CVE-2023-52771

2024-05-2116:15:16

416baaa9-dc9f-4396-8d5f-8c081fb06d67

web.nvd.nist.gov

linux kernel

vulnerability

cxl subsystem

endpoint port

cxl_port driver

hierarchy

port lineage

memdev

delete_endpoint()

parent

device_lock

bug fix

reference

use-after-free

spinlock

rch topologies.

6.6 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.6%

JSON

In the Linux kernel, the following vulnerability has been resolved:

cxl/port: Fix delete_endpoint() vs parent unregistration race

The CXL subsystem, at cxl_mem ->probe() time, establishes a lineage of
ports (struct cxl_port objects) between an endpoint and the root of a
CXL topology. Each port including the endpoint port is attached to the
cxl_port driver.

Given that setup, it follows that when either any port in that lineage
goes through a cxl_port ->remove() event, or the memdev goes through a
cxl_mem ->remove() event. The hierarchy below the removed port, or the
entire hierarchy if the memdev is removed needs to come down.

The delete_endpoint() callback is careful to check whether it is being
called to tear down the hierarchy, or if it is only being called to
teardown the memdev because an ancestor port is going through
->remove().

That care needs to take the device_lock() of the endpoint’s parent.
Which requires 2 bugs to be fixed:

1/ A reference on the parent is needed to prevent use-after-free
scenarios like this signature:

BUG: spinlock bad magic on CPU#0, kworker/u56:0/11
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023
Workqueue: cxl_port detach_memdev [cxl_core]
RIP: 0010:spin_bug+0x65/0xa0
Call Trace:
  do_raw_spin_lock+0x69/0xa0
 __mutex_lock+0x695/0xb80
 delete_endpoint+0xad/0x150 [cxl_core]
 devres_release_all+0xb8/0x110
 device_unbind_cleanup+0xe/0x70
 device_release_driver_internal+0x1d2/0x210
 detach_memdev+0x15/0x20 [cxl_core]
 process_one_work+0x1e3/0x4c0
 worker_thread+0x1dd/0x3d0

2/ In the case of RCH topologies, the parent device that needs to be
locked is not always @port->dev as returned by cxl_mem_find_port(), use
endpoint->dev.parent instead.

Affected configurations

Vulners

Node

linuxlinux_kernelRange5.18–6.5.13

linuxlinux_kernelRange6.6.0–6.6.3

linuxlinux_kernelRange6.7.0≥

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/cxl/core/port.c"
    ],
    "versions": [
      {
        "version": "8dd2bc0f8e02",
        "lessThan": "37179fcc916b",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "8dd2bc0f8e02",
        "lessThan": "6b2e428e673b",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "8dd2bc0f8e02",
        "lessThan": "8d2ad999ca3c",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/cxl/core/port.c"
    ],
    "versions": [
      {
        "version": "5.18",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.18",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.5.13",
        "lessThanOrEqual": "6.5.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.3",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.7",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]