From: Dan Williams <dan.j.williams@intel.com>
To: Li Ming <ming.li@zohomail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Rafael J. Wysocki" <rafael@kernel.org>,
"Danilo Krummrich" <dakr@kernel.org>,
Davidlohr Bueso <dave@stgolabs.net>,
"Jonathan Cameron" <jonathan.cameron@huawei.com>,
Dave Jiang <dave.jiang@intel.com>,
Alison Schofield <alison.schofield@intel.com>,
Vishal Verma <vishal.l.verma@intel.com>,
Ira Weiny <ira.weiny@intel.com>,
Dan Williams <dan.j.williams@intel.com>,
Bjorn Helgaas <bhelgaas@google.com>,
Ben Cheatham <benjamin.cheatham@amd.com>
Cc: <driver-core@lists.linux.dev>, <linux-kernel@vger.kernel.org>,
<linux-cxl@vger.kernel.org>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Li Ming <ming.li@zohomail.com>
Subject: Re: [PATCH 0/7] cxl: Consolidate cxlmd->endpoint accessing
Date: Tue, 10 Mar 2026 13:33:37 -0700 [thread overview]
Message-ID: <69b08021288c7_490a1004d@dwillia2-mobl4.notmuch> (raw)
In-Reply-To: <20260310-fix_access_endpoint_without_drv_check-v1-0-94fe919a0b87@zohomail.com>
Li Ming wrote:
> Currently, CXL subsystem implementation has some functions that may
> access CXL memdev's endpoint before the endpoint initialization
> completed or without checking the CXL memdev endpoint validity.
> This patchset fixes three scenarios as above description.
>
> 1. cxl_dpa_to_region() is possible to access an invalid CXL memdev
> endpoint.
> there are two scenarios that can trigger this issue:
> a. memdev poison injection/clearing debugfs interfaces:
> devm_cxl_add_endpoint() is used to register CXL memdev endpoint
> and update cxlmd->endpoint from -ENXIO to the endpoint structure.
> memdev poison injection/clearing debugfs interfaces are registered
> before devm_cxl_add_endpoint() is invoked in cxl_mem_probe().
> There is a small window where user can use the debugfs interfaces
> to access an invalid endpoint.
This is the justification I wanted to see in the changelog of the
patches themselves. That is a reasonable theoretical window.
> b. cxl_event_config() in the end of cxl_pci_probe():
> cxl_event_config() invokes cxl_mem_get_event_record() to get
> remain event logs from CXL device during cxl_pci_probe(). If CXL
> memdev probing failed before that, it is also possible to access
> an invalid endpoint.
Makes sense, please put this in the changelog.
> To fix these two cases, cxl_dpa_to_region() requires callers holding
> CXL memdev lock to access it and check if CXL memdev driver bingding
> status. Holding CXL memdev lock ensures that CXL memdev probing has
> completed, and if CXL memdev driver is bound, it will mean
> cxlmd->endpoint is valid. (PATCH #1-#5)
>
> 2. cxl_reset_done() callback in cxl_pci module.
> cxl_reset_done() callback also accesses cxlmd->endpoint without any
> checking. If CXL memdev probing fails, then cxl_reset_done() is
> called by PCI subsystem, it will access an invalid endpoint. The
> solution is adding a CXL memdev driver binding status inside
> cxl_reset_done(). (PATCH #6)
Makes sense. I jumped into the patches first since I was familiar with
the problem space, but happy to see you did this analysis. Just
cover-letter analysis can typically get lost in teh shuffle.
next prev parent reply other threads:[~2026-03-10 20:33 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-10 15:57 [PATCH 0/7] cxl: Consolidate cxlmd->endpoint accessing Li Ming
2026-03-10 15:57 ` [PATCH 1/7] driver core: Add conditional guard support for device_lock() Li Ming
2026-03-10 17:45 ` Dave Jiang
2026-03-10 18:06 ` Danilo Krummrich
2026-03-10 18:09 ` Dave Jiang
2026-03-10 18:39 ` Dan Williams
2026-03-10 19:17 ` Danilo Krummrich
2026-03-10 20:37 ` Dan Williams
2026-03-10 20:41 ` Danilo Krummrich
2026-03-12 14:35 ` Greg Kroah-Hartman
2026-03-14 15:14 ` Danilo Krummrich
2026-03-10 15:57 ` [PATCH 2/7] cxl/memdev: Hold memdev lock during memdev poison injection/clear Li Ming
2026-03-10 17:53 ` Dave Jiang
2026-03-10 19:29 ` Alison Schofield
2026-03-10 21:34 ` Alison Schofield
2026-03-11 10:53 ` Li Ming
2026-03-12 4:05 ` Alison Schofield
2026-03-12 10:45 ` Li Ming
2026-03-10 15:57 ` [PATCH 3/7] cxl/region: Hold memdev lock during region " Li Ming
2026-03-10 19:54 ` Dan Williams
2026-03-10 21:57 ` Alison Schofield
2026-03-11 11:10 ` Li Ming
2026-03-17 2:10 ` Dan Williams
2026-03-10 15:57 ` [PATCH 4/7] cxl/pci: Hold memdev lock in cxl_event_trace_record() Li Ming
2026-03-10 19:33 ` Dan Williams
2026-03-11 11:11 ` Li Ming
2026-03-10 20:52 ` Dave Jiang
2026-03-11 11:12 ` Li Ming
2026-03-10 15:57 ` [PATCH 5/7] cxl/region: Ensure endpoint is valid in cxl_dpa_to_region() Li Ming
2026-03-10 20:53 ` Dave Jiang
2026-03-10 15:57 ` [PATCH 6/7] cxl/pci: Check memdev driver binding status in cxl_reset_done() Li Ming
2026-03-10 19:31 ` Dan Williams
2026-03-10 20:50 ` Dave Jiang
2026-03-10 15:57 ` [PATCH 7/7] cxl/port: Reset cxlmd->endpoint to -ENXIO by default Li Ming
2026-03-10 19:29 ` Dan Williams
2026-03-11 12:14 ` Li Ming
2026-03-10 19:20 ` [PATCH 0/7] cxl: Consolidate cxlmd->endpoint accessing Alison Schofield
2026-03-11 10:41 ` Li Ming
2026-03-10 20:33 ` Dan Williams [this message]
2026-03-11 10:44 ` Li Ming
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69b08021288c7_490a1004d@dwillia2-mobl4.notmuch \
--to=dan.j.williams@intel.com \
--cc=alison.schofield@intel.com \
--cc=benjamin.cheatham@amd.com \
--cc=bhelgaas@google.com \
--cc=dakr@kernel.org \
--cc=dave.jiang@intel.com \
--cc=dave@stgolabs.net \
--cc=driver-core@lists.linux.dev \
--cc=gregkh@linuxfoundation.org \
--cc=ira.weiny@intel.com \
--cc=jonathan.cameron@huawei.com \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ming.li@zohomail.com \
--cc=rafael@kernel.org \
--cc=vishal.l.verma@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox