CVE-2023-54117
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/12/2025
Last modified:
24/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

s390/dcssblk: fix kernel crash with list_add corruption

Commit fb08a1908cb1 ("dax: simplify the dax_device gendisk
association") introduced new logic for gendisk association, requiring
drivers to explicitly call dax_add_host() and dax_remove_host().

For dcssblk driver, some dax_remove_host() calls were missing, e.g. in
device remove path. The commit also broke error handling for out_dax case
in device add path, resulting in an extra put_device() w/o the previous
get_device() in that case.

This led to stale xarray entries after device add / remove cycles. In the
case when a previously used struct gendisk pointer (xarray index) would be
used again, because blk_alloc_disk() happened to return such a pointer, the
xa_insert() in dax_add_host() would fail and go to out_dax, doing the extra
put_device() in the error path. In combination with an already flawed error
handling in dcssblk (device_register() cleanup), which needs to be
addressed in a separate patch, this resulted in a missing device_del() /
klist_del(), and eventually in the kernel crash with list_add corruption on
a subsequent device_add() / klist_add().

Fix this by adding the missing dax_remove_host() calls, and also move the
put_device() in the error path to restore the previous logic.
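
The sequence described above, as an added userspace model that is not the dcssblk driver or the kernel patch: a pointer-keyed table stands in for the xarray, and an integer stands in for the device reference count. All `model_*` names, the starting count of 1 and the table size are assumptions made for illustration.

```c
/* Userspace model constructed for illustration; not kernel code. */
#include <errno.h>
#include <stdio.h>

#define SLOTS 8
static const void *hosts[SLOTS];  /* models the xarray indexed by gendisk pointer */
struct model_dev { int refs; };   /* models the struct device reference count */
/* Like xa_insert(): refuses an index that is already present. */
static int model_add_host(const void *disk) {
    int slot = -1;
    for (int i = 0; i < SLOTS; i++) {
        if (hosts[i] == disk) return -EBUSY;
        if (!hosts[i] && slot < 0) slot = i;
    }
    if (slot < 0) return -ENOMEM;
    hosts[slot] = disk;
    return 0;
}
static void model_remove_host(const void *disk) {
    for (int i = 0; i < SLOTS; i++)
        if (hosts[i] == disk) hosts[i] = NULL;
}
/* Add path (assumed ordering): the get happens only once the host entry exists. */
static int model_device_add(struct model_dev *dev, const void *disk, int fixed) {
    int rc = model_add_host(disk);
    if (rc && !fixed) dev->refs--;  /* out_dax: extra put with no earlier get */
    if (!rc) dev->refs++;
    return rc;
}
static void model_device_remove(struct model_dev *dev, const void *disk, int fixed) {
    if (fixed) model_remove_host(disk);  /* the call missing before the fix */
    dev->refs--;                         /* put matching the get in the add path */
}
/* Add, remove, then add again with the same disk address handed out again. */
static int model_cycle(int fixed, int *refs_after) {
    static int disk;  /* its address plays the reused gendisk pointer */
    struct model_dev first = { 1 }, second = { 1 };
    for (int i = 0; i < SLOTS; i++) hosts[i] = NULL;
    model_device_add(&first, &disk, fixed);
    model_device_remove(&first, &disk, fixed);
    int rc = model_device_add(&second, &disk, fixed);
    *refs_after = second.refs;
    return rc;
}
int main(void) {
    int r0, r1, rc0 = model_cycle(0, &r0), rc1 = model_cycle(1, &r1);
    printf("before fix: rc=%d refs=%d; after fix: rc=%d refs=%d\n", rc0, r0, rc1, r1);
    return 0;
}
```

In the unfixed variant the second add fails with -EBUSY on the stale entry and the error path drops a reference it never took; with the remove call in place the same cycle succeeds and the count stays balanced.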



