From: sashiko-bot@kernel.org
To: "Alison Schofield" <alison.schofield@intel.com>
Cc: linux-cxl@vger.kernel.org
Subject: Re: [PATCH] cxl/region: Fix use-after-free in find_pos_and_ways() error path
Date: Sat, 11 Jul 2026 18:19:49 +0000 [thread overview]
Message-ID: <20260711181949.A4B1D1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260711180755.1779002-1-alison.schofield@intel.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] Unchecked `interleave_ways` value from untrusted CXL device leads to heap out-of-bounds read and write on the `cxlsd->target[]` flexible array.
- [High] Out-of-bounds read of stack variable `target_list` when initializing HDM switch decoder targets.
--
--- Patch [1]: [PATCH] cxl/region: Fix use-after-free in find_pos_and_ways() error path ---
commit 1c57e04f0aa13be6ae927836e151c3bc815eda70
Author: Alison Schofield <alison.schofield@intel.com>
cxl/region: Fix use-after-free in find_pos_and_ways() error path
This commit drops the reference to a switch decoder after logging an
error message that includes the decoder's name. This prevents a potential
use-after-free if it was the last reference.
> diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c
> index 1e211542b6b64..c86dd9d55e939 100644
> --- a/drivers/cxl/core/region.c
> +++ b/drivers/cxl/core/region.c
> @@ -1938,8 +1938,6 @@ static int find_pos_and_ways(struct cxl_port *port, struct range *range,
[Severity: High]
This is a pre-existing issue, but is there a risk of an out-of-bounds array
access in this function and others when handling interleave_ways?
Just above this hunk, find_pos_and_ways() loops up to
cxlsd->cxld.interleave_ways and accesses the cxlsd->target[] flexible array:
for (int i = 0; i < *ways; i++) {
if (cxlsd->target[i] == port->parent_dport) {
The interleave_ways value originates from the HDM Decoder Control register in
init_hdm_decoder():
drivers/cxl/core/hdm.c:init_hdm_decoder() {
...
rc = eiw_to_ways(FIELD_GET(CXL_HDM_DECODER0_CTRL_IW_MASK, ctrl), &cxld->interleave_ways);
...
}
If an untrusted CXL device provides a small target_count but a maliciously
inflated interleave_ways, could this result in heap out-of-bounds reads here
in find_pos_and_ways(), as well as out-of-bounds writes in
decoder_populate_targets() and update_decoder_targets() when they iterate
up to the inflated value?
> break;
> }
> }
> - put_device(dev);
> -
> if (rc)
> dev_err(port->uport_dev,
> "failed to find %s:%s in target list of %s\n",
[Severity: High]
This is also a pre-existing issue, but does this same unchecked
interleave_ways value cause a stack out-of-bounds read in
init_hdm_decoder()?
drivers/cxl/core/hdm.c:init_hdm_decoder() {
...
for (i = 0; i < cxld->interleave_ways; i++)
cxld->target_map[i] = target_list.target_id[i];
...
}
Since target_list.target_id is an 8-byte stack-allocated union, if
interleave_ways is larger than 8 (e.g., 16), could this loop read past
the end of the 8-byte array and leak adjacent stack memory into
cxld->target_map?
> @@ -1947,6 +1945,8 @@ static int find_pos_and_ways(struct cxl_port *port, struct range *range,
> dev_name(port->parent_dport->dport_dev),
> dev_name(&cxlsd->cxld.dev));
>
> + put_device(dev);
> +
> return rc;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260711180755.1779002-1-alison.schofield@intel.com?part=1
next prev parent reply other threads:[~2026-07-11 18:19 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-11 18:07 [PATCH] cxl/region: Fix use-after-free in find_pos_and_ways() error path Alison Schofield
2026-07-11 18:19 ` sashiko-bot [this message]
2026-07-11 19:52 ` Alison Schofield
2026-07-13 2:48 ` Li Ming
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260711181949.A4B1D1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=alison.schofield@intel.com \
--cc=linux-cxl@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox