CVE-2026-23348

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl: Fix race of nvdimm_bus object when creating nvdimm objects<br /> <br /> Found issue during running of cxl-translate.sh unit test. Adding a 3s<br /> sleep right before the test seems to make the issue reproduce fairly<br /> consistently. The cxl_translate module has dependency on cxl_acpi and<br /> causes orphaned nvdimm objects to reprobe after cxl_acpi is removed.<br /> The nvdimm_bus object is registered by the cxl_nvb object when<br /> cxl_acpi_probe() is called. With the nvdimm_bus object missing,<br /> __nd_device_register() will trigger NULL pointer dereference when<br /> accessing the dev-&gt;parent that points to &amp;nvdimm_bus-&gt;dev.<br /> <br /> [ 192.884510] BUG: kernel NULL pointer dereference, address: 000000000000006c<br /> [ 192.895383] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025<br /> [ 192.897721] Workqueue: cxl_port cxl_bus_rescan_queue [cxl_core]<br /> [ 192.899459] RIP: 0010:kobject_get+0xc/0x90<br /> [ 192.924871] Call Trace:<br /> [ 192.925959] <br /> [ 192.926976] ? pm_runtime_init+0xb9/0xe0<br /> [ 192.929712] __nd_device_register.part.0+0x4d/0xc0 [libnvdimm]<br /> [ 192.933314] __nvdimm_create+0x206/0x290 [libnvdimm]<br /> [ 192.936662] cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem]<br /> [ 192.940245] cxl_bus_probe+0x1a/0x60 [cxl_core]<br /> [ 192.943349] really_probe+0xde/0x380<br /> <br /> This patch also relies on the previous change where<br /> devm_cxl_add_nvdimm_bridge() is called from drivers/cxl/pmem.c instead<br /> of drivers/cxl/core.c to ensure the dependency of cxl_acpi on cxl_pmem.<br /> <br /> 1. Set probe_type of cxl_nvb to PROBE_FORCE_SYNCHRONOUS to ensure the<br /> driver is probed synchronously when add_device() is called.<br /> 2. Add a check in __devm_cxl_add_nvdimm_bridge() to ensure that the<br /> cxl_nvb driver is attached during cxl_acpi_probe().<br /> 3. Take the cxl_root uport_dev lock and the cxl_nvb-&gt;dev lock in<br /> devm_cxl_add_nvdimm() before checking nvdimm_bus is valid.<br /> 4. Set cxl_nvdimm flag to CXL_NVD_F_INVALIDATED so cxl_nvdimm_probe()<br /> will exit with -EBUSY.<br /> <br /> The removal of cxl_nvdimm devices should prevent any orphaned devices<br /> from probing once the nvdimm_bus is gone.<br /> <br /> [ dj: Fixed 0-day reported kdoc issue. ]<br /> [ dj: Fix cxl_nvb reference leak on error. Gregory (kreview-0811365) ]