CVE-2023-53123

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/05/2025
Last modified:
05/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

PCI: s390: Fix use-after-free of PCI resources with per-function hotplug

On s390 PCI functions may be hotplugged individually even when they belong to a multi-function device. In particular on an SR-IOV device VFs may be removed and later re-added.

In commit a50297cf8235 ("s390/pci: separate zbus creation from scanning") it was missed however that struct pci_bus and struct zpci_bus's resource list retained a reference to the PCI functions MMIO resources even though those resources are released and freed on hot-unplug. These stale resources may subsequently be claimed when the PCI function re-appears resulting in use-after-free.

One idea of fixing this use-after-free in s390 specific code that was investigated was to simply keep resources around from the moment a PCI function first appeared until the whole virtual PCI bus created for a multi-function device disappears. The problem with this however is that due to the requirement of artificial MMIO addresses (address cookies) extra logic is then needed to keep the address cookies compatible on re-plug. At the same time the MMIO resources semantically belong to the PCI function so tying their lifecycle to the function seems more logical.

Instead a simpler approach is to remove the resources of an individually hot-unplugged PCI function from the PCI bus's resource list while keeping the resources of other PCI functions on the PCI bus untouched.

This is done by introducing pci_bus_remove_resource() to remove an individual resource. Similarly the resource also needs to be removed from the struct zpci_bus's resource list. It turns out however, that there is really no need to add the MMIO resources to the struct zpci_bus's resource list at all and instead we can simply use the zpci_bar_struct's resource pointer directly.
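The lifetime rule behind the fix, as an added user-space model that is not the kernel patch or any kernel code: a bus list holds borrowed pointers to resources owned by individual functions, so hot-unplug must unlink the function's entry before freeing it. All `model_*` names, the struct layouts and the addresses used with them are hypothetical.

```c
/* Added user-space model with hypothetical names; not the kernel patch. */
#include <stdbool.h>
#include <stdlib.h>

struct res { unsigned long start; };      /* MMIO range, owned by one function */
struct bus_entry { struct res *res; struct bus_entry *next; };  /* borrowed pointer */
struct bus { struct bus_entry *resources; };

/* Unlink only the entry pointing at r; other functions' entries stay untouched. */
static bool model_bus_remove_resource(struct bus *b, const struct res *r)
{
    for (struct bus_entry **pp = &b->resources; *pp; pp = &(*pp)->next) {
        if ((*pp)->res == r) {
            struct bus_entry *dead = *pp;
            *pp = dead->next;
            free(dead);
            return true;
        }
    }
    return false;
}

/* Claim path on re-plug: walks the list and dereferences every recorded entry. */
static struct res *model_bus_find(const struct bus *b, unsigned long start)
{
    for (const struct bus_entry *e = b->resources; e; e = e->next)
        if (e->res->start == start)
            return e->res;
    return NULL;
}

/* Hot-plug: allocate the function's resource and record it on the bus list. */
static struct res *model_func_plug(struct bus *b, unsigned long start)
{
    struct res *r = malloc(sizeof(*r));
    struct bus_entry *e = malloc(sizeof(*e));
    if (!r || !e) abort();
    r->start = start;
    *e = (struct bus_entry){ .res = r, .next = b->resources };
    b->resources = e;
    return r;
}

/* Hot-unplug: drop the bus list's reference first, then free the resource. */
static bool model_func_unplug(struct bus *b, struct res *r)
{
    bool removed = model_bus_remove_resource(b, r);
    free(r);
    return removed;
}
```

If `model_func_unplug()` freed the resource without the unlink, the next `model_bus_find()` would dereference freed memory, which is the stale-reference pattern the description attributes to the bus resource lists.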

Impact