[PATCH v2] cxl/region: Validate partition index before array access
From: KobaK
Date: Mon Apr 13 2026 - 22:45:49 EST
From: Koba Ko <kobak@xxxxxxxxxx>

construct_region() reads cxled->part and uses it to index
cxlds->part[] without checking for a negative value. If the
partition was never resolved, part remains at its initial value
of -1, causing an out-of-bounds array access.

Add a guard to return -EBUSY when part is negative.

Fixes: be5cbd084027 ("cxl: Kill enum cxl_decoder_mode")
Signed-off-by: Koba Ko <kobak@xxxxxxxxxx>
---
drivers/cxl/core/region.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c
index edc267c6cf77..de749b54fd62 100644
--- a/drivers/cxl/core/region.c
+++ b/drivers/cxl/core/region.c
@@ -3712,6 +3712,9 @@ static struct cxl_region *construct_region(struct cxl_root_decoder *cxlrd,
int rc, part = READ_ONCE(cxled->part);
struct cxl_region *cxlr;
+ if (part < 0)
+ return ERR_PTR(-EBUSY);
+
do {
cxlr = __create_region(cxlrd, cxlds->part[part].mode,
atomic_read(&cxlrd->region_id),
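Review bot: the new `if (part < 0)` guard rejects only the negative case, while `cxlds->part[part].mode` in the loop below is still indexed with no upper bound visible in this hunk. If part can never reach or exceed the number of populated entries in cxlds->part[], please say so in the commit message; otherwise extend the guard to cover the upper end as well. The early return is also silent and undocumented: a one-line comment that a negative part means the partition was never resolved, plus a dev_dbg() before the return, would make it clear why -EBUSY was chosen and make this failure distinguishable from other construct_region() errors when debugging.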
--
2.43.0