diff options
| author | Davidlohr Bueso <dave@stgolabs.net> | 2026-03-02 01:17:39 +0300 |
|---|---|---|
| committer | Dave Jiang <dave.jiang@intel.com> | 2026-03-18 18:49:29 +0300 |
| commit | 9a6a2091324ab6525951651b3700e3bea0fe9a89 (patch) | |
| tree | 400e8f76c0c6b382d752e57242e75e0d04f4b466 /scripts/dummy-tools/python3 | |
| parent | 75cea0776de502f2a1be5ca02d37c586dc81887e (diff) | |
| download | linux-9a6a2091324ab6525951651b3700e3bea0fe9a89.tar.xz | |
cxl/mbox: Use proper endpoint validity check upon sanitize
Fuzzying CXL triggered:
BUG: KASAN: null-ptr-deref in cxl_num_decoders_committed+0x3e/0x80 drivers/cxl/core/port.c:49
Read of size 4 at addr 0000000000000642 by task syz.0.97/2282
CPU: 2 UID: 0 PID: 2282 Comm: syz.0.97 Not tainted 7.0.0-rc1-gebd11be59f74-dirty #494 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
kasan_report+0xe0/0x110 mm/kasan/report.c:595
cxl_num_decoders_committed+0x3e/0x80 drivers/cxl/core/port.c:49
cxl_mem_sanitize+0x141/0x170 drivers/cxl/core/mbox.c:1304
security_sanitize_store+0xb0/0x120 drivers/cxl/core/memdev.c:173
dev_attr_store+0x46/0x70 drivers/base/core.c:2437
sysfs_kf_write+0x95/0xb0 fs/sysfs/file.c:142
kernfs_fop_write_iter+0x276/0x330 fs/kernfs/file.c:352
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x5df/0xaa0 fs/read_write.c:688
ksys_write+0x103/0x1f0 fs/read_write.c:740
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x111/0x680 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f60a584ba79
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f60a42a7038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f60a5ab5fa0 RCX: 00007f60a584ba79
RDX: 0000000000000002 RSI: 00002000000001c0 RDI: 0000000000000003
RBP: 00007f60a58a49df R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f60a5ab6038 R14: 00007f60a5ab5fa0 R15: 00007ffe58fad8b8
</TASK>
This goes away using the correct check instead of abusing cxlmd->endpoint,
which is unusable (ENXIO) until the driver has probed. During that window
the memdev sysfs attributes are already visible, as soon as device_add()
completes.
Fixes: 29317f8dc6ed ("cxl/mem: Introduce cxl_memdev_attach for CXL-dependent operation")
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Reviewed-by: Gregory Price <gourry@gourry.net>
Link: https://patch.msgid.link/20260301221739.1726722-1-dave@stgolabs.net
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Diffstat (limited to 'scripts/dummy-tools/python3')
0 files changed, 0 insertions, 0 deletions