3.5 KiB
CVE-2024-50226
Description
In the Linux kernel, the following vulnerability has been resolved:cxl/port: Fix use-after-free, permit out-of-order decoder shutdownIn support of investigating an initialization failure report [1],cxl_test was updated to register mock memory-devices after the mockroot-port/bus device had been registered. That led to cxl_test crashingwith a use-after-free bug with the following signature: cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem0:decoder7.0 @ 0 next: cxl_switch_uport.0 nr_eps: 1 nr_targets: 1 cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem4:decoder14.0 @ 1 next: cxl_switch_uport.0 nr_eps: 2 nr_targets: 1 cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[0] = cxl_switch_dport.0 for mem0:decoder7.0 @ 01) cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[1] = cxl_switch_dport.4 for mem4:decoder14.0 @ 1 [..] cxld_unregister: cxl decoder14.0: cxl_region_decode_reset: cxl_region region3: mock_decoder_reset: cxl_port port3: decoder3.0 reset2) mock_decoder_reset: cxl_port port3: decoder3.0: out of order reset, expected decoder3.1 cxl_endpoint_decoder_release: cxl decoder14.0: [..] cxld_unregister: cxl decoder7.0:3) cxl_region_decode_reset: cxl_region region3: Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bc3: 0000 [#1] PREEMPT SMP PTI [..] RIP: 0010:to_cxl_port+0x8/0x60 [cxl_core] [..] Call Trace: cxl_region_decode_reset+0x69/0x190 [cxl_core] cxl_region_detach+0xe8/0x210 [cxl_core] cxl_decoder_kill_region+0x27/0x40 [cxl_core] cxld_unregister+0x5d/0x60 [cxl_core]At 1) a region has been established with 2 endpoint decoders (7.0 and14.0). Those endpoints share a common switch-decoder in the topology(3.0). At teardown, 2), decoder14.0 is the first to be removed and hitsthe "out of order reset case" in the switch decoder. The effect thoughis that region3 cleanup is aborted leaving it in-tact andreferencing decoder14.0. At 3) the second attempt to teardown region3trips over the stale decoder14.0 object which has long since beendeleted.The fix here is to recognize that the CXL specification places nomandate on in-order shutdown of switch-decoders, the driver enforcesin-order allocation, and hardware enforces in-order commit. So, ratherthan fail and leave objects dangling, always remove them.In support of making cxl_region_decode_reset() always succeed,cxl_region_invalidate_memregion() failures are turned into warnings.Crashing the kernel is ok there since system integrity is at risk ifcaches cannot be managed around physical address mutation events likeCXL region destruction.A new device_for_each_child_reverse_from() is added to cleanupport->commit_end after all dependent decoders have been disabled. Inother words if decoders are allocated 0->1->2 and disabled 1->2->0 thenport->commit_end only decrements from 2 after 2 has been disabled, andit decrements all the way to zero since 1 was disabled previously.
POC
Reference
No PoCs from references.