CVE-2023-54323

Summary

In the Linux kernel, the following vulnerability has been resolved:

cxl/pmem: Fix nvdimm registration races

A loop of the form:

while true; do modprobe cxl_pci; modprobe -r cxl_pci; done

…fails with the following crash signature:

BUG: kernel NULL pointer dereference, address: 0000000000000040
[..]
RIP: 0010:cxl_internal_send_cmd+0x5/0xb0 [cxl_core]
[..]
Call Trace:
 <TASK>
 cxl_pmem_ctl+0x121/0x240 [cxl_pmem]
 nvdimm_get_config_data+0xd6/0x1a0 [libnvdimm]
 nd_label_data_init+0x135/0x7e0 [libnvdimm]
 nvdimm_probe+0xd6/0x1c0 [libnvdimm]
 nvdimm_bus_probe+0x7a/0x1e0 [libnvdimm]
 really_probe+0xde/0x380
 __driver_probe_device+0x78/0x170
 driver_probe_device+0x1f/0x90
 __device_attach_driver+0x85/0x110
 bus_for_each_drv+0x7d/0xc0
 __device_attach+0xb4/0x1e0
 bus_probe_device+0x9f/0xc0
 device_add+0x445/0x9c0
 nd_async_device_register+0xe/0x40 [libnvdimm]
 async_run_entry_fn+0x30/0x130

…namely that the bottom half of async nvdimm device registration runs after the CXL has already torn down the context that cxl_pmem_ctl() needs. Unlike the ACPI NFIT case that benefits from launching multiple nvdimm device registrations in parallel from those listed in the table, CXL is already marked PROBE_PREFER_ASYNCHRONOUS. So provide for a synchronous registration path to preclude this scenario.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux21083f51521fb0f60dbac591f175c3ed48435af4 < a371788d4f4a7f59eecd22644331d599979fd283affected
LinuxLinux21083f51521fb0f60dbac591f175c3ed48435af4 < 18c65667fa9104780eeaa0dc1bc240f0c2094772affected
LinuxLinux21083f51521fb0f60dbac591f175c3ed48435af4 < f57aec443c24d2e8e1f3b5b4856aea12ddda4254affected
LinuxLinux5.14affected
LinuxLinux0 < 5.14unaffected
LinuxLinux6.1.16 <= 6.1.*unaffected
LinuxLinux6.2.3 <= 6.2.*unaffected
LinuxLinux6.3 <= *unaffected

Weaknesses

References