[PATCH v2] cxl/mbox: Clamp mailbox output allocation to the payload size

From: Richard Cheng

Date: Wed Jun 24 2026 - 10:47:25 EST


CXL_MEM_SEND_COMMAND bounds the user's in.size to the mailbox payload
size but leaves out.size unbounded, then cxl_mbox_cmd_ctor() calls
kvzalloc(out.size). A large out.size drives a huge allocation; above
INT_MAX it WARNs and taints, and with panic_on_warn=1 it panics.

The transport __cxl_pci_mbox_send_cmd() already clamps the response copy
to min(out.size, payload_size, device len), so the output buffer is
never written beyond payload_size. Clamp the allocation to payload_size
too, matching the RAW path.

Fixes: 583fa5e71cae ("cxl/mem: Add basic IOCTL interface")
Reviewed-by: Kai-Heng Feng <kaihengf@xxxxxxxxxx>
Reviewed-by: Koba Ko <kobak@xxxxxxxxxx>
Reviewed-by: Dave Jiang <dave.jiang@xxxxxxxxx>
Reviewed-by: Davidlohr Bueso <dave@xxxxxxxxxxxx>
Signed-off-by: Richard Cheng <icheng@xxxxxxxxxx>
---
Changelog:

v1 -> v2:
- Correct the Fixes tag to 583fa5e71cae ("cxl/mem: Add basic IOCTL
interface")
- Drop the reproducer and send it as a regression test in ndctl

Best regards,
Richard Cheng.
---
drivers/cxl/core/mbox.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c
index 7c6c5b7450a5..d9cb02c9f72c 100644
--- a/drivers/cxl/core/mbox.c
+++ b/drivers/cxl/core/mbox.c
@@ -380,11 +380,7 @@ static int cxl_mbox_cmd_ctor(struct cxl_mbox_cmd *mbox_cmd,
}
}

- /* Prepare to handle a full payload for variable sized output */
- if (out_size == CXL_VARIABLE_PAYLOAD)
- mbox_cmd->size_out = cxl_mbox->payload_size;
- else
- mbox_cmd->size_out = out_size;
+ mbox_cmd->size_out = min_t(size_t, out_size, cxl_mbox->payload_size);

if (mbox_cmd->size_out) {
mbox_cmd->payload_out = kvzalloc(mbox_cmd->size_out, GFP_KERNEL);
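Review bot: the explicit CXL_VARIABLE_PAYLOAD branch and its comment are dropped, so the variable-sized-output case now works only because the sentinel compares larger than cxl_mbox->payload_size and min_t() collapses it; that dependency is no longer documented at the site. Keep a one-line comment above the min_t(), e.g. "/* Clamp to payload_size; CXL_VARIABLE_PAYLOAD resolves to the full payload */", so a later change to the sentinel's value or type cannot silently break this path. Also worth stating in the commit message that the clamp is silent: a caller (in-kernel or via the ioctl) asking for more than payload_size gets a smaller buffer with no error, which is fine given the transport already limits the copy to payload_size, but reviewers of the ioctl path should not expect an -EINVAL here.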

base-commit: ef0c9f75a19532d7675384708fc8621e10850104
--
2.43.0
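To make the failure the commit message describes concrete, here is an added user-space model of the output-buffer setup in cxl_mbox_cmd_ctor(), not the kernel's own code. It assumes CXL_VARIABLE_PAYLOAD is ~0U (its kernel value), stands in a 1 MiB payload size for the device-reported one, and replaces kvzalloc() with a fake that refuses sizes above INT_MAX the way the real allocator WARNs. The same function runs the pre-patch logic and the patched min_t() clamp side by side, which also shows that the clamp absorbs the variable-payload sentinel without a dedicated branch.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumptions, not kernel code: the sentinel is modelled with its kernel
 * value (~0U); PAYLOAD_SIZE is a constructed stand-in for the device-reported
 * mailbox payload size. */
#define CXL_VARIABLE_PAYLOAD (~0U)
#define PAYLOAD_SIZE         ((size_t)1 << 20)

struct mbox_cmd {
	size_t size_out;
	void *payload_out;
};

/* Stand-in for kvzalloc(): the kernel refuses sizes above INT_MAX with a
 * WARN (taint, and a panic under panic_on_warn=1). Here the WARN becomes a
 * counter so callers can observe that path being reached. */
static void *fake_kvzalloc(size_t size, int *warn_count)
{
	if (size > INT_MAX) {
		(*warn_count)++;
		return NULL;
	}
	return calloc(1, size);
}

/* Models the output-buffer setup of cxl_mbox_cmd_ctor().
 * clamp == 0: pre-patch logic (sentinel branch, otherwise out_size verbatim).
 * clamp == 1: patched min_t(size_t, out_size, payload_size).
 * Returns 0 on success, -1 if the allocator refused the request. */
static int ctor_size_out(struct mbox_cmd *cmd, size_t out_size,
			 size_t payload_size, int clamp, int *warn_count)
{
	if (clamp)
		cmd->size_out = out_size < payload_size ? out_size : payload_size;
	else if (out_size == CXL_VARIABLE_PAYLOAD)
		cmd->size_out = payload_size;
	else
		cmd->size_out = out_size;

	cmd->payload_out = NULL;
	if (cmd->size_out) {
		cmd->payload_out = fake_kvzalloc(cmd->size_out, warn_count);
		if (!cmd->payload_out)
			return -1;
	}
	return 0;
}

static void ctor_free(struct mbox_cmd *cmd)
{
	free(cmd->payload_out);
	cmd->payload_out = NULL;
}

/* Drives one user-supplied out.size through both variants and prints the
 * outcome; the INT_MAX + 1 row is the case the patch is about. */
static void show(size_t user_out_size)
{
	struct mbox_cmd cmd;
	int warned = 0, rc;

	rc = ctor_size_out(&cmd, user_out_size, PAYLOAD_SIZE, 0, &warned);
	printf("out.size=%zu  before: rc=%d size_out=%zu warned=%d\n",
	       user_out_size, rc, cmd.size_out, warned);
	ctor_free(&cmd);

	warned = 0;
	rc = ctor_size_out(&cmd, user_out_size, PAYLOAD_SIZE, 1, &warned);
	printf("out.size=%zu  after:  rc=%d size_out=%zu warned=%d\n",
	       user_out_size, rc, cmd.size_out, warned);
	ctor_free(&cmd);
}

int main(void)
{
	show(64);                       /* small request: unchanged */
	show(PAYLOAD_SIZE + 1);         /* just over payload: now clamped */
	show((size_t)INT_MAX + 1);      /* pre-patch WARN path; clamped after */
	show(CXL_VARIABLE_PAYLOAD);     /* sentinel: both yield payload_size */
	return 0;
}
```

The clamp is silent by design: an oversized out.size yields a payload_size buffer rather than an error, which is safe because the transport already limits the response copy to payload_size.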