Implement a regression test for unbounded kvzalloc() in the kernel's cxl_mbox_cmd_ctor(), which a CXL_MEM_SEND_COMMAND with an out.size greater than INT_MAX could drive into a size > INT_MAX kvmalloc() WARN.
libcxl's cxl_cmd_set_output_payload() rejects an out.size larger than the mailbox payload_max, so the test crafts a raw struct cxl_send_command and issues the CXL_MEM_SEND_COMMAND ioctl directly against the cxl_test mock memdev. The test is for a kernel bug fix [1]. [1]: https://lore.kernel.org/all/[email protected]/ Signed-off-by: Richard Cheng <[email protected]> --- test/cxl-mbox.c | 129 +++++++++++++++++++++++++++++++++++++++++++++++ test/cxl-mbox.sh | 48 ++++++++++++++++++ 2 files changed, 177 insertions(+) create mode 100644 test/cxl-mbox.c create mode 100755 test/cxl-mbox.sh diff --git a/test/cxl-mbox.c b/test/cxl-mbox.c new file mode 100644 index 0000000..d81327b --- /dev/null +++ b/test/cxl-mbox.c @@ -0,0 +1,129 @@ +// SPDX-License-Identifier: GPL-2.0 +// Copyright (C) 2026 Nvidia Corporation. All rights reserved. +#include <errno.h> +#include <fcntl.h> +#include <stdio.h> +#include <stdint.h> +#include <stddef.h> +#include <stdlib.h> +#include <syslog.h> +#include <string.h> +#include <unistd.h> +#include <sys/ioctl.h> +#include <cxl/libcxl.h> +#include <cxl/cxl_mem.h> + +static const char provider[] = "cxl_test"; + +/* + * The cxl_test mock advertises a 4 KiB (SZ_4K) mailbox payload_size and + * IDENTIFY returns a full struct cxl_mbox_identify. Post-fix the kernel + * clamps the output allocation to payload_size and copies that many bytes + * back into out.payload, so the buffer must be >= payload_size. 64 KiB is + * comfortably above the mock's 4 KiB payload. + */ +#define OUT_BUF_SIZE (64 * 1024) + +/* + * Regression for the unbounded kvzalloc() in cxl_mbox_cmd_ctor() driven by a + * huge CXL_MEM_SEND_COMMAND out.size. The kernel fix CLAMPS the output + * allocation to the mailbox payload_size; it does not reject the request. + * Assert the ioctl SUCCEEDS (no -ENOMEM) -- do NOT assert -EINVAL. + */ +static int test_cxl_mbox_huge_out_size(struct cxl_memdev *memdev) +{ + struct cxl_send_command c = { 0 }; + const char *devname; + char path[256]; + void *buf; + int fd, rc; + + devname = cxl_memdev_get_devname(memdev); + if (!devname) + return -ENODEV; + + snprintf(path, sizeof(path), "/dev/cxl/%s", devname); + + fd = open(path, O_RDWR); + if (fd < 0) { + if (errno == ENOENT || errno == ENODEV) + return -ENODEV; + fprintf(stderr, "failed to open %s: %s\n", path, + strerror(errno)); + return -errno; + } + + buf = calloc(1, OUT_BUF_SIZE); + if (!buf) { + rc = -ENOMEM; + goto out; + } + + c.id = CXL_MEM_COMMAND_ID_IDENTIFY; + /* + * 0x80000000 (2^31, > INT_MAX) is the proven reproducer that trips the + * size > INT_MAX kvmalloc() WARN. out.size is __s32 in this vendored + * UAPI; cast to avoid -Woverflow, the kernel reads the same 4 bytes + * (kernel UAPI declares it __u32). + */ + c.out.size = (typeof(c.out.size))0x80000000U; + c.out.payload = (__u64)(uintptr_t)buf; + + rc = ioctl(fd, CXL_MEM_SEND_COMMAND, &c); + + /* Pass iff the kernel clamped (success), not rejected. */ + if (rc == 0 && c.retval == 0) { + rc = 0; + goto out; + } + + fprintf(stderr, + "CXL_MEM_SEND_COMMAND huge out.size mishandled: rc=%d errno=%d retval=%u\n", + rc, errno, c.retval); + rc = -ENXIO; + +out: + free(buf); + close(fd); + return rc; +} + +static int test_cxl_mbox(struct cxl_ctx *ctx, struct cxl_bus *bus) +{ + struct cxl_memdev *memdev; + + cxl_memdev_foreach(ctx, memdev) { + if (cxl_memdev_get_bus(memdev) != bus) + continue; + return test_cxl_mbox_huge_out_size(memdev); + } + + return -ENODEV; +} + +int main(int argc, char *argv[]) +{ + struct cxl_ctx *ctx; + struct cxl_bus *bus; + int rc; + + rc = cxl_new(&ctx); + if (rc < 0) + return rc; + + cxl_set_log_priority(ctx, LOG_DEBUG); + + bus = cxl_bus_get_by_provider(ctx, provider); + if (!bus) { + fprintf(stderr, "%s: unable to find bus (%s)\n", + argv[0], provider); + rc = -ENODEV; + goto out; + } + + rc = test_cxl_mbox(ctx, bus); + +out: + cxl_unref(ctx); + return rc; +} diff --git a/test/cxl-mbox.sh b/test/cxl-mbox.sh new file mode 100755 index 0000000..67fecf5 --- /dev/null +++ b/test/cxl-mbox.sh @@ -0,0 +1,48 @@ +#!/bin/bash -Ex +# SPDX-License-Identifier: GPL-2.0 +# Copyright (C) 2026 Nvidia Corporation. All rights reserved. + +. $(dirname "$0")/common + +BIN="$TEST_PATH"/cxl-mbox +rc=77 +# 237 is -ENODEV +ERR_NODEV=237 +# TAINT_WARN is bit 9 +TAINT_WARN=512 + +trap 'err $LINENO' ERR + +modprobe -r cxl_test 2>/dev/null +modprobe cxl_test +# cxl_test alone does not autoload the mock memdev module on this box +modprobe cxl_mock_mem + +main() +{ + test -x "$BIN" || do_skip "no CXL mailbox test" + + t0=$(cat /proc/sys/kernel/tainted) + + rc=0 + "$BIN" || rc=$? + + t1=$(cat /proc/sys/kernel/tainted) + + echo "status: $rc" + if [ "$rc" -eq "$ERR_NODEV" ]; then + do_skip "no cxl_test memdev" + elif [ "$rc" -ne 0 ]; then + echo "fail: $LINENO" && exit 1 + fi + + if (( (t1 & TAINT_WARN) && !(t0 & TAINT_WARN) )); then + echo "fail: $LINENO kernel WARN taint (bit 9) set" && exit 1 + fi + + _cxl_cleanup +} + +{ + main "$@"; exit "$?" +} base-commit: 8ad90e54f0ff4f7291e7f21d44d769d10f24e2b6 -- 2.43.0
