CVE-2023-52771

Severity CVSS v4.0:
Pending analysis
Type:
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
21/05/2024
Last modified:
23/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

cxl/port: Fix delete_endpoint() vs parent unregistration race

The CXL subsystem, at cxl_mem ->probe() time, establishes a lineage of ports (struct cxl_port objects) between an endpoint and the root of a CXL topology. Each port, including the endpoint port, is attached to the cxl_port driver.

Given that setup, it follows that when either any port in that lineage goes through a cxl_port ->remove() event, or the memdev goes through a cxl_mem ->remove() event, the hierarchy below the removed port, or the entire hierarchy if the memdev is removed, needs to come down.

The delete_endpoint() callback is careful to check whether it is being called to tear down the hierarchy, or if it is only being called to tear down the memdev because an ancestor port is going through ->remove().

That care needs to take the device_lock() of the endpoint's parent, which requires 2 bugs to be fixed:

1/ A reference on the parent is needed to prevent use-after-free scenarios like this signature:

BUG: spinlock bad magic on CPU#0, kworker/u56:0/11
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023
Workqueue: cxl_port detach_memdev [cxl_core]
RIP: 0010:spin_bug+0x65/0xa0
Call Trace:
do_raw_spin_lock+0x69/0xa0
__mutex_lock+0x695/0xb80
delete_endpoint+0xad/0x150 [cxl_core]
devres_release_all+0xb8/0x110
device_unbind_cleanup+0xe/0x70
device_release_driver_internal+0x1d2/0x210
detach_memdev+0x15/0x20 [cxl_core]
process_one_work+0x1e3/0x4c0
worker_thread+0x1dd/0x3d0

2/ In the case of RCH topologies, the parent device that needs to be locked is not always @port->dev as returned by cxl_mem_find_port(), use endpoint->dev.parent instead.
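The first of the two bugs, locking a parent device without holding a reference on it, is a general pattern rather than something specific to CXL. The following is an added user-space model written for this page; it is not kernel code and not the cxl_core driver. It stands in for struct device with a small struct carrying a refcount, a "lock" flag and a live-object magic value, uses a fixed pool instead of the slab so that a stale pointer can be inspected without undefined behaviour, and runs the race as a fixed interleaving: the endpoint teardown reads its parent pointer, the parent port's ->remove() drops the registration reference, and only then does the teardown take the parent's lock. The names (device_alloc, get_device, put_device, device_lock, unregister_port, run_scenario) and the 0x6b poison byte are assumptions chosen for the model; the kernel's "spinlock bad magic" check is represented by device_lock() refusing a poisoned object. The hold_parent_ref flag selects between the pre-fix sequence and the fixed one that takes a reference before the lock.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define DEV_MAGIC 0x4c4f434bu   /* constructed "live object" marker */
#define MAX_DEVS  8

/* Minimal stand-in for struct device (constructed for this model). */
struct device {
    unsigned int magic;
    int refcount;            /* models the kobject kref */
    bool locked;             /* models device_lock()/device_unlock() state */
    struct device *parent;   /* like struct device::parent */
    const char *name;
};

/* Fixed pool: a "freed" object is poisoned in place and never reused,
 * so a dangling pointer can be checked without undefined behaviour. */
static struct device pool[MAX_DEVS];
static int pool_used;

static struct device *device_alloc(const char *name, struct device *parent)
{
    if (pool_used >= MAX_DEVS)
        return NULL;
    struct device *d = &pool[pool_used++];
    d->magic = DEV_MAGIC;
    d->refcount = 1;         /* the reference held by registration */
    d->locked = false;
    d->parent = parent;
    d->name = name;
    return d;
}

static struct device *get_device(struct device *d)
{
    if (d)
        d->refcount++;
    return d;
}

/* Final put releases the object. The poison mirrors freed slab memory:
 * any later use hits garbage instead of a live device. */
static void put_device(struct device *d)
{
    if (d && --d->refcount == 0)
        memset(d, 0x6b, sizeof(*d));
}

/* Returns 0 on success, -1 if the target is no longer a live device
 * (the kernel reports the same situation as "BUG: spinlock bad magic"). */
static int device_lock(struct device *d)
{
    if (d->magic != DEV_MAGIC)
        return -1;
    d->locked = true;
    return 0;
}

static void device_unlock(struct device *d)
{
    d->locked = false;
}

/* An ancestor port going through ->remove(): its registration reference
 * is dropped. In the real race this runs on another CPU. */
static void unregister_port(struct device *port)
{
    put_device(port);
}

/* Model of the endpoint teardown. hold_parent_ref=false is the pre-fix
 * sequence, true is the fixed one. Returns device_lock()'s result. */
static int delete_endpoint(struct device *endpoint, bool hold_parent_ref)
{
    /* The fix also locks endpoint->dev.parent rather than the port
     * returned by cxl_mem_find_port(); the model only has one parent. */
    struct device *parent = endpoint->parent;
    int ret;

    if (hold_parent_ref)
        get_device(parent);      /* pin the parent across the lock */

    unregister_port(parent);     /* the race window: parent ->remove() wins */

    ret = device_lock(parent);
    if (ret == 0) {
        /* decide hierarchy teardown vs memdev-only teardown here */
        device_unlock(parent);
    }

    if (hold_parent_ref)
        put_device(parent);      /* may be the final put; now it is safe */

    put_device(endpoint);
    return ret;
}

/* Builds one port with one endpoint beneath it and runs the teardown. */
static int run_scenario(bool hold_parent_ref)
{
    struct device *port = device_alloc("port1", NULL);
    struct device *ep = device_alloc("endpoint0", port);
    if (!port || !ep)
        return -2;
    return delete_endpoint(ep, hold_parent_ref);
}

int main(void)
{
    printf("without parent ref: %s\n",
           run_scenario(false) == 0 ? "ok" : "locked a dead device");
    printf("with parent ref:    %s\n",
           run_scenario(true) == 0 ? "ok" : "locked a dead device");
    return 0;
}
```

The point of the model is the ordering, not the data structure: a lock embedded in a reference-counted object is only safe to take while some reference guarantees the object outlives the critical section, and a parent pointer read from a child does not by itself provide that guarantee once the parent can be unregistered concurrently.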

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.18 (including) 6.5.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6 (including) 6.6.3 (excluding)