[PATCH 2/2] cxl/region: Fill first free targets[] slot during auto-discovery

[Li Ming]

Any invalid endpoint decoder pointer in the target array of an active
region is not allowed by cxl driver. This means cxl driver always
assumes the first p->nr_targets entries of the target array in an
auto-assembly region are valid. However, there are scenarios that could
leave NULL endpoint decoder pointer holes in the target array.

1. When cxl_cancel_auto_attach() removes an endpoint decoder from a
   target array, the target slot is set to NULL. If the removed endpoint
   decoder is not the last element in the target array, the target array
   will contain a NULL hole.

2. When a auto-assembly region removes an assigned endpoint decoder, if
   the removed endpoint decoder is not the last element in the target
   array, always remains a NULL hole in the target array.

When a NULL pointer hole exists in a region's target array, it
introduces two potential problems:
1. Access an endpoint decoder via a NULL pointer. it always trigger
   calltrace like that.
    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KASAN PTI
    RIP: 0010:cxl_calc_interleave_pos+0x26/0x810 [cxl_core]
    Call Trace:
      <TASK>
      cxl_region_attach+0xc50/0x2140 [cxl_core]
      cxl_add_to_region+0x321/0x2330 [cxl_core]
      discover_region+0x92/0x150 [cxl_port]
      device_for_each_child+0xf3/0x170
      cxl_port_probe+0x150/0x200 [cxl_port]
      cxl_bus_probe+0x4f/0xa0 [cxl_core]
      really_probe+0x1c8/0x960
      __driver_probe_device+0x323/0x450
      driver_probe_device+0x45/0x120
      __device_attach_driver+0x15d/0x280
      bus_for_each_drv+0x10f/0x190

2. Not having enough valid endpoint decoders attached to an
   auto-assembly region. if an auto-assembly region is created with lock
   flag or assigned endpoint decoder with lock flag, which means
   assigned endpoint decoder will not be reset during detaching, they
   could re-attach to the auto-assembly region again. But cxl region
   driver relies on p->nr_targets to verify whether the required number
   of endpoint decoders has been attached, and NULL endpoint decoder
   pointers are still counted in that case.

To fix above issues, adjust cxl_region_attach_auto() logic to find the
first free target slot for endpoint decoder attachment, this ensures
NULL holes in the target array are filled, rather than adding new
endpoint decoders at the tail of the target array.

Fixes: 87805c32e6ad ("cxl/region: Fix use-after-free from auto assembly failure")
Fixes: 2230c4bdc412 ("cxl: Add handling of locked CXL decoder")
Suggested-by: Alison Schofield <alison.schofield@xxxxxxxxx>
Signed-off-by: Li Ming <ming.li@xxxxxxxxxxxx>
---
 drivers/cxl/core/region.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c
index c4335ebf19f7..532dac77bd00 100644
--- a/drivers/cxl/core/region.c
+++ b/drivers/cxl/core/region.c
@@ -1848,8 +1848,21 @@ static int cxl_region_attach_auto(struct cxl_region *cxlr,
 	 * this means that userspace can view devices in the wrong position
 	 * before the region activates, and must be careful to understand when
 	 * it might be racing region autodiscovery.
+	 *
+	 * The endpoint decoder will be recorded into the first free slot of
+	 * the target array.
 	 */
-	pos = p->nr_targets;
+	for (pos = 0; pos < p->interleave_ways; pos++) {
+		if (!p->targets[pos])
+			break;
+	}
+
+	if (pos == p->interleave_ways) {
+		dev_err(&cxlr->dev, "%s: unable to find a free target slot\n",
+			dev_name(&cxled->cxld.dev));
+		return -ENXIO;
+	}
+
 	p->targets[pos] = cxled;
 	cxled->pos = pos;
 	cxled->state = CXL_DECODER_STATE_AUTO_STAGED;

-- 
2.43.0