| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <19c2408481d.d3a542847734.6787260991561471110@zohomail.com>
Date: Tue, 03 Feb 2026 23:04:08 +0800
From: Li Ming <ming.li@...omail.com>
To: "Dave Jiang" <dave.jiang@...el.com>
Cc: "dave" <dave@...olabs.net>,
"jonathan.cameron" <jonathan.cameron@...wei.com>,
"alison.schofield" <alison.schofield@...el.com>,
"vishal.l.verma" <vishal.l.verma@...el.com>,
"ira.weiny" <ira.weiny@...el.com>,
"linux-cxl" <linux-cxl@...r.kernel.org>,
"linux-kernel" <linux-kernel@...r.kernel.org>,
"dan.j.williams" <dan.j.williams@...el.com>
Subject: Re: [PATCH 1/2] cxl/core: Set cxlmd->endpoint to NULL by default
From: Dave Jiang <dave.jiang@...el.com>
To: "Li Ming"<ming.li@...omail.com>, <dave@...olabs.net>, <jonathan.cameron@...wei.com>, <alison.schofield@...el.com>, <vishal.l.verma@...el.com>, <ira.weiny@...el.com>, <dan.j.williams@...el.com>
Cc: <linux-cxl@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Date: Tue, 03 Feb 2026 05:04:44 +0800
Subject: Re: [PATCH 1/2] cxl/core: Set cxlmd->endpoint to NULL by default
>
>
> On 2/1/26 2:30 AM, Li Ming wrote:
> > CXL testing environment can trigger following trace
> >
> > Oops: general protection fault, probably for non-canonical address 0xdffffc0000000092: 0000 [#1] SMP KASAN NOPTI
> > KASAN: null-ptr-deref in range [0x0000000000000490-0x0000000000000497]
> > RIP: 0010:cxl_dpa_to_region+0x105/0x1f0 [cxl_core]
> > Call Trace:
> > <TASK>
> > cxl_event_trace_record+0xd1/0xa70 [cxl_core]
> > __cxl_event_trace_record+0x12f/0x1e0 [cxl_core]
> > cxl_mem_get_records_log+0x261/0x500 [cxl_core]
> > cxl_mem_get_event_records+0x7c/0xc0 [cxl_core]
> > cxl_mock_mem_probe+0xd38/0x1c60 [cxl_mock_mem]
> > platform_probe+0x9d/0x130
> > really_probe+0x1c8/0x960
> > __driver_probe_device+0x187/0x3e0
> > driver_probe_device+0x45/0x120
> > __device_attach_driver+0x15d/0x280
>
> So I talked to Dan and the assigning of ERR_PTR(-ENXIO) is from a previous revision of implementation and isn't intended to be there. So removing the line entirely (which would mean endpoint == NULL from kzalloc) is probably the right change. However, I'm not able to reproduce the error. How is it triggered? Also, by setting it to NULL, are we covering up a different issue? Are you able to determine whether cxlmd->endpoint at that point is unexpected and perhaps triggered by a different bug?
>
> DJ
Hi Dave,
As I implied in cover-letter, When I trigger issue #2, it always trigger this issue.
I have a simple script to run cxl test over and over again in a VM. I usually reproduce it in one hour with KASAN enabled.
When I reproduced it, I dumpped out the value of cxlmd->endpoint, it is -ENXIO. That means it was not updated in cxl_port_add() yet at that time. I cannot reproduce this issue only with patch #2.
Ming
>
> >
> > commit 29317f8dc6ed ("cxl/mem: Introduce cxl_memdev_attach for CXL-dependent operation")
> > initializes cxlmd->endpoint to ERR_PTR(-ENXIO) in cxl_memdev_alloc().
> > However, cxl_dpa_to_region() treats a non-NULL cxlmd->endpoint as a
> > valid endpoint.
> >
> > Across the CXL core, endpoint availability is generally determined by
> > checking whether it is NULL. Align with this convention by initializing
> > cxlmd->endpoint to NULL by default.
> >
> > Fixes: 29317f8dc6ed ("cxl/mem: Introduce cxl_memdev_attach for CXL-dependent operation")
> > Signed-off-by: Li Ming <ming.li@...omail.com>
> > ---
> > drivers/cxl/core/memdev.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/cxl/core/memdev.c b/drivers/cxl/core/memdev.c
> > index af3d0cc65138..41a507b5daa4 100644
> > --- a/drivers/cxl/core/memdev.c
> > +++ b/drivers/cxl/core/memdev.c
> > @@ -675,7 +675,7 @@ static struct cxl_memdev *cxl_memdev_alloc(struct cxl_dev_state *cxlds,
> > cxlmd->id = rc;
> > cxlmd->depth = -1;
> > cxlmd->attach = attach;
> > - cxlmd->endpoint = ERR_PTR(-ENXIO);
> > + cxlmd->endpoint = NULL;
> >
> > dev = &cxlmd->dev;
> > device_initialize(dev);
>
>
Powered by blists - more mailing lists