CVE-2023-52617 Information

Description

In the Linux kernel the following vulnerability has been resolved:

PCI: switchtec: Fix stdev_release() crash after surprise hot remove

A PCI device hot removal may occur while stdev->cdev is held open. The call to stdev_release() then happens during close or exit at a point way past switchtec_pci_remove(). Otherwise the last ref would vanish with the trailing put_device() just before return.

At that later point in time the devm cleanup has already removed the stdev->mmio_mrpc mapping. Also the stdev->pdev reference was not a counted one. Therefore in DMA mode the iowrite32() in stdev_release() will cause a fatal page fault and the subsequent dma_free_coherent() if reached would pass a stale &stdev->pdev->dev pointer.

Fix by moving MRPC DMA shutdown into switchtec_pci_remove() after stdev_kill(). Counting the stdev->pdev ref is now optional but may prevent future accidents.

Reproducible via the script at https://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com

Reference

https://git.kernel.org/stable/c/d8c293549946ee5078ed0ab77793cec365559355 https://git.kernel.org/stable/c/4a5d0528cf19dbf060313dffbe047bc11c90c24c https://git.kernel.org/stable/c/ff1c7e2fb9e9c3f53715fbe04d3ac47b80be7eb8 https://git.kernel.org/stable/c/1d83c85922647758c1f1e4806a4c5c3cf591a20a https://git.kernel.org/stable/c/0233b836312e39a3c763fb53512b3fa455b473b3 https://git.kernel.org/stable/c/e129c7fa7070fbce57feb0bfc5eaa65eef44b693 https://git.kernel.org/stable/c/df25461119d987b8c81d232cfe4411e91dcabe66