Re: [PATCH v2] cxl/region: Validate partition index before array access
From: Alison Schofield
Date: Tue Apr 14 2026 - 00:38:01 EST
On Tue, Apr 14, 2026 at 10:45:27AM +0800, KobaK wrote:
> From: Koba Ko <kobak@xxxxxxxxxx>
>
> construct_region() reads cxled->part and uses it to index
> cxlds->part[] without checking for a negative value. If the
> partition was never resolved, part remains at its initial value
> of -1, causing an out-of-bounds array access.
>
> Add a guard to return -EBUSY when part is negative.
>
> Fixes: be5cbd084027 ("cxl: Kill enum cxl_decoder_mode")
The above tag added the check for part < 0 in construct_region(),
so that's not the fixes tag. Like I wrote in v1, I don't see the
obvious tag that deleted that check, else I'd just tell you.
> Signed-off-by: Koba Ko <kobak@xxxxxxxxxx>
> ---
Need a changelog here.
See https://docs.kernel.org/process/submitting-patches.html#commentary
> drivers/cxl/core/region.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c
> index edc267c6cf77..de749b54fd62 100644
> --- a/drivers/cxl/core/region.c
> +++ b/drivers/cxl/core/region.c
> @@ -3712,6 +3712,9 @@ static struct cxl_region *construct_region(struct cxl_root_decoder *cxlrd,
> int rc, part = READ_ONCE(cxled->part);
> struct cxl_region *cxlr;
>
> + if (part < 0)
> + return ERR_PTR(-EBUSY);
> +
> do {
> cxlr = __create_region(cxlrd, cxlds->part[part].mode,
> atomic_read(&cxlrd->region_id),
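Review bot: the `if (part < 0)` guard added at the top of construct_region() covers only the lower bound, although the subject line promises to validate the partition index; `cxlds->part[part]` is still indexed with no check that `part` is below the number of entries in `cxlds->part[]`. If an out-of-range positive value cannot occur, say so in the commit message; otherwise fold the upper-bound check into the same condition. The choice of -EBUSY for a partition that "was never resolved" also deserves a short comment above the guard or a sentence in the commit message, since nothing in the hunk shows why an unresolved partition is reported as busy.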
> --
> 2.43.0
>
>