From: sashiko-bot@kernel.org
To: "Dave Jiang" <dave.jiang@intel.com>
Cc: linux-cxl@vger.kernel.org
Subject: Re: [PATCH 1/2] cxl/mce: Validate memdev and endpoint before dereference in cxl_handle_mce()
Date: Tue, 16 Jun 2026 00:54:03 +0000	[thread overview]
Message-ID: <20260616005404.4204D1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260616004007.4186004-2-dave.jiang@intel.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The validation added for `cxlmd` fails to account for device teardown, where `cxlds->cxlmd` becomes a dangling pointer, leading to an incomplete fix and Use-After-Free.
--

commit d4d366d587ddef82637af37fbf8cd28754d28024
Author: Dave Jiang <dave.jiang@intel.com>

cxl/mce: Validate memdev and endpoint before dereference in cxl_handle_mce()

cxlmd and endpoint are both used in cxl_handle_mce() without proper
validation, which can lead to NULL pointer dereference or invalid pointer
dereference. The notifier is registered in cxl_memdev_state_create()
when the CXL PCI driver first binds.

> diff --git a/drivers/cxl/core/mce.c b/drivers/cxl/core/mce.c
> index ff8d078c6ca1e..47566015eb006 100644
> --- a/drivers/cxl/core/mce.c
> +++ b/drivers/cxl/core/mce.c
[ ... ]
> @@ -21,7 +21,11 @@ static int cxl_handle_mce(struct notifier_block *nb, unsigned long val,
>  	if (!mce || !mce_usable_address(mce))
>  		return NOTIFY_DONE;
>  
> -	if (!endpoint)
> +	if (!cxlmd)
> +		return NOTIFY_DONE;
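Review bot: the new `if (!cxlmd)` test only rejects a NULL pointer, while the commit message also claims protection against an "invalid pointer dereference"; a stale, non-NULL cxlds->cxlmd passes this check unchanged. Either narrow the commit message to the NULL case, or state what guarantees cxlds->cxlmd stays valid for as long as the notifier is registered (for example, clearing the back-pointer in the memdev teardown path, or unregistering the notifier before the memdev is torn down).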

[Severity: High]
This isn't a bug introduced by this patch, but does this check adequately
protect against a use-after-free during device teardown?

The MCE notifier is registered via devm_cxl_register_mce_notifier() early in
the PCI probe sequence. Later, cxl_memdev_autoremove() registers the
cxl_memdev_unregister() teardown action via devm_add_action_or_reset().
Because devm actions execute in LIFO order, cxl_memdev_unregister() runs
before the MCE notifier is unregistered.

During cxl_memdev_unregister(), put_device(&cxlmd->dev) is called, which can
free the cxlmd structure. However, neither cxl_memdev_unregister() nor
cxl_memdev_shutdown() clears the cxlds->cxlmd pointer.

This leaves mds->cxlds.cxlmd as a dangling pointer. If an MCE occurs during
this teardown window, cxl_handle_mce() will find a non-NULL cxlmd and pass it
to cxlmd_get_endpoint_dev(), which calls guard(device)(&cxlmd->dev), resulting
in a use-after-free.

> +
> +	endpoint = cxlmd->endpoint;
> +	if (IS_ERR_OR_NULL(endpoint))
>  		return NOTIFY_DONE;
>  
>  	spa = mce->addr & MCI_ADDR_PHYSADDR;
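Review bot: `endpoint = cxlmd->endpoint;` is read and checked with `IS_ERR_OR_NULL()` before any lock is taken, so the check is only a snapshot; the commit message should say why the value cannot change between this check and its later use, or the check should move under the same lock that protects assignment of the endpoint. A second point for the commit message: the old test was `!endpoint`, and switching to `IS_ERR_OR_NULL()` implies `cxlmd->endpoint` can hold an ERR_PTR value, which the description does not mention.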

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260616004007.4186004-1-dave.jiang@intel.com?part=1
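As an added illustration of the ordering argument in the review above (this is not kernel code, nor code from the patch author or the review bot), the following user-space model replays the devm teardown sequence the review describes: the MCE notifier's release action is registered first, the memdev teardown later, and devm runs them in reverse (LIFO) order. The structure and function names mirror the review's (`cxlds`, `cxlmd`, the notifier) but are toy stand-ins, and `memdev_unregister_clearing` is a hypothetical variant that clears the back-pointer, included only to show what the added NULL check can and cannot catch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_ACTIONS 8

/* Toy stand-ins for the kernel structures named in the review. */
struct cxl_memdev {
	bool freed;                   /* set when put_device() would drop the last ref */
};

struct cxl_dev_state {
	struct cxl_memdev *cxlmd;     /* the back-pointer the review calls cxlds->cxlmd */
	bool mce_notifier_registered;
};

/* A devm release action, modelled as a plain callback on cxlds. */
typedef void (*devm_action_t)(struct cxl_dev_state *cxlds);

struct devm_stack {
	devm_action_t fn[MAX_ACTIONS];
	int n;
};

static void devm_add_action(struct devm_stack *s, devm_action_t fn)
{
	if (s->n < MAX_ACTIONS)
		s->fn[s->n++] = fn;
}

/* devm runs release actions in reverse order of registration (LIFO).
 * One action is popped per call so the intermediate state is observable. */
static bool devm_release_one(struct devm_stack *s, struct cxl_dev_state *cxlds)
{
	if (s->n == 0)
		return false;
	s->fn[--s->n](cxlds);
	return true;
}

static void mce_notifier_unregister(struct cxl_dev_state *cxlds)
{
	cxlds->mce_notifier_registered = false;
}

/* Teardown as the review describes it: the memdev goes away but
 * cxlds->cxlmd is left pointing at it. */
static void memdev_unregister_stale(struct cxl_dev_state *cxlds)
{
	cxlds->cxlmd->freed = true;
}

/* Hypothetical variant that also clears the back-pointer (constructed for
 * this model; the series itself handles the race in its second patch). */
static void memdev_unregister_clearing(struct cxl_dev_state *cxlds)
{
	cxlds->cxlmd->freed = true;
	cxlds->cxlmd = NULL;
}

/* Model of the patched cxl_handle_mce() entry checks.
 * Returns 0 when the handler bails out safely, 1 when it proceeds with a
 * live memdev, and -1 when it would proceed with a freed one (the UAF case). */
static int handle_mce(struct cxl_dev_state *cxlds)
{
	struct cxl_memdev *cxlmd;

	if (!cxlds->mce_notifier_registered)
		return 0;             /* notifier gone: handler is never invoked */
	cxlmd = cxlds->cxlmd;
	if (!cxlmd)
		return 0;             /* the check added by the patch */
	if (cxlmd->freed)
		return -1;            /* non-NULL but dangling: invisible to that check */
	return 1;
}

/* Run teardown with the given memdev release action and return the worst
 * result handle_mce() could observe at any point during teardown. */
static int worst_case_during_teardown(devm_action_t memdev_release)
{
	struct cxl_memdev memdev = { .freed = false };
	struct cxl_dev_state cxlds = { .cxlmd = &memdev, .mce_notifier_registered = true };
	struct devm_stack stack = { .n = 0 };
	int worst = handle_mce(&cxlds);

	/* Registration order from the review: notifier first, memdev teardown later. */
	devm_add_action(&stack, mce_notifier_unregister);
	devm_add_action(&stack, memdev_release);

	while (devm_release_one(&stack, &cxlds)) {
		int r = handle_mce(&cxlds);
		if (r < worst)
			worst = r;
	}
	return worst;
}

int main(void)
{
	printf("stale back-pointer:   %d\n", worst_case_during_teardown(memdev_unregister_stale));
	printf("cleared back-pointer: %d\n", worst_case_during_teardown(memdev_unregister_clearing));
	return 0;
}
```

The model only captures ordering: with the stale teardown the handler sees a non-NULL, already-freed memdev in the window between the two release actions, and the NULL check cannot distinguish that from a live one. Clearing the pointer removes that particular outcome in the sequential model, but in the kernel a check-then-use against a concurrently running handler still needs serialization, which is the subject of the second patch in this series ("Serialize the MCE handler against endpoint teardown").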
