CVE-2026-23348

Source: https://cve.org/CVERecord?id=CVE-2026-23348
Import Source: https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23348.json
JSON Data: https://api.osv.dev/v1/vulns/CVE-2026-23348
Published: 2026-03-25T10:27:34.462Z
Modified: 2026-04-02T13:12:22.477134Z
Summary
cxl: Fix race of nvdimm_bus object when creating nvdimm objects
Details

In the Linux kernel, the following vulnerability has been resolved:

cxl: Fix race of nvdimm_bus object when creating nvdimm objects

Found issue during running of cxl-translate.sh unit test. Adding a 3s sleep right before the test seems to make the issue reproduce fairly consistently. The cxl_translate module has dependency on cxl_acpi and causes orphaned nvdimm objects to reprobe after cxl_acpi is removed. The nvdimm_bus object is registered by the cxl_nvb object when cxl_acpi_probe() is called. With the nvdimm_bus object missing, __nd_device_register() will trigger NULL pointer dereference when accessing the dev->parent that points to &nvdimm_bus->dev.

[ 192.884510] BUG: kernel NULL pointer dereference, address: 000000000000006c
[ 192.895383] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025
[ 192.897721] Workqueue: cxl_port cxl_bus_rescan_queue [cxl_core]
[ 192.899459] RIP: 0010:kobject_get+0xc/0x90
[ 192.924871] Call Trace:
[ 192.925959] <TASK>
[ 192.926976] ? pm_runtime_init+0xb9/0xe0
[ 192.929712] __nd_device_register.part.0+0x4d/0xc0 [libnvdimm]
[ 192.933314] __nvdimm_create+0x206/0x290 [libnvdimm]
[ 192.936662] cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem]
[ 192.940245] cxl_bus_probe+0x1a/0x60 [cxl_core]
[ 192.943349] really_probe+0xde/0x380

This patch also relies on the previous change where devm_cxl_add_nvdimm_bridge() is called from drivers/cxl/pmem.c instead of drivers/cxl/core.c to ensure the dependency of cxl_acpi on cxl_pmem.

  1. Set probe_type of cxl_nvb to PROBE_FORCE_SYNCHRONOUS to ensure the driver is probed synchronously when add_device() is called.
  2. Add a check in __devm_cxl_add_nvdimm_bridge() to ensure that the cxl_nvb driver is attached during cxl_acpi_probe().
  3. Take the cxl_root uport_dev lock and the cxl_nvb->dev lock in devm_cxl_add_nvdimm() before checking nvdimm_bus is valid.
  4. Set cxl_nvdimm flag to CXL_NVD_F_INVALIDATED so cxl_nvdimm_probe() will exit with -EBUSY.

The removal of cxl_nvdimm devices should prevent any orphaned devices from probing once the nvdimm_bus is gone.

[ dj: Fixed 0-day reported kdoc issue. ]
[ dj: Fix cxl_nvb reference leak on error. Gregory (kreview-0811365) ]
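
A userspace model of the ordering problem and of the checks in steps 3 and 4 above, added here as an illustration; it is not the kernel patch or code from the commit. All type and function names are hypothetical, and both the point where the invalidated flag is set (bridge teardown) and the -ENXIO return value are assumptions of the model.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

/* Userspace model only: all names are hypothetical stand-ins, not kernel code. */
struct model_bus { int id; };                 /* plays nvdimm_bus */
struct model_bridge {                         /* plays cxl_nvb */
    pthread_mutex_t lock;
    struct model_bus *bus;                    /* NULL once the bridge is unbound */
};
struct model_nvd {                            /* plays cxl_nvdimm */
    struct model_bridge *bridge;
    int invalidated;                          /* plays CXL_NVD_F_INVALIDATED */
};

/* Teardown. Assumption: children are flagged here, under the bridge lock. */
void bridge_remove(struct model_bridge *b, struct model_nvd **kids, size_t n)
{
    pthread_mutex_lock(&b->lock);
    b->bus = NULL;
    for (size_t i = 0; i < n; i++)
        kids[i]->invalidated = 1;
    pthread_mutex_unlock(&b->lock);
}

/* Pre-fix shape: the parent is taken unchecked. A NULL return is the
 * pointer the registration path would go on to dereference. */
struct model_bus *probe_unchecked(const struct model_nvd *nvd)
{
    return nvd->bridge->bus;
}

/* Post-fix shape: flag and bus validity are both tested under the lock. */
int probe_checked(struct model_nvd *nvd, struct model_bus **parent)
{
    struct model_bridge *b = nvd->bridge;
    int rc = 0;

    pthread_mutex_lock(&b->lock);
    if (nvd->invalidated)
        rc = -EBUSY;                          /* orphan refuses to reprobe */
    else if (!b->bus)
        rc = -ENXIO;                          /* assumed code: bus already gone */
    else
        *parent = b->bus;                     /* stable while the lock is held */
    pthread_mutex_unlock(&b->lock);
    return rc;
}
```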

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23348.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 8fdcb1704f61a8fd9be0f3849a174d084def0666
  Fixed: 5fc4e150c5ada5f7d20d8f9f1b351f10481fbdf7
  Fixed: 5b230daeee420833287cc77314439903e5312f10
  Fixed: 96a1fd0d84b17360840f344826897fa71049870e

Database specific

source: "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23348.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 5.14.0
  Fixed: 6.18.17

Type: ECOSYSTEM
Events:
  Introduced: 6.19.0
  Fixed: 6.19.7

Database specific

source: "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23348.json"