linux/drivers/cxl/core
Davidlohr Bueso 9a6a209132 cxl/mbox: Use proper endpoint validity check upon sanitize
Fuzzing CXL triggered:

BUG: KASAN: null-ptr-deref in cxl_num_decoders_committed+0x3e/0x80 drivers/cxl/core/port.c:49
Read of size 4 at addr 0000000000000642 by task syz.0.97/2282

CPU: 2 UID: 0 PID: 2282 Comm: syz.0.97 Not tainted 7.0.0-rc1-gebd11be59f74-dirty #494 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 cxl_num_decoders_committed+0x3e/0x80 drivers/cxl/core/port.c:49
 cxl_mem_sanitize+0x141/0x170 drivers/cxl/core/mbox.c:1304
 security_sanitize_store+0xb0/0x120 drivers/cxl/core/memdev.c:173
 dev_attr_store+0x46/0x70 drivers/base/core.c:2437
 sysfs_kf_write+0x95/0xb0 fs/sysfs/file.c:142
 kernfs_fop_write_iter+0x276/0x330 fs/kernfs/file.c:352
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x5df/0xaa0 fs/read_write.c:688
 ksys_write+0x103/0x1f0 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x111/0x680 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f60a584ba79
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f60a42a7038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f60a5ab5fa0 RCX: 00007f60a584ba79
RDX: 0000000000000002 RSI: 00002000000001c0 RDI: 0000000000000003
RBP: 00007f60a58a49df R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f60a5ab6038 R14: 00007f60a5ab5fa0 R15: 00007ffe58fad8b8
 </TASK>

This goes away using the correct check instead of abusing cxlmd->endpoint,
which is unusable (ENXIO) until the driver has probed. During that window
the memdev sysfs attributes are already visible, as soon as device_add()
completes.

Fixes: 29317f8dc6 ("cxl/mem: Introduce cxl_memdev_attach for CXL-dependent operation")
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Reviewed-by: Gregory Price <gourry@gourry.net>
Link: https://patch.msgid.link/20260301221739.1726722-1-dave@stgolabs.net
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
2026-03-18 08:49:29 -07:00
Makefile Merge branch 'for-7.0/cxl-prm-translation' into cxl-for-next 2026-02-04 10:53:33 -07:00
atl.c cxl: Disable HPA/SPA translation handlers for Normalized Addressing 2026-02-04 09:17:31 -07:00
cdat.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
core.h cxl/port: Introduce port_to_host() helper 2026-02-23 09:31:07 -07:00
edac.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
features.c Convert 'alloc_flex' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
hdm.c cxl/hdm: Avoid incorrect DVSEC fallback when HDM decoders are enabled 2026-03-16 16:58:32 -07:00
mbox.c cxl/mbox: Use proper endpoint validity check upon sanitize 2026-03-18 08:49:29 -07:00
mce.c cxl: Add mce notifier to emit aliased address for extended linear cache 2025-02-26 14:13:49 -07:00
mce.h cxl: mce: fix typo "notifer" 2025-08-02 12:01:39 -07:00
memdev.c cxl/memdev: fix deadlock in cxl_memdev_autoremove() on attach failure 2026-02-23 09:03:44 -07:00
pci.c cxl/port: Move dport probe operations to a driver event 2026-02-02 08:41:29 -07:00
pmem.c cxl: Fix race of nvdimm_bus object when creating nvdimm objects 2026-02-24 08:33:21 -07:00
pmu.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
port.c cxl/port: Fix use after free of parent_port in cxl_detach_ep() 2026-03-03 10:20:19 -07:00
ras.c cxl changes for v7.0 2026-02-12 16:33:05 -08:00
ras_rch.c cxl: Update RAS handler interfaces to also support CXL Ports 2026-01-22 15:07:04 -07:00
region.c cxl/region: Fix leakage in __construct_region() 2026-03-04 10:26:39 -07:00
regs.c PCI: Update CXL DVSEC definitions 2026-01-22 14:52:23 -07:00
suspend.c module: Convert symbol namespace to string literal 2024-12-02 11:34:44 -08:00
trace.c cxl/region: Move cxl_trace_hpa() work to the region driver 2024-04-30 12:24:42 -07:00
trace.h cxl/trace: Subtract to find an hpa_alias0 in cxl_poison events 2025-10-14 14:48:14 -07:00