In the Linux kernel, the following vulnerability has been resolved:
cxl/mem: Fix shutdown order
Ira reports that removing cxlmockmem causes a crash with the following trace:
BUG: kernel NULL pointer dereference, address: 0000000000000044 [..] RIP: 0010:cxlregiondecodereset+0x7f/0x180 [cxlcore] [..] Call Trace: <TASK> cxlregiondetach+0xe8/0x210 [cxlcore] cxldecoderkillregion+0x27/0x40 [cxlcore] cxldunregister+0x29/0x40 [cxlcore] devresreleaseall+0xb8/0x110 deviceunbindcleanup+0xe/0x70 devicereleasedriverinternal+0x1d2/0x210 busremovedevice+0xd7/0x150 devicedel+0x155/0x3e0 deviceunregister+0x13/0x60 devmreleaseaction+0x4d/0x90 ? _pfxunregisterport+0x10/0x10 [cxlcore] deleteendpoint+0x121/0x130 [cxlcore] devresreleaseall+0xb8/0x110 deviceunbindcleanup+0xe/0x70 devicereleasedriverinternal+0x1d2/0x210 busremovedevice+0xd7/0x150 devicedel+0x155/0x3e0 ? lockrelease+0x142/0x290 cdevdevicedel+0x15/0x50 cxlmemdevunregister+0x54/0x70 [cxlcore]
This crash is due to the clearing out the cxl_memdev's driver context (@cxlds) before the subsystem is done with it. This is ultimately due to the region(s), that this memdev is a member, being torn down and expecting to be able to de-reference @cxlds, like here:
static int cxlregiondecodereset(struct cxlregion *cxlr, int count) ... if (cxlds->rcd) goto endpoint_reset; ...
Fix it by keeping the driver context valid until memdev-device unregistration, and subsequently the entire stack of related dependencies, unwinds.