CVE-2024-50226

In the Linux kernel, the following vulnerability has been resolved:

cxl/port: Fix use-after-free, permit out-of-order decoder shutdown

In support of investigating an initialization failure report [1], cxltest was updated to register mock memory-devices after the mock root-port/bus device had been registered. That led to cxltest crashing with a use-after-free bug with the following signature:

cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem0:decoder7.0 @ 0 next: cxl_switch_uport.0 nr_eps: 1 nr_targets: 1
cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem4:decoder14.0 @ 1 next: cxl_switch_uport.0 nr_eps: 2 nr_targets: 1
cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[0] = cxl_switch_dport.0 for mem0:decoder7.0 @ 0

1) cxlportsetuptargets: cxl region3: cxlswitchuport.0:port6 target[1] = cxlswitchdport.4 for mem4:decoder14.0 @ 1 [..] cxldunregister: cxl decoder14.0: cxlregiondecodereset: cxlregion region3: mockdecoderreset: cxlport port3: decoder3.0 reset 2) mockdecoderreset: cxlport port3: decoder3.0: out of order reset, expected decoder3.1 cxlendpointdecoderrelease: cxl decoder14.0: [..] cxldunregister: cxl decoder7.0: 3) cxlregiondecodereset: cxlregion region3: Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bc3: 0000 [#1] PREEMPT SMP PTI [..] RIP: 0010:tocxlport+0x8/0x60 [cxlcore] [..] Call Trace: <TASK> cxlregiondecodereset+0x69/0x190 [cxlcore] cxlregiondetach+0xe8/0x210 [cxlcore] cxldecoderkillregion+0x27/0x40 [cxlcore] cxldunregister+0x5d/0x60 [cxlcore]

At 1) a region has been established with 2 endpoint decoders (7.0 and 14.0). Those endpoints share a common switch-decoder in the topology (3.0). At teardown, 2), decoder14.0 is the first to be removed and hits the "out of order reset case" in the switch decoder. The effect though is that region3 cleanup is aborted leaving it in-tact and referencing decoder14.0. At 3) the second attempt to teardown region3 trips over the stale decoder14.0 object which has long since been deleted.

The fix here is to recognize that the CXL specification places no mandate on in-order shutdown of switch-decoders, the driver enforces in-order allocation, and hardware enforces in-order commit. So, rather than fail and leave objects dangling, always remove them.

In support of making cxlregiondecodereset() always succeed, cxlregioninvalidatememregion() failures are turned into warnings. Crashing the kernel is ok there since system integrity is at risk if caches cannot be managed around physical address mutation events like CXL region destruction.

A new deviceforeachchildreversefrom() is added to cleanup port->commitend after all dependent decoders have been disabled. In other words if decoders are allocated 0->1->2 and disabled 1->2->0 then port->commit_end only decrements from 2 after 2 has been disabled, and it decrements all the way to zero since 1 was disabled previously.