Re: [PATCH] cxl/mbox: Bound the output payload allocation to mailbox payload size

From: Dan Williams (nvidia)

Date: Tue Jun 16 2026 - 16:42:02 EST


Richard Cheng wrote:
> CXL_MEM_SEND_COMMAND bounds the user's in.size to the mailbox payload
> size but leaves out.size unbounded, then cxl_mbox_cmd_ctor() calls
> kvzalloc(out.size). A large out.size drives a huge allocation; above
> INT_MAX it even WARNs and taints, and on a kernel with panic_on_warn=1
> it will panic.
> The transport __cxl_pci_mbox_send_cmd() already clamps the response copy
> to min(out.size, payload_size, device len), so the bound buffer is never
> written beyond payload_size. Clamp the allocation to payload_size too,
> matching the RAW path.

Patch looks good, just comments on Fixes and formatting:

> With the following reproducer [1], we'll get error logs [2].
> [1]:
> """
[ .. snip reproducer, yes a new test would be welcome .. ]
> """
> [2]:

Trim reports to the relevant information, I usually drop timestamps and
all but the Call Trace:

> WARNING: mm/slub.c:6841 at __kvmalloc_node_noprof+0x534/0x818,
> CPU#131: cxl_repro_outsi/4668
> Tainted: [W]=WARN
> Call trace:
> __kvmalloc_node_noprof+0x534/0x818 (P)
> cxl_send_cmd+0x514/0x7e0
> cxl_memdev_ioctl+0x7c/0xe0
> __arm64_sys_ioctl+0x4a4/0xbc8
> invoke_syscall.constprop.0+0xac/0x100
> do_el0_svc+0x4c/0x100
> el0_svc+0x50/0x2b0
> el0t_64_sync_handler+0xc0/0x108
> el0t_64_sync+0x1b8/0x1c0
> ---[ end trace 0000000000000000 ]---
>
> Fixes: 4faf31b43468 ("cxl/mbox: Move mailbox and other non-PCI specific infrastructure to the core")

Looks like the correct Fixes would be:

Fixes: 583fa5e71cae ("cxl/mem: Add basic IOCTL interface")

...as unbounded input was mistakenly allowed from the outset.
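As an added illustration of the sizing issue discussed in this thread (not code from the patch, the kernel, or either poster), the following user-space C model contrasts the unbounded output allocation with the clamped one and shows why the transport-side copy of min(out.size, payload_size, device length) can never exceed a buffer sized to payload_size. The function names, the 512-byte payload size, the INT_MAX WARN threshold and the -EINVAL error code are constructed assumptions for the example, not the kernel's actual cxl_send_cmd()/cxl_mbox_cmd_ctor() code.

```c
/* Constructed model of the ioctl-side output sizing; NOT the kernel's code. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption for this model: the allocator WARNs on requests above INT_MAX,
 * matching the __kvmalloc_node_noprof WARN in the report. */
#define KVMALLOC_WARN_THRESHOLD ((size_t)INT_MAX)

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Before the fix: in.size is bounded by payload_size, out.size is not,
 * so the allocation length is whatever user space asked for. */
int alloc_len_before(size_t in_size, size_t out_size, size_t payload_size,
                     size_t *alloc_len)
{
    if (in_size > payload_size)
        return -EINVAL;        /* simplified error code, not the kernel's */
    *alloc_len = out_size;     /* unbounded: SIZE_MAX reaches the allocator */
    return 0;
}

/* After the fix: the output allocation is clamped to payload_size. */
int alloc_len_after(size_t in_size, size_t out_size, size_t payload_size,
                    size_t *alloc_len)
{
    if (in_size > payload_size)
        return -EINVAL;
    *alloc_len = min_sz(out_size, payload_size);
    return 0;
}

/* Would a request of this size trip the allocator WARN in this model? */
int would_warn(size_t alloc_len) { return alloc_len > KVMALLOC_WARN_THRESHOLD; }

/* Transport-side copy length: min(out.size, payload_size, device length),
 * as the thread describes for __cxl_pci_mbox_send_cmd(). */
size_t response_copy_len(size_t out_size, size_t payload_size, size_t dev_len)
{
    return min_sz(min_sz(out_size, payload_size), dev_len);
}

/* Run the clamped path end to end with a constructed device response and
 * return how many bytes landed in the bounded buffer (0 on any failure). */
size_t simulate_send(size_t in_size, size_t out_size, size_t payload_size,
                     size_t dev_len)
{
    size_t alloc_len, copied;
    unsigned char *buf;

    if (alloc_len_after(in_size, out_size, payload_size, &alloc_len) < 0)
        return 0;
    if (would_warn(alloc_len))
        return 0;
    buf = calloc(alloc_len ? alloc_len : 1, 1);
    if (!buf)
        return 0;
    copied = response_copy_len(out_size, payload_size, dev_len);
    /* copied <= min(out_size, payload_size) == alloc_len, so this stays in bounds */
    memset(buf, 0xA5, copied);
    free(buf);
    return copied;
}

int main(void)
{
    const size_t payload_size = 512;   /* constructed mailbox payload size */
    size_t before = 0, after = 0;

    alloc_len_before(0, SIZE_MAX, payload_size, &before);
    alloc_len_after(0, SIZE_MAX, payload_size, &after);
    printf("before: alloc %zu bytes, warns=%d\n", before, would_warn(before));
    printf("after:  alloc %zu bytes, warns=%d\n", after, would_warn(after));
    printf("copied with 300-byte device response: %zu\n",
           simulate_send(0, SIZE_MAX, payload_size, 300));
    return 0;
}
```

With out.size set to SIZE_MAX, the unclamped path hands the full value to the allocator and trips the WARN threshold, while the clamped path allocates only payload_size bytes; the simulated response copy then shows the three-way min() always landing inside that bounded buffer.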