CVE-2023-52771
Description
In the Linux kernel, the following vulnerability has been resolved: cxl/port: Fix delete_endpoint() vs parent unregistration race The CXL subsystem, at cxl_mem ->probe() time, establishes a lineage of ports (struct cxl_port objects) between an endpoint and the root of a CXL topology. Each port including the endpoint port is attached to the cxl_port driver. Given that setup, it follows that when either any port in that lineage goes through a cxl_port ->remove() event, or the memdev goes through a cxl_mem ->remove() event. The hierarchy below the removed port, or the entire hierarchy if the memdev is removed needs to come down. The delete_endpoint() callback is careful to check whether it is being called to tear down the hierarchy, or if it is only being called to teardown the memdev because an ancestor port is going through ->remove(). That care needs to take the device_lock() of the endpoint's parent. Which requires 2 bugs to be fixed: 1/ A reference on the parent is needed to prevent use-after-free scenarios like this signature: BUG: spinlock bad magic on CPU#0, kworker/u56:0/11 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023 Workqueue: cxl_port detach_memdev [cxl_core] RIP: 0010:spin_bug+0x65/0xa0 Call Trace: do_raw_spin_lock+0x69/0xa0 __mutex_lock+0x695/0xb80 delete_endpoint+0xad/0x150 [cxl_core] devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1d2/0x210 detach_memdev+0x15/0x20 [cxl_core] process_one_work+0x1e3/0x4c0 worker_thread+0x1dd/0x3d0 2/ In the case of RCH topologies, the parent device that needs to be locked is not always @port->dev as returned by cxl_mem_find_port(), use endpoint->dev.parent instead.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Debian Mixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 6.5.13-1 |
| sid | Fixed | 6.5.13-1 |
| forky | Fixed | 6.5.13-1 |
| bullseye | Fixed | 0 |
| bookworm | Affected | โ |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | perf-5.14.0-427.33.1.el9_4.aarch64.rpm |
Red Hat Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
References
- https://access.redhat.com/errata/RHSA-2024:5928
- https://www.suse.com/security/cve/CVE-2023-52771.html
- https://security-tracker.debian.org/tracker/CVE-2023-52771
- https://bugzilla.redhat.com/2265185
- https://bugzilla.redhat.com/2272797
- https://bugzilla.redhat.com/2273654
- https://bugzilla.redhat.com/2275742
- https://bugzilla.redhat.com/2275744
- https://bugzilla.redhat.com/2277166
- https://bugzilla.redhat.com/2278256
- https://bugzilla.redhat.com/2278258
- https://bugzilla.redhat.com/2278264
- https://bugzilla.redhat.com/2281101
- https://bugzilla.redhat.com/2281284
- https://bugzilla.redhat.com/2281669
- https://bugzilla.redhat.com/2281672
- https://bugzilla.redhat.com/2281675
- https://bugzilla.redhat.com/2281916
- https://bugzilla.redhat.com/2281958
- https://bugzilla.redhat.com/2282720
- https://bugzilla.redhat.com/2283468
- https://bugzilla.redhat.com/2284421
- https://bugzilla.redhat.com/2293356
- https://bugzilla.redhat.com/2293414
- https://bugzilla.redhat.com/2293455
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.