[PATCH] cxl/region: Validate partition index before array access

Next message: Marc Zyngier: "Re: [PATCH v7 7/7] KVM: arm64: Normalize cache configuration"
Previous message: Zi Yan: "Re: [PATCH v3 08/10] mm: replace thp_disabled_by_hw() with pgtable_has_pmd_leaves()"
Next in thread: Dave Jiang: "Re: [PATCH] cxl/region: Validate partition index before array access"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: KobaK

Date: Thu Apr 09 2026 - 11:48:26 EST

From: Koba Ko <kobak@xxxxxxxxxx>

Check partition index bounds before accessing cxlds->part[] to prevent
out-of-bounds access when part is -1 or invalid.

The partition index is read from cxled->part without validation. If it's
negative or exceeds nr_partitions, accessing cxlds->part[part].mode will
cause out-of-bounds array access.

Fixes: 5ec67596e368 ("cxl/region: Drop goto pattern of construct_region()")
Signed-off-by: Koba Ko <kobak@xxxxxxxxxx>
---
drivers/cxl/core/region.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c
index edc267c6cf77a..6be46636db7ee 100644
--- a/drivers/cxl/core/region.c
+++ b/drivers/cxl/core/region.c
@@ -3712,6 +3712,14 @@ static struct cxl_region *construct_region(struct cxl_root_decoder *cxlrd,
int rc, part = READ_ONCE(cxled->part);
struct cxl_region *cxlr;

+ if (part < 0 || part >= cxlds->nr_partitions) {
+ dev_err(cxlmd->dev.parent,
+ "%s:%s: invalid partition index %d (max %u)\n",
+ dev_name(&cxlmd->dev), dev_name(&cxled->cxld.dev),
+ part, cxlds->nr_partitions);
+ return ERR_PTR(-ENXIO);
+ }
+
do {
cxlr = __create_region(cxlrd, cxlds->part[part].mode,
atomic_read(&cxlrd->region_id),
--
2.43.0