On Wed, Jun 24, 2026 at 10:58:43PM +0800, Richard Cheng wrote:
> Implement a regression test for unbounded kvzalloc() in the kernel's
> cxl_mbox_cmd_ctor(), which a CXL_MEM_SEND_COMMAND with an out.size
> greater than INT_MAX could drive into a size > INT_MAX kvmalloc() WARN.
>
> libcxl's cxl_cmd_set_output_payload() rejects an out.size larger than
> the mailbox payload_max, so the test crafts a raw struct
> cxl_send_command and issues the CXL_MEM_SEND_COMMAND ioctl directly
> against the cxl_test mock memdev.
>
> The test is for a kernel bug fix [1].
>
> [1]: https://lore.kernel.org/all/[email protected]/
> Signed-off-by: Richard Cheng <[email protected]>
Sorry, forgot to add the ndctl prefix, please ignore this one.
I'll resend it.
Best regards,
Richard Cheng.
> ---
> test/cxl-mbox.c | 129 +++++++++++++++++++++++++++++++++++++++++++++++
> test/cxl-mbox.sh | 48 ++++++++++++++++++
> 2 files changed, 177 insertions(+)
> create mode 100644 test/cxl-mbox.c
> create mode 100755 test/cxl-mbox.sh
>
> diff --git a/test/cxl-mbox.c b/test/cxl-mbox.c
> new file mode 100644
> index 0000000..d81327b
> --- /dev/null
> +++ b/test/cxl-mbox.c
> @@ -0,0 +1,129 @@
> +// SPDX-License-Identifier: GPL-2.0
> +// Copyright (C) 2026 Nvidia Corporation. All rights reserved.
> +#include <errno.h>
> +#include <fcntl.h>
> +#include <stdio.h>
> +#include <stdint.h>
> +#include <stddef.h>
> +#include <stdlib.h>
> +#include <syslog.h>
> +#include <string.h>
> +#include <unistd.h>
> +#include <sys/ioctl.h>
> +#include <cxl/libcxl.h>
> +#include <cxl/cxl_mem.h>
> +
> +static const char provider[] = "cxl_test";
> +
> +/*
> + * The cxl_test mock advertises a 4 KiB (SZ_4K) mailbox payload_size and
> + * IDENTIFY returns a full struct cxl_mbox_identify. Post-fix the kernel
> + * clamps the output allocation to payload_size and copies that many bytes
> + * back into out.payload, so the buffer must be >= payload_size. 64 KiB is
> + * comfortably above the mock's 4 KiB payload.
> + */
> +#define OUT_BUF_SIZE (64 * 1024)
> +
> +/*
> + * Regression for the unbounded kvzalloc() in cxl_mbox_cmd_ctor() driven by a
> + * huge CXL_MEM_SEND_COMMAND out.size. The kernel fix CLAMPS the output
> + * allocation to the mailbox payload_size; it does not reject the request.
> + * Assert the ioctl SUCCEEDS (no -ENOMEM) -- do NOT assert -EINVAL.
> + */
> +static int test_cxl_mbox_huge_out_size(struct cxl_memdev *memdev)
> +{
> + struct cxl_send_command c = { 0 };
> + const char *devname;
> + char path[256];
> + void *buf;
> + int fd, rc;
> +
> + devname = cxl_memdev_get_devname(memdev);
> + if (!devname)
> + return -ENODEV;
> +
> + snprintf(path, sizeof(path), "/dev/cxl/%s", devname);
> +
> + fd = open(path, O_RDWR);
> + if (fd < 0) {
> + if (errno == ENOENT || errno == ENODEV)
> + return -ENODEV;
> + fprintf(stderr, "failed to open %s: %s\n", path,
> + strerror(errno));
> + return -errno;
> + }
> +
> + buf = calloc(1, OUT_BUF_SIZE);
> + if (!buf) {
> + rc = -ENOMEM;
> + goto out;
> + }
> +
> + c.id = CXL_MEM_COMMAND_ID_IDENTIFY;
> + /*
> + * 0x80000000 (2^31, > INT_MAX) is the proven reproducer that trips the
> + * size > INT_MAX kvmalloc() WARN. out.size is __s32 in this vendored
> + * UAPI; cast to avoid -Woverflow, the kernel reads the same 4 bytes
> + * (kernel UAPI declares it __u32).
> + */
> + c.out.size = (typeof(c.out.size))0x80000000U;
> + c.out.payload = (__u64)(uintptr_t)buf;
> +
> + rc = ioctl(fd, CXL_MEM_SEND_COMMAND, &c);
> +
> + /* Pass iff the kernel clamped (success), not rejected. */
> + if (rc == 0 && c.retval == 0) {
> + rc = 0;
> + goto out;
> + }
> +
> + fprintf(stderr,
> + "CXL_MEM_SEND_COMMAND huge out.size mishandled: rc=%d errno=%d
> retval=%u\n",
> + rc, errno, c.retval);
> + rc = -ENXIO;
> +
> +out:
> + free(buf);
> + close(fd);
> + return rc;
> +}
> +
> +static int test_cxl_mbox(struct cxl_ctx *ctx, struct cxl_bus *bus)
> +{
> + struct cxl_memdev *memdev;
> +
> + cxl_memdev_foreach(ctx, memdev) {
> + if (cxl_memdev_get_bus(memdev) != bus)
> + continue;
> + return test_cxl_mbox_huge_out_size(memdev);
> + }
> +
> + return -ENODEV;
> +}
> +
> +int main(int argc, char *argv[])
> +{
> + struct cxl_ctx *ctx;
> + struct cxl_bus *bus;
> + int rc;
> +
> + rc = cxl_new(&ctx);
> + if (rc < 0)
> + return rc;
> +
> + cxl_set_log_priority(ctx, LOG_DEBUG);
> +
> + bus = cxl_bus_get_by_provider(ctx, provider);
> + if (!bus) {
> + fprintf(stderr, "%s: unable to find bus (%s)\n",
> + argv[0], provider);
> + rc = -ENODEV;
> + goto out;
> + }
> +
> + rc = test_cxl_mbox(ctx, bus);
> +
> +out:
> + cxl_unref(ctx);
> + return rc;
> +}
> diff --git a/test/cxl-mbox.sh b/test/cxl-mbox.sh
> new file mode 100755
> index 0000000..67fecf5
> --- /dev/null
> +++ b/test/cxl-mbox.sh
> @@ -0,0 +1,48 @@
> +#!/bin/bash -Ex
> +# SPDX-License-Identifier: GPL-2.0
> +# Copyright (C) 2026 Nvidia Corporation. All rights reserved.
> +
> +. $(dirname "$0")/common
> +
> +BIN="$TEST_PATH"/cxl-mbox
> +rc=77
> +# 237 is -ENODEV
> +ERR_NODEV=237
> +# TAINT_WARN is bit 9
> +TAINT_WARN=512
> +
> +trap 'err $LINENO' ERR
> +
> +modprobe -r cxl_test 2>/dev/null
> +modprobe cxl_test
> +# cxl_test alone does not autoload the mock memdev module on this box
> +modprobe cxl_mock_mem
> +
> +main()
> +{
> + test -x "$BIN" || do_skip "no CXL mailbox test"
> +
> + t0=$(cat /proc/sys/kernel/tainted)
> +
> + rc=0
> + "$BIN" || rc=$?
> +
> + t1=$(cat /proc/sys/kernel/tainted)
> +
> + echo "status: $rc"
> + if [ "$rc" -eq "$ERR_NODEV" ]; then
> + do_skip "no cxl_test memdev"
> + elif [ "$rc" -ne 0 ]; then
> + echo "fail: $LINENO" && exit 1
> + fi
> +
> + if (( (t1 & TAINT_WARN) && !(t0 & TAINT_WARN) )); then
> + echo "fail: $LINENO kernel WARN taint (bit 9) set" && exit 1
> + fi
> +
> + _cxl_cleanup
> +}
> +
> +{
> + main "$@"; exit "$?"
> +}
>
> base-commit: 8ad90e54f0ff4f7291e7f21d44d769d10f24e2b6
> --
> 2.43.0
>
