From: Breno Leitao <leitao@debian.org>
To: Dave Jiang <dave.jiang@intel.com>
Cc: alison.schofield@intel.com, vishal.l.verma@intel.com,
ira.weiny@intel.com, bwidawsk@kernel.org,
dan.j.williams@intel.com, linux-cxl@vger.kernel.org
Subject: Re: [PATCH] cxl/acpi: Release device after dev_err
Date: Mon, 10 Jul 2023 03:49:13 -0700
Message-ID: <ZKviKY6Px9qqJYK3@gmail.com>
In-Reply-To: <fb897ce1-3abf-f5b6-6585-1c74054beb86@intel.com>

On Fri, Jul 07, 2023 at 09:50:09AM -0700, Dave Jiang wrote:
>
>
> On 7/7/23 09:16, Breno Leitao wrote:
> > Kfence is detecting a use-after-free in the CXL, when cxl_decoder_add()
> > fails. Kfence drops this message, after the following:
> >
> > BUG: KFENCE: use-after-free read in resource_string
> >
> > This is happening in cxl_parse_cfmws(), and here is a simplified flow
> > that is coming from Kfence.
> >
> > Use-after-free:
> > _dev_err
> > cxl_parse_cfmws
> > acpi_table_parse_entries_array
> > acpi_table_parse_cedt
> > cxl_acpi_probe
> >
> > Free:
> > cxl_decoder_release
> > device_release
> > kobject_put
> > cxl_parse_cfmws
> > acpi_table_parse_entries_array
> > acpi_table_parse_cedt
> > cxl_acpi_probe
> >
> > Alloc:
> > cxl_decoder_alloc
> > cxl_parse_cfmws
> > acpi_table_parse_entries_array
> > acpi_table_parse_cedt
> > cxl_acpi_probe
> > platform_probe
> >
> > From my reading of the issue, the device struct being used by
> > dev_err() was removed in the put_device() before.
> >
> > Put the device just after the message is printed.
> >
> > Signed-off-by: Breno Leitao <leitao@debian.org>
> > ---
> > drivers/cxl/acpi.c | 7 +++----
> > 1 file changed, 3 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/cxl/acpi.c b/drivers/cxl/acpi.c
> > index 658e6b84a769..5179bf4211d8 100644
> > --- a/drivers/cxl/acpi.c
> > +++ b/drivers/cxl/acpi.c
> > @@ -291,14 +291,13 @@ static int cxl_parse_cfmws(union acpi_subtable_headers *header, void *arg,
> > }
> > rc = cxl_decoder_add(cxld, target_map);
> > err_xormap:
> > - if (rc)
> > - put_device(&cxld->dev);
> > - else
> > - rc = cxl_decoder_autoremove(dev, cxld);
> > if (rc) {
> > dev_err(dev, "Failed to add decode range [%#llx - %#llx]\n",
> > cxld->hpa_range.start, cxld->hpa_range.end);
> > + put_device(&cxld->dev);
> > return 0;
>
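Review bot: the `cxl_decoder_autoremove(dev, cxld)` call removed at the top of this hunk is not re-added in the lines quoted here (the quote stops at `return 0;`), so confirm that the success path of `cxl_decoder_add()` still reaches it and that a failure there does not fall into a message that reads `cxld->hpa_range` unless `cxld` is known to still be valid. In the error block, `put_device(&cxld->dev)` now follows the `dev_err()` that dereferences `cxld`, which is the right order; a one-line comment saying the put must stay the last use of `cxld` would keep a later cleanup from reversing it. Paths that jump to `err_xormap` with `rc` set also land in this block, so they get the same put and the same `return 0`.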
> I think you will want to change this to 'return rc;' in order to reflect the
> error.

This is a good point also, and I can change it in v2, if there is
agreement on this patch.