Linux Kernel CXL Port Use-After-Free Vulnerability in Detach Function

A use-after-free vulnerability has been identified in the Linux kernel's CXL (Compute Express Link) subsystem, specifically within the 'cxl_detach_ep()' function. This issue arises during the removal process of CXL memory devices under a switch port. The function locks both the port and its parent, removes the endpoint, and if the port is empty, marks it as dead and unregisters it. However, there are two scenarios where the parent port can be accessed after it has been freed, leading to memory corruption. The vulnerability can be reproduced by reloading the 'cxl_acpi' module in QEMU with CXL devices present.

Impact

Exploitation of this vulnerability causes silent memory corruption, which can be detected with lock debugging enabled, as it triggers warnings about unlocking a mutex that is not owned by the current task.

Reproduction

The vulnerability can be reproduced by loading CXL devices in QEMU and then reloading the 'cxl_acpi' module. This process triggers the 'cxl_detach_ep()' function, where the use-after-free vulnerability occurs.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.