Received: by 2002:ab2:1149:0:b0:1f3:1f8c:d0c6 with SMTP id z9csp1915324lqz;
        Tue, 2 Apr 2024 01:14:37 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCVJQVj0/YuAPSArSWpyfE+G4uIxoOiN4OiQxwGemwCt9B3RjlIxl839nklHKOPiXj8eS8IYbG+OKB9d9lVIhvUkRnuwPAcAj/RmuPjMiw==
X-Google-Smtp-Source: AGHT+IGACqAXXR7FrixwTCdg96FncqX63QfX7JY2MUrMfXD4Bmrl4z6z+OKNTG6/vaM41akoQHcK
X-Received: by 2002:a17:906:f757:b0:a4e:8a80:92ed with SMTP id jp23-20020a170906f75700b00a4e8a8092edmr653946ejb.39.1712045677236;
        Tue, 02 Apr 2024 01:14:37 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1712045677; cv=pass;
        d=google.com; s=arc-20160816;
        b=VJzyxAnAb8hg8Aw/kj8hMUaK0bnu0KKlOZEF2D/fqM0GP60cZpWv74Z36yEgLQThiD
         Z7/b8FwAAYGzL5Nvkk/BbGaCukpgN6ix9bpo9zEPZW4A3JnGgcF5WtWJck1VG+oYJ3Qw
         kZPtvycuxvcvjqDSowl2osK9geXt6j5lMabCoXuj5dkosg933+TMf4opIYF70JQ6WDE2
         7HBmAb/30qDi18jAzeY5Yjcks3Or+Yj9tHgIJGiiuYHuDC4TGeIkpWd1EiM8sz+qXrpy
         Cp+EsaENhRxujDeqMgQWutc/mHt6jwHFczxlivhmm+VNFP7bC5a67eW3vmFMmHaXAfIv
         jDvQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:message-id
         :date:subject:cc:to:from;
        bh=Fa/2HxSfzIgoOpEnwjNc2XyVV+MKmAma+iK/P8j+piI=;
        fh=bTEC1MeFsNtW7nghrhREF6lRnDlBKZ7X8KksU3pdGbM=;
        b=GTIyq89CS0dDywwPh8LLJqiWuuPTRfO7H3Wh7l+46yhrAVHZ/HY3U5rCaJI6JfyIil
         prj2ScLpuRAdeY+vKy8y8wvEo6nT50/dWd6uviR+BHROLosaNaiZ56TNqt1HsXMvjM8O
         arkE0Ja4CXu/FqZe6f5JvSN+IIOG7ORMaygwOfNdxGSrYIJAPGHH2pJDdViR8fQwedic
         WC+A+KE4MCVdWxj/P6MKfxtiRtsvmYchSYJVCX3/a4ssODp/svi7Q0NSfzw1dUk5NX7F
         4Y8/zIv+dJCOnIbjgglch1TZH7z59LlmERnqyx2lMdTPxAwXydNbwwACGKcjJvlGGY1t
         bvCA==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=sk.com);
       spf=pass (google.com: domain of linux-kernel+bounces-127532-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-127532-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-127532-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
        by mx.google.com with ESMTPS id l6-20020a170906644600b00a4653cc39fesi5204620ejn.829.2024.04.02.01.14.37
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 02 Apr 2024 01:14:37 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-127532-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=sk.com);
       spf=pass (google.com: domain of linux-kernel+bounces-127532-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-127532-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id E9CFA1F2283E
	for <linux.lists.archive@gmail.com>; Tue,  2 Apr 2024 08:14:36 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id BE1A0405CF;
	Tue,  2 Apr 2024 08:14:22 +0000 (UTC)
Received: from invmail4.hynix.com (exvmail4.skhynix.com [166.125.252.92])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 401933D552;
	Tue,  2 Apr 2024 08:14:16 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=166.125.252.92
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1712045662; cv=none; b=QYHEDwfiXnWDizkqKiNA15cwckAgEI3WfINj2KyK/unw50WSRrq1xCKcmqx87QzD7lzhurafKeiJ7AkkPGd+IFDAbn/AbSbbgzVZItbnJBE+Q/PPu1JYRshKTKBNHtAA/qrX5Y4GaGuTgRhCswzaoJHSifCiJ+KAacYFeTJKv4w=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1712045662; c=relaxed/simple;
	bh=zFoKGVF+3N6sg6qvMpvexaatvVtPYRghID21GGzQsC0=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version; b=u5TVEjVTW95nuobeJZrimN5SCzIbsm+R67g+Gt1QGn6IJOaOJkWql7TO+sHSKY/h3qISSfHH/cUl19O9fKcFEvq1KD+HDi/tI6WTtKKr2FjWrNVzVKVvLcqfhXIhMEYljR7A8r8iSKmP/bc5+FgOF48GhlpJUshaPQbc375K770=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sk.com; spf=pass smtp.mailfrom=sk.com; arc=none smtp.client-ip=166.125.252.92
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sk.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=sk.com
X-AuditID: a67dfc5b-d6dff70000001748-62-660bbe500238
From: Kwangjin Ko <kwangjin.ko@sk.com>
To: dave@stgolabs.net,
	jonathan.cameron@huawei.com,
	dave.jiang@intel.com,
	alison.schofield@intel.com,
	vishal.l.verma@intel.com,
	ira.weiny@intel.com,
	dan.j.williams@intel.com
Cc: linux-cxl@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	kernel_team@skhynix.com
Subject: [PATCH v2 1/1] cxl/core: Fix initialization of mbox_cmd.size_out in get event
Date: Tue,  2 Apr 2024 17:14:03 +0900
Message-ID: <20240402081404.1106-2-kwangjin.ko@sk.com>
X-Mailer: git-send-email 2.44.0.windows.1
In-Reply-To: <20240402081404.1106-1-kwangjin.ko@sk.com>
References: <20240402081404.1106-1-kwangjin.ko@sk.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrCLMWRmVeSWpSXmKPExsXC9ZZnkW7APu40g9b1fBZ3H19gs5g+9QKj
	xYmbjWwWq2+uYbTY//Q5i8WqhdfYLM7POsVicXnXHDaLWxOOMTlwerQcecvqsXjPSyaPqbPr
	PT5vkgtgieKySUnNySxLLdK3S+DKOP55HlvBTu6K3Ru/MDcw9nJ2MXJySAiYSPz9dZcZxt70
	6CaYzSagJjHp2mG2LkYuDhGBnYwSt5etAUswC0RIbGnqZwKxhQXCJO7vnMMGYrMIqEosvXQf
	yObg4BUwkzi6zRhipqbE+1nfwVo5Bcwl2hd+ZQexhYBK+u8uYASxeQUEJU7OfMICMV5eonnr
	bGaQvRICC9gkdi+9ywoxSFLi4IobLBMY+Wch6ZmFpGcBI9MqRqHMvLLcxMwcE72MyrzMCr3k
	/NxNjMCwXVb7J3oH46cLwYcYBTgYlXh4b2zjShNiTSwrrsw9xCjBwawkwvvTmzNNiDclsbIq
	tSg/vqg0J7X4EKM0B4uSOK/Rt/IUIYH0xJLU7NTUgtQimCwTB6dUA+PqTyXneJivST/pTVv9
	Vli/1pnp9J8XLov6zDM2sHhnpywQSlr/d1FG8Vum19XHpTNfNAZZO/zSFP300TW9ST9cfWam
	0PSwqRNu+2gKvo0p+PK+p4Kb/67TYVbe/49/PrTefj0+3tPOuzb2fYhAiADX3IAauSln5BZe
	9rdd93HhuY618nW1p5VYijMSDbWYi4oTAVWkrKxXAgAA
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrNLMWRmVeSWpSXmKPExsXCNUPhiW7APu40g95+Jou7jy+wWUyfeoHR
	4sTNRjaL1TfXMFrsf/qcxWLVwmtsFofnnmS1OD/rFIvF5V1z2CxuTTjG5MDl0XLkLavH4j0v
	mTwWv/jA5DF1dr3H501yAaxRXDYpqTmZZalF+nYJXBnHP89jK9jJXbF74xfmBsZezi5GTg4J
	AROJTY9uMoPYbAJqEpOuHWbrYuTiEBHYyShxe9kasASzQITElqZ+JhBbWCBM4v7OOWwgNouA
	qsTSS/eBbA4OXgEziaPbjCFmakq8n/UdrJVTwFyifeFXdhBbCKik/+4CRhCbV0BQ4uTMJywQ
	4+UlmrfOZp7AyDMLSWoWktQCRqZVjCKZeWW5iZk5pnrF2RmVeZkVesn5uZsYgUG4rPbPxB2M
	Xy67H2IU4GBU4uG9sJ4rTYg1say4MvcQowQHs5II709vzjQh3pTEyqrUovz4otKc1OJDjNIc
	LErivF7hqQlCAumJJanZqakFqUUwWSYOTqkGxuQ7G69yunt0m1z4c2hFwdG6z162M2KU+m5K
	a/PvddF/5b+pVfz8ZZfwwp598TXfLns1ZD+b+kj/0oaLJ6YUz/b0iT9p7tF/13erfN/HTofl
	21zMfSxP+9du3cB/a6dZ+elUp6wO7Xcv0pS6wi1fzKvcLHJzpRiDRE2ChFvVn1fqTxnfTe1j
	V2Ipzkg01GIuKk4EAAgrpqQ+AgAA
X-CFilter-Loop: Reflected

Since mbox_cmd.size_out is overwritten with the actual output size in
the function below, it needs to be initialized every time.

cxl_internal_send_cmd -> __cxl_pci_mbox_send_cmd

Problem scenario:

1) The size_out variable is initially set to the size of the mailbox.
2) Read an event.
   - size_out is set to 160 bytes(header 32B + one event 128B).
   - Two event are created while reading.
3) Read the new *two* events.
   - size_out is still set to 160 bytes.
   - Although the value of out_len is 288 bytes, only 160 bytes are
     copied from the mailbox register to the local variable.
   - record_count is set to 2.
   - Accessing records[1] will result in reading incorrect data.

Signed-off-by: Kwangjin Ko <kwangjin.ko@sk.com>
---
 drivers/cxl/core/mbox.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c
index 9adda4795eb7..a38531a055c8 100644
--- a/drivers/cxl/core/mbox.c
+++ b/drivers/cxl/core/mbox.c
@@ -958,13 +958,14 @@ static void cxl_mem_get_records_log(struct cxl_memdev_state *mds,
 		.payload_in = &log_type,
 		.size_in = sizeof(log_type),
 		.payload_out = payload,
-		.size_out = mds->payload_size,
 		.min_out = struct_size(payload, records, 0),
 	};
 
 	do {
 		int rc, i;
 
+		mbox_cmd.size_out = mds->payload_size;
+
 		rc = cxl_internal_send_cmd(mds, &mbox_cmd);
 		if (rc) {
 			dev_err_ratelimited(dev,
-- 
2.34.1