Re: [PATCH] cxl/mbox: Bound the output payload allocation to mailbox payload size

From: Richard Cheng

Date: Mon Jun 22 2026 - 06:14:32 EST


On Tue, Jun 16, 2026 at 01:41:49PM +0800, Dan Williams (nvidia) wrote:
> Richard Cheng wrote:
> > CXL_MEM_SEND_COMMAND bounds the user's in.size to the mailbox payload
> > size but leaves out.size unbounded, then cxl_mbox_cmd_ctor() calls
> > kvzalloc(out.size). A large out.size drives a huge allocation, and above
> > INT_MAX it even WARNs and taints; on a kernel with panic_on_warn=1, it
> > will panic.
> > The transport __cxl_pci_mbox_send_cmd() already clamps the response copy
> > to min(out.size, payload_size, device len), so the bound buffer is never
> > written beyond payload_size. Clamp the allocation to payload_size too,
> > matching the RAW path.
>
> Patch looks good, just comments on Fixes and formatting:
>
> > With the following reproducer [1], we'll get error logs [2].
> > [1]:
> > """
> [ .. snip reproducer, yes a new test would be welcome .. ]
> > """
> > [2]:
>
> Trim reports to the relevant information, I usually drop timestamps and
> all but the Call Trace:
>

No problem, I'll drop them in v2.

> > WARNING: mm/slub.c:6841 at __kvmalloc_node_noprof+0x534/0x818,
> > CPU#131: cxl_repro_outsi/4668
> > Tainted: [W]=WARN
> > Call trace:
> > __kvmalloc_node_noprof+0x534/0x818 (P)
> > cxl_send_cmd+0x514/0x7e0
> > cxl_memdev_ioctl+0x7c/0xe0
> > __arm64_sys_ioctl+0x4a4/0xbc8
> > invoke_syscall.constprop.0+0xac/0x100
> > do_el0_svc+0x4c/0x100
> > el0_svc+0x50/0x2b0
> > el0t_64_sync_handler+0xc0/0x108
> > el0t_64_sync+0x1b8/0x1c0
> > ---[ end trace 0000000000000000 ]---
> >
> > Fixes: 4faf31b43468 ("cxl/mbox: Move mailbox and other non-PCI specific infrastructure to the core")
>
> Looks like the correct Fixes would be:
>
> Fixes: 583fa5e71cae ("cxl/mem: Add basic IOCTL interface")
>
> ...as unbounded input was mistakenly allowed from the outset.

Oh thanks for this, I'll correct it.

--Richard
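The allocation clamp the commit message describes, as an added userspace model that is not the patch itself or the kernel's cxl code: `model_cmd_ctor()` rejects an oversized input length, bounds the response allocation to the mailbox payload size, and `model_copy_response()` applies the same min(out.size, payload_size, device len) clamp the transport is described as using, so the copy can never exceed the buffer. The `model_` names and `MODEL_PAYLOAD_SIZE` are assumptions for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the ioctl send path; names and the payload size are
 * assumptions for this example, not the kernel's cxl code. */
#define MODEL_PAYLOAD_SIZE 512u

struct model_cmd {
	size_t in_size;      /* user-provided input length, must fit the mailbox */
	size_t out_size;     /* user-provided output length, may be huge */
	size_t alloc_size;   /* bytes actually allocated for the response */
	unsigned char *out;  /* response buffer handed back to the caller */
};

static size_t model_min(size_t a, size_t b)
{
	return a < b ? a : b;
}

/* The fix: the response allocation is bounded by payload_size, mirroring the
 * clamp the transport already applies when it copies the response out.
 * The pre-fix behaviour allocated out_size directly. */
size_t model_alloc_size(size_t out_size, size_t payload_size)
{
	return model_min(out_size, payload_size);
}

/* Builds the command: rejects oversized input, clamps the output allocation.
 * Returns 0, -EINVAL or -ENOMEM, as the ioctl path would. */
int model_cmd_ctor(struct model_cmd *cmd, size_t in_size, size_t out_size,
		   size_t payload_size)
{
	memset(cmd, 0, sizeof(*cmd));
	if (in_size > payload_size)
		return -EINVAL;
	cmd->in_size = in_size;
	cmd->out_size = out_size;
	cmd->alloc_size = model_alloc_size(out_size, payload_size);
	if (cmd->alloc_size) {
		cmd->out = calloc(cmd->alloc_size, 1);
		if (!cmd->out)
			return -ENOMEM;
	}
	return 0;
}

/* Transport copy: min(out_size, payload_size, device length). Because
 * alloc_size == min(out_size, payload_size), the copy never exceeds the
 * buffer. Returns the number of bytes copied. */
size_t model_copy_response(struct model_cmd *cmd, const unsigned char *dev_resp,
			   size_t dev_len, size_t payload_size)
{
	size_t n = model_min(model_min(cmd->out_size, payload_size), dev_len);

	if (n > cmd->alloc_size)   /* cannot happen after the fix; defensive */
		n = cmd->alloc_size;
	if (n)
		memcpy(cmd->out, dev_resp, n);
	return n;
}

void model_cmd_free(struct model_cmd *cmd)
{
	free(cmd->out);
	cmd->out = NULL;
}

/* Returns 1 when the constructor rejects an input length above the mailbox. */
int model_input_rejected(size_t in_size)
{
	struct model_cmd cmd;
	int rc = model_cmd_ctor(&cmd, in_size, 8, MODEL_PAYLOAD_SIZE);

	model_cmd_free(&cmd);
	return rc == -EINVAL;
}

/* Runs the scenario from the report with a constructed device response:
 * a huge out.size now costs at most payload_size bytes. Returns the bytes
 * allocated, or 0 if the copy and allocation disagree. */
size_t model_run_oversized(size_t out_size)
{
	struct model_cmd cmd;
	unsigned char resp[MODEL_PAYLOAD_SIZE * 2];  /* constructed device data */
	size_t copied, allocated;

	memset(resp, 0xAB, sizeof(resp));
	if (model_cmd_ctor(&cmd, 16, out_size, MODEL_PAYLOAD_SIZE))
		return 0;
	copied = model_copy_response(&cmd, resp, sizeof(resp), MODEL_PAYLOAD_SIZE);
	allocated = cmd.alloc_size;
	model_cmd_free(&cmd);
	return copied == allocated ? allocated : 0;
}

int main(void)
{
	printf("out.size=SIZE_MAX -> allocated %zu bytes\n",
	       model_run_oversized(SIZE_MAX));
	printf("in.size too large rejected: %d\n",
	       model_input_rejected(MODEL_PAYLOAD_SIZE + 1));
	return 0;
}
```

The `model_run_oversized(SIZE_MAX)` call is the equivalent of the reproducer's huge out.size: before the clamp it would have meant a SIZE_MAX-byte allocation request, after it the allocation is exactly `MODEL_PAYLOAD_SIZE` and the copied length matches it.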