From: sashiko-bot@kernel.org
To: "Dave Jiang" <dave.jiang@intel.com>
Cc: linux-cxl@vger.kernel.org
Subject: Re: [PATCH v4 1/6] cxl/test: Add test for module parameters
Date: Thu, 11 Jun 2026 15:34:40 +0000 [thread overview]
Message-ID: <20260611153441.2170E1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260611152124.3656434-2-dave.jiang@intel.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The module unregisters `hmem_test_device` without flushing or canceling its pending work, leading to a use-after-free and execute-after-free when the `cxl_test` module unloads.
--
commit 25e58b40eb66000f930689ce58f1f38f11a8a5bd
Author: Dave Jiang <dave.jiang@intel.com>
cxl/test: Add test for module parameters
Add a test for module parameters during module init to make sure that
only one is activated.
[ ... ]
> diff --git a/tools/testing/cxl/test/hmem_test.c b/tools/testing/cxl/test/hmem_test.c
> index 3a1a089e1721b..0fa00f7e16db5 100644
> --- a/tools/testing/cxl/test/hmem_test.c
> +++ b/tools/testing/cxl/test/hmem_test.c
> @@ -3,8 +3,9 @@
> #include <linux/moduleparam.h>
> #include <linux/workqueue.h>
> #include "../../../drivers/dax/bus.h"
> +#include "mock.h"
>
> -static bool hmem_test;
> +bool hmem_test;
>
> static void hmem_test_work(struct work_struct *work)
> {
[Severity: High]
This is a pre-existing issue, but does the hmem_test module leak
outstanding workqueue references upon unload?
The module unregisters hmem_test_device in hmem_test_exit() without flushing
or canceling its pending work:
tools/testing/cxl/test/hmem_test.c:hmem_test_exit() {
if (hmem_test)
platform_device_unregister(&hmem_test_device.pdev);
}
Because hmem_test_device is statically allocated in the module:
tools/testing/cxl/test/hmem_test.c:
static struct hmem_platform_device hmem_test_device = { ... };
and its release function is in the module's text section:
tools/testing/cxl/test/hmem_test.c:hmem_test_release() {
struct hmem_platform_device *hpdev =
container_of(dev, typeof(*hpdev), pdev.dev);
memset(hpdev, 0, sizeof(*hpdev));
}
could the module unload, allowing its memory to be freed before the
workqueue executes?
If the pending work executes after the module is unloaded, it would access the
freed hmem_test_device memory and trigger hmem_test_release() from the unloaded
text section, causing a kernel crash. Should there be a call to cancel the
work before unregistering the device?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611152124.3656434-1-dave.jiang@intel.com?part=1
next prev parent reply other threads:[~2026-06-11 15:34 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 15:21 [PATCH v4 0/6] cxl: Add CXL type2 accelerator support for cxl_test Dave Jiang
2026-06-11 15:21 ` [PATCH v4 1/6] cxl/test: Add test for module parameters Dave Jiang
2026-06-11 15:34 ` sashiko-bot [this message]
2026-06-11 15:21 ` [PATCH v4 2/6] cxl/test: Add type2 support for mock CFMWS0 Dave Jiang
2026-06-11 15:38 ` sashiko-bot
2026-06-11 15:21 ` [PATCH v4 3/6] cxl/test: Refactor platform device enumerations Dave Jiang
2026-06-11 15:21 ` [PATCH v4 4/6] cxl/test: Add hierarchy enumeration support for type2 device Dave Jiang
2026-06-11 15:31 ` sashiko-bot
2026-06-11 15:21 ` [PATCH v4 5/6] cxl/test: Fixup hdm init for auto region to support type2 Dave Jiang
2026-06-11 15:44 ` sashiko-bot
2026-06-11 15:21 ` [PATCH v4 6/6] cxl/test: Add cxl_test accelerator driver Dave Jiang
2026-06-11 15:32 ` sashiko-bot
2026-06-11 15:41 ` Dave Jiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260611153441.2170E1F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dave.jiang@intel.com \
--cc=linux-cxl@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.