Re: [PATCH 2/2] cxl/region: Fill first free targets[] slot during auto-discovery

[Alison Schofield]

On Sat, Jun 06, 2026 at 03:51:01PM +0800, Li Ming wrote:
> Any invalid endpoint decoder pointer in the target array of an active
> region is not allowed by cxl driver. This means cxl driver always
> assumes the first p->nr_targets entries of the target array in an
> auto-assembly region are valid. However, there are scenarios that could
> leave NULL endpoint decoder pointer holes in the target array.
> 
> 1. When cxl_cancel_auto_attach() removes an endpoint decoder from a
>    target array, the target slot is set to NULL. If the removed endpoint
>    decoder is not the last element in the target array, the target array
>    will contain a NULL hole.
> 
> 2. When a auto-assembly region removes an assigned endpoint decoder, if
>    the removed endpoint decoder is not the last element in the target
>    array, always remains a NULL hole in the target array.
> 
> When a NULL pointer hole exists in a region's target array, it
> introduces two potential problems:
> 1. Access an endpoint decoder via a NULL pointer. it always trigger
>    calltrace like that.
>     Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KASAN PTI
>     RIP: 0010:cxl_calc_interleave_pos+0x26/0x810 [cxl_core]
>     Call Trace:
>       <TASK>
>       cxl_region_attach+0xc50/0x2140 [cxl_core]
>       cxl_add_to_region+0x321/0x2330 [cxl_core]
>       discover_region+0x92/0x150 [cxl_port]
>       device_for_each_child+0xf3/0x170
>       cxl_port_probe+0x150/0x200 [cxl_port]
>       cxl_bus_probe+0x4f/0xa0 [cxl_core]
>       really_probe+0x1c8/0x960
>       __driver_probe_device+0x323/0x450
>       driver_probe_device+0x45/0x120
>       __device_attach_driver+0x15d/0x280
>       bus_for_each_drv+0x10f/0x190
> 
> 2. Not having enough valid endpoint decoders attached to an
>    auto-assembly region. if an auto-assembly region is created with lock
>    flag or assigned endpoint decoder with lock flag, which means
>    assigned endpoint decoder will not be reset during detaching, they
>    could re-attach to the auto-assembly region again. But cxl region
>    driver relies on p->nr_targets to verify whether the required number
>    of endpoint decoders has been attached, and NULL endpoint decoder
>    pointers are still counted in that case.
> 
> To fix above issues, adjust cxl_region_attach_auto() logic to find the
> first free target slot for endpoint decoder attachment, this ensures
> NULL holes in the target array are filled, rather than adding new
> endpoint decoders at the tail of the target array.

Reviewed-by: Alison Schofield <alison.schofield@xxxxxxxxx>