From: Ira Weiny <ira.weiny@intel.com>
To: Dan Williams <dan.j.williams@intel.com>, <dave.jiang@intel.com>
Cc: <patches@lists.linux.dev>, <linux-cxl@vger.kernel.org>,
<alison.schofield@intel.com>,
<Smita.KoralahalliChannabasappa@amd.com>,
<stable@vger.kernel.org>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>
Subject: Re: [PATCH 1/9] cxl/region: Fix use-after-free from auto assembly failure
Date: Mon, 30 Mar 2026 15:24:26 -0500
Message-ID: <69cadbfacef53_17924f1006b@iweiny-mobl.notmuch>
In-Reply-To: <20260327052821.440749-2-dan.j.williams@intel.com>

Dan Williams wrote:
> The following crash signature results from region destruction while an
> endpoint decoder is staged, but not fully attached.
>
> ---

NIT: When I applied this series to check it out, this '---' incorrectly
trimmed the commit message. Dave should be able to fix that.

So with that fixed:

Reviewed-by: Ira Weiny <ira.weiny@intel.com>

> BUG: KASAN: slab-use-after-free in __cxl_decoder_detach+0x724/0x830 [cxl_core]
> Read of size 8 at addr ffff888265638840 by task modprobe/1287
>
> Call Trace:
> <TASK>
> dump_stack_lvl+0x68/0x90
> print_report+0x170/0x4e2
> kasan_report+0xc2/0x1a0
> __cxl_decoder_detach+0x724/0x830 [cxl_core]
> cxl_decoder_detach+0x6c/0x100 [cxl_core]
> unregister_region+0x88/0x140 [cxl_core]
> devres_release_all+0x172/0x230
> ---
>
> The "staged" state is established by cxl_region_attach_auto() and finalized
> by cxl_region_attach_position(). When that is finalized a memdev removal
> event will destroy regions before endpoint decoders. However, in the
> interim the memdev removal will falsely assume that the endpoint decoder is
> unattached. Later, the eventual region removal finds the stale pointer to
> the now freed endpoint decoder.
>
> Introduce CXL_DECODER_STATE_AUTO_STAGED and cxl_cancel_auto_attach() to
> clean up this interim state.
>
> Fixes: a32320b71f08 ("cxl/region: Add region autodiscovery")
> Cc: <stable@vger.kernel.org>
> Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> ---
[snip]
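
The interim "staged" state described in the quoted commit message, as an added user-space model (not code from the patch or from the kernel): the structs, the `DECODER_*` states and every function name here are hypothetical, and the free is simulated by a flag so the stale pointer can be observed safely.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical user-space model: "freeing" only clears a flag, so the
 * stale pointer can be inspected without undefined behaviour. */
enum decoder_state { DECODER_IDLE, DECODER_AUTO_STAGED, DECODER_ATTACHED };
struct region;
struct decoder {
    bool live;                  /* false once "freed" */
    enum decoder_state state;
    struct region *region;      /* back-pointer, set only when attached */
};
struct region { struct decoder *targets[4]; };

/* Make the region forget the decoder. */
static void drop_target(struct region *r, struct decoder *d)
{
    for (size_t i = 0; i < 4; i++)
        if (r->targets[i] == d)
            r->targets[i] = NULL;
    d->state = DECODER_IDLE;
    d->region = NULL;
}

/* Decoder teardown; without `fixed` it trusts the back-pointer alone. */
static void remove_decoder(struct region *r, struct decoder *d, bool fixed)
{
    if (d->region)
        drop_target(d->region, d);      /* fully attached */
    else if (fixed && d->state == DECODER_AUTO_STAGED)
        drop_target(r, d);              /* staged: cancel before the free */
    d->live = false;                    /* stands in for the free */
}

/* Stage one decoder, remove it, then count the targets that region
 * teardown would still dereference. */
static int stale_targets_after_removal(bool fixed)
{
    struct region r = { { NULL } };
    struct decoder d = { true, DECODER_IDLE, NULL };
    int stale = 0;

    r.targets[0] = &d;                  /* staged: no back-pointer yet */
    d.state = DECODER_AUTO_STAGED;
    remove_decoder(&r, &d, fixed);
    for (size_t i = 0; i < 4; i++)
        if (r.targets[i] && !r.targets[i]->live)
            stale++;
    return stale;
}
```

With `fixed` false the region keeps one pointer to the removed decoder, which is the condition the KASAN report flags; with an explicit staged state checked at teardown, none remain.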