length`, which seems to permit injecting extents that partially overlap
in physical DPA ranges.
> +
> + dev_dbg(dev, "Checking sent extents starts...\n");
> + xa_for_each(&mdata->dc_sent_extents, i, extent) {
> + if (extent->dpa_start == new_start)
> + return false;
> + }
> +
> + dev_dbg(dev, "Checking accepted extents starts...\n");
> + xa_for_each(&mdata->dc_accepted_exts, i, extent) {
> + if (extent->dpa_start == new_start)
> + return false;
> + }
> +
> + return true;
> +}
[ ... ]
> +static ssize_t __dc_inject_extent_store(struct device *dev,
> + struct device_attribute *attr,
> + const char *buf, size_t count,
> + bool shared)
> +{
[ ... ]
> + if (!new_extent_valid(dev, start, length))
> + return -EINVAL;
> +
> + rc = devm_add_fm_extent(dev, start, length, uuid_str, shared_extn_seq,
> + shared);
> + if (rc) {
> + dev_err(dev, "Failed to add extent DPA:%#llx LEN:%#llx; %d\n",
> + start, length, rc);
> + return rc;
> + }
> +
> + mark_extent_sent(dev, start);
> + rc = log_dc_event(mdata, DCD_ADD_CAPACITY, start, length, uuid_str,
> + shared_extn_seq, more);
> + if (rc) {
[Severity: Medium]
Could concurrent sysfs operations result in orphaned events here?
`mark_extent_sent()` aborts silently if the extent was deleted concurrently
(e.g., from a sysfs delete executing at the same time), but
`__dc_inject_extent_store()` will still unconditionally queue a
`DCD_ADD_CAPACITY` event via `log_dc_event()`.
> + dev_err(dev, "Failed to add event %d\n", rc);
> + return rc;
> + }
> +
> + return count;
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260625112638.550691-1-anisa.su@samsung.com?part=30
next prev parent reply other threads:[~2026-06-25 18:34 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-25 11:04 DCD: Add support for Dynamic Capacity Devices (DCD) Anisa Su
2026-06-25 11:04 ` [PATCH v11 01/31] cxl/mbox: Flag " Anisa Su
2026-06-26 21:43 ` Dave Jiang
2026-06-25 11:04 ` [PATCH v11 02/31] cxl/mem: Read dynamic capacity configuration from the device Anisa Su
2026-06-25 18:16 ` sashiko-bot
2026-06-26 22:26 ` Dave Jiang
2026-06-25 11:04 ` [PATCH v11 04/31] cxl/core: Enforce partition order/simplify partition calls Anisa Su
2026-06-26 22:37 ` Dave Jiang
2026-06-25 11:04 ` [PATCH v11 05/31] cxl/mem: Expose dynamic ram 1 partition in sysfs Anisa Su
2026-06-25 18:12 ` sashiko-bot
2026-06-26 23:08 ` Dave Jiang
2026-06-25 11:04 ` [PATCH v11 06/31] cxl/port: Add 'dynamic_ram_1' to endpoint decoder mode Anisa Su
2026-06-25 11:04 ` [PATCH v11 07/31] cxl/region: Add DC DAX region support Anisa Su
2026-06-25 18:16 ` sashiko-bot
2026-06-26 23:18 ` Dave Jiang
2026-06-25 11:04 ` [PATCH v11 08/31] cxl/events: Split event msgnum configuration from irq setup Anisa Su
2026-06-25 11:04 ` [PATCH v11 09/31] cxl/pci: Factor out interrupt policy check Anisa Su
2026-06-25 11:04 ` [PATCH v11 10/31] cxl/mem: Configure dynamic capacity interrupts Anisa Su
2026-06-25 18:14 ` sashiko-bot
2026-07-07 21:51 ` Cheatham, Benjamin
2026-06-25 11:04 ` [PATCH v11 11/31] cxl/core: Return endpoint decoder information from region search Anisa Su
2026-06-25 11:04 ` [PATCH v11 12/31] cxl/mem: Set up framework for handling DC Events Anisa Su
2026-06-25 18:12 ` sashiko-bot
2026-06-26 21:54 ` Dave Jiang
2026-06-25 11:04 ` [PATCH v11 13/31] cxl/mem: Add 20 second timeout for stalled DC_ADD_CAPACITY chains Anisa Su
2026-06-25 18:15 ` sashiko-bot
2026-06-30 21:11 ` Dave Jiang
2026-06-25 11:04 ` [PATCH v11 14/31] cxl/extent: Handle DC Add Capacity events Anisa Su
2026-06-25 18:16 ` sashiko-bot
2026-06-25 11:04 ` [PATCH v11 15/31] cxl/mem: Drop misaligned DCD extent groups Anisa Su
2026-06-25 18:19 ` sashiko-bot
2026-06-30 21:23 ` Dave Jiang
2026-06-25 11:04 ` [PATCH v11 16/31] cxl/extent: Validate DC extent partition Anisa Su
2026-06-25 18:20 ` sashiko-bot
2026-06-30 22:49 ` Dave Jiang
2026-06-25 11:04 ` [PATCH v11 17/31] cxl/mem: Enforce tag-group semantics Anisa Su
2026-06-25 18:24 ` sashiko-bot
2026-06-25 11:04 ` [PATCH v11 18/31] cxl/extent: Handle DC Release Capacity events Anisa Su
2026-06-25 18:23 ` sashiko-bot
2026-06-25 11:04 ` [PATCH v11 19/31] cxl/extent: Enforce cross-region tag uniqueness Anisa Su
2026-06-25 18:23 ` sashiko-bot
2026-06-25 11:04 ` [PATCH v11 20/31] cxl/region/extent: Expose dc_extent information in sysfs Anisa Su
2026-06-25 18:33 ` sashiko-bot
2026-06-25 11:04 ` [PATCH v11 21/31] cxl + dax: Surface dax_resources on DCD Add Capacity events Anisa Su
2026-06-25 18:29 ` sashiko-bot
2026-06-25 11:04 ` [PATCH v11 22/31] cxl + dax: Release dax_resources on DCD Release " Anisa Su
2026-06-25 18:36 ` sashiko-bot
2026-06-25 11:05 ` [PATCH v11 23/31] dax/bus: Factor out dev dax resize logic Anisa Su
2026-06-25 18:27 ` sashiko-bot
2026-06-25 11:05 ` [PATCH v11 24/31] dax/bus: Add uuid sysfs attribute to dax devices Anisa Su
2026-06-30 23:21 ` Dave Jiang
2026-06-25 11:05 ` [PATCH v11 25/31] dax/bus: Reject resize on DC dax devices and enforce 0-size creation Anisa Su
2026-06-25 11:05 ` [PATCH v11 26/31] dax/bus: Tag-aware uuid claim and show on DC dax devices Anisa Su
2026-06-25 18:26 ` sashiko-bot
2026-06-25 11:05 ` [PATCH v11 27/31] cxl/region: Read existing extents on region creation Anisa Su
2026-06-25 18:32 ` sashiko-bot
2026-06-25 11:05 ` [PATCH v11 28/31] cxl/mem: Trace Dynamic capacity Event Record Anisa Su
2026-06-25 18:29 ` sashiko-bot
2026-06-25 11:05 ` [PATCH v11 29/31] tools/testing/cxl: Make event logs dynamic Anisa Su
2026-06-25 18:31 ` sashiko-bot
2026-06-25 11:05 ` [PATCH v11 30/31] tools/testing/cxl: Add DC Regions to mock mem data Anisa Su
2026-06-25 18:34 ` sashiko-bot [this message]
2026-06-25 11:05 ` [PATCH v11 31/31] Documentation/cxl: Document DCD extent handling and DC-backed DAX regions Anisa Su
2026-06-25 18:24 ` sashiko-bot
2026-06-25 18:00 ` [PATCH v11 03/31] cxl/cdat: Gather DSMAS data for DCD partitions Anisa Su
2026-06-26 22:30 ` Dave Jiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260625183426.6217E1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=anisa.su887@gmail.com \
--cc=linux-cxl@vger.kernel.org \
--cc=nvdimm@lists.linux.dev \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox