From: sashiko-bot@kernel.org
To: "Dave Jiang" <dave.jiang@intel.com>
Cc: linux-cxl@vger.kernel.org
Subject: Re: [PATCH 2/2] cxl/mce: Serialize the MCE handler against endpoint teardown
Date: Tue, 16 Jun 2026 01:03:06 +0000
Message-ID: <20260616010307.314E61F000E9@smtp.kernel.org>
In-Reply-To: <20260616004007.4186004-3-dave.jiang@intel.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] The MCE notifier accesses a freed `cxlmd` structure and attempts to lock its mutex if an MCE occurs during device teardown, leading to a Use-After-Free and kernel crash.
--
commit a9bb7894eaa94a0fe2d0d4c6dd69b86cf2d1fe0f
Author: Dave Jiang <dave.jiang@intel.com>
cxl/mce: Serialize the MCE handler against endpoint teardown
This commit modifies the MCE handler to take the cxlmd lock before verifying
the endpoint pointer. It then takes a reference on the endpoint device to
ensure it remains alive during access.
> diff --git a/drivers/cxl/core/mce.c b/drivers/cxl/core/mce.c
> index 47566015eb006..e684e411921b9 100644
> --- a/drivers/cxl/core/mce.c
> +++ b/drivers/cxl/core/mce.c
> @@ -7,13 +7,27 @@
> #include <cxlmem.h>
> #include "mce.h"
>
> +static struct device *cxlmd_get_endpoint_dev(struct cxl_memdev *cxlmd)
> +{
> + struct cxl_port *endpoint;
> +
> + if (!cxlmd)
> + return NULL;
> +
> + guard(device)(&cxlmd->dev);
[Severity: Critical]
This is a pre-existing issue, but does accessing cxlmd here lead to a
use-after-free if a Machine Check Exception occurs during device teardown?
During device teardown or driver unbind, devm actions execute in reverse
order. The MCE notifier is registered before the cxl_memdev structure
is allocated, which means cxl_memdev is unregistered and its memory freed
before the MCE notifier is deactivated.
While cxl_memdev_shutdown() clears cxlmd->cxlds, it does not clear
mds->cxlds.cxlmd. This leaves mds->cxlds.cxlmd as a dangling pointer.
If a Machine Check Exception happens during this window, cxl_handle_mce()
will read the freed cxlmd pointer and pass it here. Attempting to lock a
mutex inside freed memory will cause memory corruption or a crash.
> + endpoint = cxlmd->endpoint;
[ ... ]
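Review bot: nothing in the visible lines of cxlmd_get_endpoint_dev() documents its ownership contract, even though the name and the commit message say it takes a reference on the endpoint device. Add a comment above the function stating that a non-NULL return carries a reference the caller must drop with put_device(), and that cxlmd->endpoint is read under guard(device)(&cxlmd->dev) because that lock is what serializes the read against endpoint teardown; without that, a caller that only tests the return value will leak the reference and keep the endpoint pinned.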
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260616004007.4186004-1-dave.jiang@intel.com?part=2
Thread overview:
2026-06-16 0:40 [PATCH 0/2] cxl: Fix endpoint access issues with CXL MCE notifier handler Dave Jiang
2026-06-16 0:40 ` [PATCH 1/2] cxl/mce: Validate memdev and endpoint before dereference in cxl_handle_mce() Dave Jiang
2026-06-16 0:54 ` sashiko-bot
2026-06-16 0:40 ` [PATCH 2/2] cxl/mce: Serialize the MCE handler against endpoint teardown Dave Jiang
2026-06-16 1:03 ` sashiko-bot [this message]