From: Dave Jiang <dave.jiang@intel.com>
To: linux-cxl@vger.kernel.org
Cc: djbw@kernel.org, dave@stgolabs.net, jic23@kernel.org,
alison.schofield@intel.com, vishal.l.verma@intel.com,
flavien@nus.edu.sg, stable@vger.kernel.org
Subject: [PATCH 1/2] cxl/mce: Validate memdev and endpoint before dereference in cxl_handle_mce()
Date: Mon, 15 Jun 2026 17:40:06 -0700 [thread overview]
Message-ID: <20260616004007.4186004-2-dave.jiang@intel.com> (raw)
In-Reply-To: <20260616004007.4186004-1-dave.jiang@intel.com>
cxlmd and endpoint are both used in cxl_handle_mce() without proper
validation, which can lead to NULL pointer dereference or invalid pointer
dereference. The notifier is registered in cxl_memdev_state_create()
when the CXL PCI driver first binds, before the memdev is published and
before it is attached to a CXL topology.
Add checks to cxlmd and endpoint to ensure they are valid before usage.
Reported-by: Flavien Solt <flavien@nus.edu.sg>
Fixes: 516e5bd0b6bf ("cxl: Add mce notifier to emit aliased address for extended linear cache")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
---
drivers/cxl/core/mce.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/cxl/core/mce.c b/drivers/cxl/core/mce.c
index ff8d078c6ca1..47566015eb00 100644
--- a/drivers/cxl/core/mce.c
+++ b/drivers/cxl/core/mce.c
@@ -13,7 +13,7 @@ static int cxl_handle_mce(struct notifier_block *nb, unsigned long val,
struct cxl_memdev_state *mds = container_of(nb, struct cxl_memdev_state,
mce_notifier);
struct cxl_memdev *cxlmd = mds->cxlds.cxlmd;
- struct cxl_port *endpoint = cxlmd->endpoint;
+ struct cxl_port *endpoint;
struct mce *mce = data;
u64 spa, spa_alias;
unsigned long pfn;
@@ -21,7 +21,11 @@ static int cxl_handle_mce(struct notifier_block *nb, unsigned long val,
if (!mce || !mce_usable_address(mce))
return NOTIFY_DONE;
- if (!endpoint)
+ if (!cxlmd)
+ return NOTIFY_DONE;
+
+ endpoint = cxlmd->endpoint;
+ if (IS_ERR_OR_NULL(endpoint))
return NOTIFY_DONE;
spa = mce->addr & MCI_ADDR_PHYSADDR;
--
2.54.0
next prev parent reply other threads:[~2026-06-16 0:40 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-16 0:40 [PATCH 0/2] cxl: Fix endpoint access issues with CXL MCE notifier handler Dave Jiang
2026-06-16 0:40 ` Dave Jiang [this message]
2026-06-16 0:54 ` [PATCH 1/2] cxl/mce: Validate memdev and endpoint before dereference in cxl_handle_mce() sashiko-bot
2026-06-16 0:40 ` [PATCH 2/2] cxl/mce: Serialize the MCE handler against endpoint teardown Dave Jiang
2026-06-16 1:03 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260616004007.4186004-2-dave.jiang@intel.com \
--to=dave.jiang@intel.com \
--cc=alison.schofield@intel.com \
--cc=dave@stgolabs.net \
--cc=djbw@kernel.org \
--cc=flavien@nus.edu.sg \
--cc=jic23@kernel.org \
--cc=linux-cxl@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=vishal.l.verma@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.