CVE-2023-52617

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: switchtec: Fix stdev_release() crash after surprise hot remove<br /> <br /> A PCI device hot removal may occur while stdev-&gt;cdev is held open. The call<br /> to stdev_release() then happens during close or exit, at a point way past<br /> switchtec_pci_remove(). Otherwise the last ref would vanish with the<br /> trailing put_device(), just before return.<br /> <br /> At that later point in time, the devm cleanup has already removed the<br /> stdev-&gt;mmio_mrpc mapping. Also, the stdev-&gt;pdev reference was not a counted<br /> one. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause<br /> a fatal page fault, and the subsequent dma_free_coherent(), if reached,<br /> would pass a stale &amp;stdev-&gt;pdev-&gt;dev pointer.<br /> <br /> Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), after<br /> stdev_kill(). Counting the stdev-&gt;pdev ref is now optional, but may prevent<br /> future accidents.<br /> <br /> Reproducible via the script at<br /> https://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com