CVE-2023-52849

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl/mem: Fix shutdown order<br /> <br /> Ira reports that removing cxl_mock_mem causes a crash with the following<br /> trace:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000044<br /> [..]<br /> RIP: 0010:cxl_region_decode_reset+0x7f/0x180 [cxl_core]<br /> [..]<br /> Call Trace:<br /> <br /> cxl_region_detach+0xe8/0x210 [cxl_core]<br /> cxl_decoder_kill_region+0x27/0x40 [cxl_core]<br /> cxld_unregister+0x29/0x40 [cxl_core]<br /> devres_release_all+0xb8/0x110<br /> device_unbind_cleanup+0xe/0x70<br /> device_release_driver_internal+0x1d2/0x210<br /> bus_remove_device+0xd7/0x150<br /> device_del+0x155/0x3e0<br /> device_unregister+0x13/0x60<br /> devm_release_action+0x4d/0x90<br /> ? __pfx_unregister_port+0x10/0x10 [cxl_core]<br /> delete_endpoint+0x121/0x130 [cxl_core]<br /> devres_release_all+0xb8/0x110<br /> device_unbind_cleanup+0xe/0x70<br /> device_release_driver_internal+0x1d2/0x210<br /> bus_remove_device+0xd7/0x150<br /> device_del+0x155/0x3e0<br /> ? lock_release+0x142/0x290<br /> cdev_device_del+0x15/0x50<br /> cxl_memdev_unregister+0x54/0x70 [cxl_core]<br /> <br /> This crash is due to the clearing out the cxl_memdev&amp;#39;s driver context<br /> (@cxlds) before the subsystem is done with it. This is ultimately due to<br /> the region(s), that this memdev is a member, being torn down and expecting<br /> to be able to de-reference @cxlds, like here:<br /> <br /> static int cxl_region_decode_reset(struct cxl_region *cxlr, int count)<br /> ...<br /> if (cxlds-&gt;rcd)<br /> goto endpoint_reset;<br /> ...<br /> <br /> Fix it by keeping the driver context valid until memdev-device<br /> unregistration, and subsequently the entire stack of related<br /> dependencies, unwinds.