Re: [PATCH v2] cxl/region: Validate partition index before array access
From: Dave Jiang
Date: Thu May 21 2026 - 13:53:34 EST
On 4/13/26 7:45 PM, KobaK wrote:
> From: Koba Ko <kobak@xxxxxxxxxx>
>
> construct_region() reads cxled->part and uses it to index
> cxlds->part[] without checking for a negative value. If the
> partition was never resolved, part remains at its initial value
> of -1, causing an out-of-bounds array access.
>
> Add a guard to return -EBUSY when part is negative.
>
> Fixes: be5cbd084027 ("cxl: Kill enum cxl_decoder_mode")
> Signed-off-by: Koba Ko <kobak@xxxxxxxxxx>
Applied to cxl/next
abb3c0de1190
> ---
> drivers/cxl/core/region.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c
> index edc267c6cf77..de749b54fd62 100644
> --- a/drivers/cxl/core/region.c
> +++ b/drivers/cxl/core/region.c
> @@ -3712,6 +3712,9 @@ static struct cxl_region *construct_region(struct cxl_root_decoder *cxlrd,
> int rc, part = READ_ONCE(cxled->part);
> struct cxl_region *cxlr;
>
> + if (part < 0)
> + return ERR_PTR(-EBUSY);
> +
> do {
> cxlr = __create_region(cxlrd, cxlds->part[part].mode,
> atomic_read(&cxlrd->region_id),
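
Review bot: the new `if (part < 0)` guard checks only the lower bound, while `cxlds->part[part].mode` in the line below it would equally go out of bounds for a value past the end of the array. If anything other than the initial -1 can reach this point unvalidated, consider also bounding `part` against the number of valid entries in `cxlds->part[]` in the same test, which would match the "Validate partition index" subject more fully. Testing the local `part` snapshot taken with READ_ONCE(), rather than re-reading `cxled->part`, is the right shape, since the value that is checked is the value used as the index. A one-line comment on why -EBUSY is the return for an unresolved partition would help, as the commit message states the choice without giving the reason.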