From: Sasha Levin <sashal@kernel.org>
To: gregkh@linuxfoundation.org, stable@vger.kernel.org,
	alison.schofield@intel.com
Cc: Sasha Levin <sashal@kernel.org>,
	patches@lists.linux.dev, linux-kernel@vger.kernel.org,
	dave@stgolabs.net, jonathan.cameron@huawei.com,
	dave.jiang@intel.com, vishal.l.verma@intel.com,
	ira.weiny@intel.com, dan.j.williams@intel.com,
	ming.li@zohomail.com, linux-cxl@vger.kernel.org,
	Fang Wang <32840572@qq.com>
Subject: Re: [PATCH 6.6.y] cxl/port: Fix use after free of parent_port in cxl_detach_ep()
Date: Mon, 25 May 2026 11:33:10 -0400	[thread overview]
Message-ID: <20260525152512.agent5-0007@kernel.org> (raw)
In-Reply-To: <tencent_C9D9ED71D51B177EDF71B708417942F4F206@qq.com>

On Mon, May 25, 2026 at 03:44:54PM +0800, Fang Wang wrote:
> From: Alison Schofield <alison.schofield@intel.com>
>
> [ Upstream commit 19d2f0b97a131198efc2c4ca3eb7f980bba8c2b4 ]
>
> @@ -527,6 +527,7 @@ static void cxl_port_release(struct device *dev)
>  	xa_destroy(&port->dports);
>  	xa_destroy(&port->regions);
>  	ida_free(&cxl_port_ida, port->id);
> +	put_device(dev->parent);
>  	kfree(port);
>  }
>
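Review bot: the put_device(dev->parent) added to cxl_port_release() here is unconditional, but the only new get_device() in this patch sits under the parent_dport branch of cxl_port_alloc(), so releasing a root port (whose dev->parent is uport_dev, assigned without a get) drops a reference that was never taken. Upstream pairs this put with an is_cxl_root(port) guard; 6.6 has no is_cxl_root(), so the backport needs an equivalent guard, or the root-port path must take its own get_device(dev->parent) so that both allocation paths balance the release.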
> @@ -657,6 +658,7 @@ static struct cxl_port *cxl_port_alloc(struct device *uport_dev,
>  		struct cxl_port *iter;
>
>  		dev->parent = &parent_port->dev;
> +		get_device(dev->parent);
>  		port->depth = parent_port->depth + 1;
>  		port->parent_dport = parent_dport;
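Review bot: get_device(dev->parent) is taken only on this branch, where dev->parent is &parent_port->dev; the sibling branch that does `dev->parent = uport_dev` takes none, yet the release path in the first hunk puts dev->parent for both kinds of port. Either add the matching get on the uport_dev path too or make the put conditional, and say in the backport's commit message why the upstream is_cxl_root() guard was dropped, since that is the change that makes this diverge from the upstream commit.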

This isn't safe as-is for 6.6. Upstream guards the put_device() in
cxl_port_release() with is_cxl_root(port), and only does the matching
get_device() on the child-port path. In 6.6, struct cxl_root does not
exist yet (it was added in v6.8 by commit 26064b3641c4 ("cxl: introduce
cxl_root")) and the is_cxl_root() helper is absent, so dropping the
guard means cxl_port_release() unconditionally puts dev->parent.

cxl_port_alloc() in 6.6 only takes the new get_device(dev->parent) on
the parent_dport != NULL branch; the root-port path still does
`dev->parent = uport_dev` with no matching get. The result is an
unbalanced put on the root port's uport_dev (typically the cxl_acpi
host device) on every cxl_acpi unload, which is a fresh refcount
underflow / UAF on 6.6.

-- 
Thanks,
Sasha
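To make the imbalance concrete, here is a small user-space C model. It is an added example, not code from the patch, the kernel, or Sasha's reply. The struct layouts, port_alloc(), the two port_release_*() variants and lifecycle_balanced() are stand-ins I constructed for illustration; the `depth == 0` check stands in for upstream's is_cxl_root(), which 6.6 lacks. The model allocates a root port with and without a child, tears both down with either release variant, and reports whether the host device's owner still holds its single reference afterwards (in the kernel, losing that reference is what frees the host device while cxl_acpi still uses it).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct device: only the reference count matters here. */
struct device {
    const char *name;
    int refcount;
};

/* Stand-in for struct cxl_port. The kernel reaches the parent through
 * dev.parent; this model keeps a separate pointer for brevity. */
struct cxl_port {
    struct device dev;
    struct device *parent;
    int depth;   /* 0 for the root port, parent depth + 1 for children */
};

static void get_device(struct device *d)
{
    if (d)
        d->refcount++;
}

/* Returns false on an unbalanced put (count already zero) instead of
 * freeing, so the caller can observe the imbalance directly. */
static bool put_device(struct device *d)
{
    if (!d)
        return true;
    if (d->refcount <= 0)
        return false;
    d->refcount--;
    return true;
}

/* Mirrors the split in cxl_port_alloc(): only the child-port path
 * (parent_port != NULL) takes the new reference on the parent. */
static struct cxl_port *port_alloc(const char *name, struct device *uport_dev,
                                   struct cxl_port *parent_port)
{
    struct cxl_port *port = calloc(1, sizeof(*port));
    if (!port)
        return NULL;
    port->dev.name = name;
    port->dev.refcount = 1;            /* the port's own initial reference */
    if (parent_port) {
        port->parent = &parent_port->dev;
        get_device(port->parent);      /* the get added by the patch */
        port->depth = parent_port->depth + 1;
    } else {
        port->parent = uport_dev;      /* root path: no matching get */
        port->depth = 0;
    }
    return port;
}

/* Release as the 6.6 backport would do it: put dev->parent unconditionally. */
static bool port_release_unguarded(struct cxl_port *port)
{
    bool ok = put_device(port->parent);
    free(port);
    return ok;
}

/* Release as upstream does it: skip the put for the root port, which
 * never took the reference. depth == 0 stands in for is_cxl_root(). */
static bool port_release_guarded(struct cxl_port *port)
{
    bool ok = port->depth == 0 ? true : put_device(port->parent);
    free(port);
    return ok;
}

/* Build a root port (plus an optional child), tear both down, and report
 * whether the host device's owner still holds its one reference. */
static bool lifecycle_balanced(bool guarded, bool with_child)
{
    struct device host = { "cxl_acpi-host", 1 };   /* owner's reference */
    bool (*release)(struct cxl_port *) =
        guarded ? port_release_guarded : port_release_unguarded;
    bool ok = true;

    struct cxl_port *root = port_alloc("root-port", &host, NULL);
    if (!root)
        return false;
    if (with_child) {
        struct cxl_port *child = port_alloc("child-port", NULL, root);
        if (!child) {
            free(root);
            return false;
        }
        /* child holds a reference on root->dev, so it sits at 2 here */
        ok = release(child) && root->dev.refcount == 1;
    }
    ok = release(root) && ok;
    return ok && host.refcount == 1;
}

int main(void)
{
    const char *v[] = { "UNBALANCED", "balanced" };
    printf("guarded,   root only : %s\n", v[lifecycle_balanced(true, false)]);
    printf("guarded,   with child: %s\n", v[lifecycle_balanced(true, true)]);
    printf("unguarded, root only : %s\n", v[lifecycle_balanced(false, false)]);
    printf("unguarded, with child: %s\n", v[lifecycle_balanced(false, true)]);
    return 0;
}
```

The child-port case balances either way, because that path takes the reference the release later drops; only the root-port case differs, and only the unguarded variant steals the host device owner's reference, which is the failure described in the reply.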
