Linux CXL
 help / color / mirror / Atom feed
From: Alison Schofield <alison.schofield@intel.com>
To: <sashiko-reviews@lists.linux.dev>
Cc: <linux-cxl@vger.kernel.org>
Subject: Re: [PATCH] cxl/region: Fix use-after-free in find_pos_and_ways() error path
Date: Sat, 11 Jul 2026 12:52:24 -0700	[thread overview]
Message-ID: <alKe-MPcCLbLgFQt@aschofie-mobl2.lan> (raw)
In-Reply-To: <20260711181949.A4B1D1F000E9@smtp.kernel.org>

On Sat, Jul 11, 2026 at 06:19:49PM +0000, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
> 
> Pre-existing issues:
> - [High] Unchecked `interleave_ways` value from untrusted CXL device leads to heap out-of-bounds read and write on the `cxlsd->target[]` flexible array.
> - [High] Out-of-bounds read of stack variable `target_list` when initializing HDM switch decoder targets.

For both of these...
interleave_ways is not fully unchecked. It is decoded by eiw_to_ways(),
which rejects any encoding outside the legal set and caps the result at
16, and init_hdm_decoder() checks that return value and bails on error.
So the value is always in [1, 16]

But - as noted here it could exceed HW target list or reported target
count. That would happen w a bad device, ie malfunctioning or malicious
since good hardware won't advertise an interleave that exceeds its own
target list.

Worth hardening, and I'll follow w the fixup.


> --
> 
> --- Patch [1]: [PATCH] cxl/region: Fix use-after-free in find_pos_and_ways() error path ---
> commit 1c57e04f0aa13be6ae927836e151c3bc815eda70
> Author: Alison Schofield <alison.schofield@intel.com>
> 
> cxl/region: Fix use-after-free in find_pos_and_ways() error path
> 
> This commit drops the reference to a switch decoder after logging an
> error message that includes the decoder's name. This prevents a potential
> use-after-free if it was the last reference.
> 
> > diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c
> > index 1e211542b6b64..c86dd9d55e939 100644
> > --- a/drivers/cxl/core/region.c
> > +++ b/drivers/cxl/core/region.c
> > @@ -1938,8 +1938,6 @@ static int find_pos_and_ways(struct cxl_port *port, struct range *range,
> 
> [Severity: High]
> This is a pre-existing issue, but is there a risk of an out-of-bounds array
> access in this function and others when handling interleave_ways?
> 
> Just above this hunk, find_pos_and_ways() loops up to
> cxlsd->cxld.interleave_ways and accesses the cxlsd->target[] flexible array:
> 
> 	for (int i = 0; i < *ways; i++) {
> 		if (cxlsd->target[i] == port->parent_dport) {
> 
> The interleave_ways value originates from the HDM Decoder Control register in
> init_hdm_decoder():
> 
> drivers/cxl/core/hdm.c:init_hdm_decoder() {
> ...
> 	rc = eiw_to_ways(FIELD_GET(CXL_HDM_DECODER0_CTRL_IW_MASK, ctrl), &cxld->interleave_ways);
> ...
> }
> 
> If an untrusted CXL device provides a small target_count but a maliciously
> inflated interleave_ways, could this result in heap out-of-bounds reads here
> in find_pos_and_ways(), as well as out-of-bounds writes in
> decoder_populate_targets() and update_decoder_targets() when they iterate
> up to the inflated value?
> 
> >  			break;
> >  		}
> >  	}
> > -	put_device(dev);
> > -
> >  	if (rc)
> >  		dev_err(port->uport_dev,
> >  			"failed to find %s:%s in target list of %s\n",
> 
> [Severity: High]
> This is also a pre-existing issue, but does this same unchecked
> interleave_ways value cause a stack out-of-bounds read in
> init_hdm_decoder()?
> 
> drivers/cxl/core/hdm.c:init_hdm_decoder() {
> ...
> 	for (i = 0; i < cxld->interleave_ways; i++)
> 		cxld->target_map[i] = target_list.target_id[i];
> ...
> }
> 
> Since target_list.target_id is an 8-byte stack-allocated union, if
> interleave_ways is larger than 8 (e.g., 16), could this loop read past
> the end of the 8-byte array and leak adjacent stack memory into
> cxld->target_map?
> 
> > @@ -1947,6 +1945,8 @@ static int find_pos_and_ways(struct cxl_port *port, struct range *range,
> >  			dev_name(port->parent_dport->dport_dev),
> >  			dev_name(&cxlsd->cxld.dev));
> >  
> > +	put_device(dev);
> > +
> >  	return rc;
> >  }
> 
> -- 
> Sashiko AI review · https://sashiko.dev/#/patchset/20260711180755.1779002-1-alison.schofield@intel.com?part=1
> 

      reply	other threads:[~2026-07-11 19:52 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-11 18:07 [PATCH] cxl/region: Fix use-after-free in find_pos_and_ways() error path Alison Schofield
2026-07-11 18:19 ` sashiko-bot
2026-07-11 19:52   ` Alison Schofield [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alKe-MPcCLbLgFQt@aschofie-mobl2.lan \
    --to=alison.schofield@intel.com \
    --cc=linux-cxl@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox