lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260210154320.1748223-1-gourry@gourry.net>
Date: Tue, 10 Feb 2026 10:43:20 -0500
From: Gregory Price <gourry@...rry.net>
To: linux-cxl@...r.kernel.org
Cc: linux-kernel@...r.kernel.org,
	kernel-team@...a.com,
	dave@...olabs.net,
	jonathan.cameron@...wei.com,
	dave.jiang@...el.com,
	alison.schofield@...el.com,
	vishal.l.verma@...el.com,
	ira.weiny@...el.com,
	dan.j.williams@...el.com
Subject: [PATCH] cxl/memdev: fix deadlock in cxl_memdev_autoremove() on attach failure

cxl_memdev_autoremove() takes device_lock(&cxlmd->dev) via guard(device)
and then calls cxl_memdev_unregister() when the attach callback was
provided but cxl_mem_probe() failed to bind.

cxl_memdev_unregister() calls
  cdev_device_del()
    device_del()
      bus_remove_device()
        device_release_driver()

which also takes device_lock(), deadlocking the calling thread.

This path is reached when a driver uses the @attach parameter to
devm_cxl_add_memdev() and the CXL topology fails to enumerate (e.g.
DVSEC range registers decode outside platform-defined CXL ranges,
causing the endpoint port probe to fail).

Fix by using scoped_guard() and breaking out of the guard scope before
calling cxl_memdev_unregister(), so device_lock() is released first.

Fixes: 29317f8dc6ed ("cxl/mem: Introduce cxl_memdev_attach for CXL-dependent operation")
Signed-off-by: Gregory Price <gourry@...rry.net>
---
 drivers/cxl/core/memdev.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/drivers/cxl/core/memdev.c b/drivers/cxl/core/memdev.c
index af3d0cc65138..c0de767b24fb 100644
--- a/drivers/cxl/core/memdev.c
+++ b/drivers/cxl/core/memdev.c
@@ -1098,19 +1098,22 @@ static struct cxl_memdev *cxl_memdev_autoremove(struct cxl_memdev *cxlmd)
 	 * return. Note that failure here could be the result of a race to
 	 * teardown the CXL port topology. I.e. cxl_mem_probe() could have
 	 * succeeded and then cxl_mem unbound before the lock is acquired.
+	 *
+	 * Check under device_lock but unregister outside of it, as
+	 * cxl_memdev_unregister() will also take the device lock.
 	 */
-	guard(device)(&cxlmd->dev);
-	if (cxlmd->attach && !cxlmd->dev.driver) {
-		cxl_memdev_unregister(cxlmd);
-		return ERR_PTR(-ENXIO);
+	scoped_guard(device, &cxlmd->dev) {
+		if (cxlmd->attach && !cxlmd->dev.driver)
+			break;
+
+		rc = devm_add_action_or_reset(cxlmd->cxlds->dev,
+					      cxl_memdev_unregister, cxlmd);
+		if (rc)
+			return ERR_PTR(rc);
+		return cxlmd;
 	}
-
-	rc = devm_add_action_or_reset(cxlmd->cxlds->dev, cxl_memdev_unregister,
-				      cxlmd);
-	if (rc)
-		return ERR_PTR(rc);
-
-	return cxlmd;
+	cxl_memdev_unregister(cxlmd);
+	return ERR_PTR(-ENXIO);
 }
 
 /*
-- 
2.53.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ