CVE-2024-26762

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl/pci: Skip to handle RAS errors if CXL.mem device is detached<br /> <br /> The PCI AER model is an awkward fit for CXL error handling. While the<br /> expectation is that a PCI device can escalate to link reset to recover<br /> from an AER event, the same reset on CXL amounts to a surprise memory<br /> hotplug of massive amounts of memory.<br /> <br /> At present, the CXL error handler attempts some optimistic error<br /> handling to unbind the device from the cxl_mem driver after reaping some<br /> RAS register values. This results in a "hopeful" attempt to unplug the<br /> memory, but there is no guarantee that will succeed.<br /> <br /> A subsequent AER notification after the memdev unbind event can no<br /> longer assume the registers are mapped. Check for memdev bind before<br /> reaping status register values to avoid crashes of the form:<br /> <br /> BUG: unable to handle page fault for address: ffa00000195e9100<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> [...]<br /> RIP: 0010:__cxl_handle_ras+0x30/0x110 [cxl_core]<br /> [...]<br /> Call Trace:<br /> <br /> ? __die+0x24/0x70<br /> ? page_fault_oops+0x82/0x160<br /> ? kernelmode_fixup_or_oops+0x84/0x110<br /> ? exc_page_fault+0x113/0x170<br /> ? asm_exc_page_fault+0x26/0x30<br /> ? __pfx_dpc_reset_link+0x10/0x10<br /> ? __cxl_handle_ras+0x30/0x110 [cxl_core]<br /> ? find_cxl_port+0x59/0x80 [cxl_core]<br /> cxl_handle_rp_ras+0xbc/0xd0 [cxl_core]<br /> cxl_error_detected+0x6c/0xf0 [cxl_core]<br /> report_error_detected+0xc7/0x1c0<br /> pci_walk_bus+0x73/0x90<br /> pcie_do_recovery+0x23f/0x330<br /> <br /> Longer term, the unbind and PCI_ERS_RESULT_DISCONNECT behavior might<br /> need to be replaced with a new PCI_ERS_RESULT_PANIC.