In the Linux kernel, the following vulnerability has been resolved:
PCI: switchtec: Fix stdev_release() crash after surprise hot remove
A PCI device hot removal may occur while stdev->cdev is held open. The call to stdev_release() then happens during close or exit, at a point way past switchtec_pci_remove(). Otherwise the last ref would vanish with the trailing put_device(), just before return.
At that later point in time, the devm cleanup has already removed the stdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted one. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause a fatal page fault, and the subsequent dma_free_coherent(), if reached, would pass a stale &stdev->pdev->dev pointer.
Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), after stdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent future accidents.
Reproducible via the script at https://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com
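The ordering problem described above can be followed in a small userspace model. This is an added example, not kernel or driver code: every `model_*` name is hypothetical, and booleans stand in for the devm-managed MMIO mapping and the lifetime of the PCI device.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; all model_* names are hypothetical. */
struct model_pdev { bool alive; };       /* stands in for stdev->pdev */
struct model_stdev {
    int refs;                            /* references on the stdev device */
    bool mmio_mapped;                    /* devm-managed mmio_mrpc mapping */
    bool dma_enabled;                    /* MRPC DMA mode still active */
    struct model_pdev *pdev;             /* uncounted pointer, as on the page */
    int stale_accesses;                  /* accesses that would fault or dangle */
};

/* MRPC DMA shutdown: one MMIO write, then freeing the DMA buffer via pdev. */
static void model_dma_shutdown(struct model_stdev *s) {
    if (!s->dma_enabled) return;
    if (!s->mmio_mapped) s->stale_accesses++;  /* iowrite32() on unmapped MMIO */
    if (!s->pdev->alive) s->stale_accesses++;  /* dma_free_coherent() on stale pdev */
    s->dma_enabled = false;
}

/* Release callback: before the fix, DMA shutdown lived here. */
static void model_release(struct model_stdev *s, bool fixed) {
    if (!fixed) model_dma_shutdown(s);
}

static void model_put(struct model_stdev *s, bool fixed) {
    if (--s->refs == 0) model_release(s, fixed);
}

static void model_remove(struct model_stdev *s, bool fixed) {
    if (fixed) model_dma_shutdown(s);  /* fix: mapping and pdev still valid here */
    model_put(s, fixed);               /* trailing put_device() */
    s->mmio_mapped = false;            /* devm cleanup runs after remove returns */
    s->pdev->alive = false;            /* hot-removed device is gone */
}

/* Returns the number of stale accesses for one hot-remove scenario. */
int model_run(bool fixed, bool cdev_open) {
    struct model_pdev pdev = { true };
    struct model_stdev s = { 1, true, true, &pdev, 0 };
    if (cdev_open) s.refs++;              /* open cdev pins the stdev */
    model_remove(&s, fixed);
    if (cdev_open) model_put(&s, fixed);  /* close or exit after the removal */
    return s.stale_accesses;
}

int main(void) {
    printf("old, cdev open: %d stale accesses\n", model_run(false, true));
    printf("fixed, cdev open: %d stale accesses\n", model_run(true, true));
    return 0;
}
```

With the cdev closed, the old ordering is harmless because the trailing put drops the last reference before the devm cleanup; only the held-open case reaches the release callback too late.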