From: Dan Williams <dan.j.williams@intel.com>
To: Alison Schofield <alison.schofield@intel.com>,
Dan Williams <dan.j.williams@intel.com>
Cc: <dave.jiang@intel.com>, <patches@lists.linux.dev>,
<linux-cxl@vger.kernel.org>,
<Smita.KoralahalliChannabasappa@amd.com>,
<stable@vger.kernel.org>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>
Subject: Re: [PATCH 1/9] cxl/region: Fix use-after-free from auto assembly failure
Date: Fri, 27 Mar 2026 14:54:24 -0700
Message-ID: <69c6fc90593bd_1b0cc610088@dwillia2-mobl4.notmuch>
In-Reply-To: <acbYgkczKrpG4x6d@aschofie-mobl2.lan>

Alison Schofield wrote:
> On Thu, Mar 26, 2026 at 10:28:13PM -0700, Dan Williams wrote:
> > The following crash signature results from region destruction while an
> > endpoint decoder is staged, but not fully attached.
> >
> > ---
> > BUG: KASAN: slab-use-after-free in __cxl_decoder_detach+0x724/0x830 [cxl_core]
> > Read of size 8 at addr ffff888265638840 by task modprobe/1287
> >
> > Call Trace:
> > <TASK>
> > dump_stack_lvl+0x68/0x90
> > print_report+0x170/0x4e2
> > kasan_report+0xc2/0x1a0
> > __cxl_decoder_detach+0x724/0x830 [cxl_core]
> > cxl_decoder_detach+0x6c/0x100 [cxl_core]
> > unregister_region+0x88/0x140 [cxl_core]
> > devres_release_all+0x172/0x230
> > ---
> >
> > The "staged" state is established by cxl_region_attach_auto() and finalized
> > by cxl_region_attach_position(). When that is finalized a memdev removal
> > event will destroy regions before endpoint decoders. However, in the
> > interim the memdev removal will falsely assume that the endpoint decoder is
> > unattached. Later, the eventual region removal finds the stale pointer to
> > the now freed endpoint decoder.
>
> I'm wondering how this is exposed. What is 'eventual region removal'?
>
> The region driver does not clean up after failed auto assembly.
> The cxl-cli cannot because topology is broken.
>
> How did you get here?
tl;dr: "modprobe -r cxl_test"
When the cxl_acpi driver is removed the CXL Window root decoders are
destroyed along with any regions that were in the process of being
created.
If one of the regions to be cleaned up has a p->targets[] entry set up
by cxl_region_attach_auto(), but not finalized by
cxl_region_attach_position(), then there is nothing to stop that @cxled
object from being freed.
The "modprobe -r cxl_test" event destroys all the memdevs. When the
memdev goes to free its decoders it sees that @cxled->cxld.region is not
yet set, assumes it is idle and frees it. Later, unregister_region()
sees the now freed @cxled in its p->targets[] list, tries to
de-reference it and boom.
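The lifecycle mismatch Dan describes, as an added toy model (not code from the patch or the kernel; `region_model`, `cxled_model` and the helper names are hypothetical, and the hardened teardown is an assumption about one way to close the window, not the patch's own fix): the region gets a one-way pointer at the staging step, the memdev side judges idleness only by the decoder's back-pointer, and the region teardown then walks a freed target.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAX_TARGETS 4

/* Toy model, not the kernel's structures: staging fills a p->targets[] slot, but
 * the decoder's back-pointer is set only when the attach is finalized. */
struct region_model;
struct cxled_model {
	struct region_model *region;	/* NULL while merely staged */
	bool freed;			/* stands in for kfree() so the hazard is observable */
};
struct region_model { struct cxled_model *targets[MAX_TARGETS]; };

/* cxl_region_attach_auto() analogue: one-way link, region -> decoder only. */
static void attach_auto(struct region_model *r, int pos, struct cxled_model *ed) {
	r->targets[pos] = ed;
}

/* Memdev teardown as the mail describes it: region == NULL is read as "idle". */
static void memdev_free_decoder_buggy(struct cxled_model *ed) {
	if (!ed->region) ed->freed = true;	/* frees a decoder a region still points at */
}

/* Hardened variant (an assumption for this model, not the patch's own fix):
 * clear any staged slot that still references the decoder before releasing it. */
static void memdev_free_decoder_hardened(struct region_model *r, struct cxled_model *ed) {
	for (int i = 0; i < MAX_TARGETS; i++)
		if (r->targets[i] == ed) r->targets[i] = NULL;
	if (!ed->region) ed->freed = true;
}

/* unregister_region() analogue: count targets that were already freed, i.e. the
 * stale pointers KASAN reports as slab-use-after-free once dereferenced. */
static int stale_targets(const struct region_model *r) {
	int stale = 0;
	for (int i = 0; i < MAX_TARGETS; i++)
		if (r->targets[i] && r->targets[i]->freed) stale++;
	return stale;
}

/* Failed auto assembly: staged, never finalized, memdev torn down before region. */
static int failed_auto_assembly(bool hardened) {
	struct region_model r = { 0 };
	struct cxled_model ed = { 0 };
	attach_auto(&r, 0, &ed);	/* cxl_region_attach_position() never runs */
	hardened ? memdev_free_decoder_hardened(&r, &ed) : memdev_free_decoder_buggy(&ed);
	return stale_targets(&r);	/* 1 on the buggy path, 0 when hardened */
}
```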