CVE-2023-52617: PCI: switchtec: Fix stdev_release() crash after surprise hot remove

From: Lee Jones <lee@kernel.org>
To: linux-cve-announce@vger.kernel.org
Cc: Lee Jones <lee@kernel.org>
Subject: CVE-2023-52617: PCI: switchtec: Fix stdev_release() crash after surprise hot remove
Date: Mon, 18 Mar 2024 10:21:18 +0000	[thread overview]
Message-ID: <20240318102117.2839904-7-lee@kernel.org> (raw)

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

PCI: switchtec: Fix stdev_release() crash after surprise hot remove

A PCI device hot removal may occur while stdev->cdev is held open. The call
to stdev_release() then happens during close or exit, at a point way past
switchtec_pci_remove(). Otherwise the last ref would vanish with the
trailing put_device(), just before return.

At that later point in time, the devm cleanup has already removed the
stdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted
one. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause
a fatal page fault, and the subsequent dma_free_coherent(), if reached,
would pass a stale &stdev->pdev->dev pointer.

Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), after
stdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent
future accidents.

Reproducible via the script at
https://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com

The Linux kernel CVE team has assigned CVE-2023-52617 to this issue.

Affected and fixed versions
===========================

	Fixed in 5.4.269 with commit d8c293549946
	Fixed in 5.10.210 with commit 4a5d0528cf19
	Fixed in 5.15.149 with commit ff1c7e2fb9e9
	Fixed in 6.1.77 with commit 1d83c8592264
	Fixed in 6.6.16 with commit 0233b836312e
	Fixed in 6.7.4 with commit e129c7fa7070
	Fixed in 6.8 with commit df25461119d9

Please see https://www.kernel.org or a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52617
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/pci/switch/switchtec.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/d8c293549946ee5078ed0ab77793cec365559355
	https://git.kernel.org/stable/c/4a5d0528cf19dbf060313dffbe047bc11c90c24c
	https://git.kernel.org/stable/c/ff1c7e2fb9e9c3f53715fbe04d3ac47b80be7eb8
	https://git.kernel.org/stable/c/1d83c85922647758c1f1e4806a4c5c3cf591a20a
	https://git.kernel.org/stable/c/0233b836312e39a3c763fb53512b3fa455b473b3
	https://git.kernel.org/stable/c/e129c7fa7070fbce57feb0bfc5eaa65eef44b693
	https://git.kernel.org/stable/c/df25461119d987b8c81d232cfe4411e91dcabe66