1.4 KiB
CVE-2023-52617
Description
In the Linux kernel, the following vulnerability has been resolved:PCI: switchtec: Fix stdev_release() crash after surprise hot removeA PCI device hot removal may occur while stdev->cdev is held open. The callto stdev_release() then happens during close or exit, at a point way pastswitchtec_pci_remove(). Otherwise the last ref would vanish with thetrailing put_device(), just before return.At that later point in time, the devm cleanup has already removed thestdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a countedone. Therefore, in DMA mode, the iowrite32() in stdev_release() will causea fatal page fault, and the subsequent dma_free_coherent(), if reached,would pass a stale &stdev->pdev->dev pointer.Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), afterstdev_kill(). Counting the stdev->pdev ref is now optional, but may preventfuture accidents.Reproducible via the script athttps://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com
POC
Reference
No PoCs from references.