CVE-2024-50226 in Linux

Summary

by MITRE • 11/09/2024

In the Linux kernel, the following vulnerability has been resolved:

cxl/port: Fix use-after-free, permit out-of-order decoder shutdown

In support of investigating an initialization failure report [1],
cxl_test was updated to register mock memory-devices after the mock root-port/bus device had been registered. That led to cxl_test crashing with a use-after-free bug with the following signature:

  cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem0:decoder7.0 @ 0 next: cxl_switch_uport.0 nr_eps: 1 nr_targets: 1
  cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem4:decoder14.0 @ 1 next: cxl_switch_uport.0 nr_eps: 2 nr_targets: 1
  cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[0] = cxl_switch_dport.0 for mem0:decoder7.0 @ 0
1) cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[1] = cxl_switch_dport.4 for mem4:decoder14.0 @ 1
  [..]
  cxld_unregister: cxl decoder14.0:
  cxl_region_decode_reset: cxl_region region3:
  mock_decoder_reset: cxl_port port3: decoder3.0 reset
2) mock_decoder_reset: cxl_port port3: decoder3.0: out of order reset, expected decoder3.1
  cxl_endpoint_decoder_release: cxl decoder14.0:
  [..]
  cxld_unregister: cxl decoder7.0:
3) cxl_region_decode_reset: cxl_region region3:
  Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bc3: 0000 [#1] PREEMPT SMP PTI
  [..]
  RIP: 0010:to_cxl_port+0x8/0x60 [cxl_core]
  [..]
  Call Trace:
   cxl_region_decode_reset+0x69/0x190 [cxl_core]
   cxl_region_detach+0xe8/0x210 [cxl_core]
   cxl_decoder_kill_region+0x27/0x40 [cxl_core]
   cxld_unregister+0x5d/0x60 [cxl_core]

At 1) a region has been established with 2 endpoint decoders (7.0 and 14.0). Those endpoints share a common switch-decoder in the topology (3.0). At teardown, 2), decoder14.0 is the first to be removed and hits the "out of order reset case" in the switch decoder. The effect though is that region3 cleanup is aborted leaving it intact and referencing decoder14.0. At 3) the second attempt to teardown region3 trips over the stale decoder14.0 object which has long since been deleted.

The fix here is to recognize that the CXL specification places no mandate on in-order shutdown of switch-decoders, the driver enforces in-order allocation, and hardware enforces in-order commit. So, rather than fail and leave objects dangling, always remove them.

In support of making cxl_region_decode_reset() always succeed, cxl_region_invalidate_memregion() failures are turned into warnings. Crashing the kernel is ok there since system integrity is at risk if caches cannot be managed around physical address mutation events like CXL region destruction.

A new device_for_each_child_reverse_from() is added to cleanup port->commit_end after all dependent decoders have been disabled. In other words if decoders are allocated 0->1->2 and disabled 1->2->0 then port->commit_end only decrements from 2 after 2 has been disabled, and it decrements all the way to zero since 1 was disabled previously.


Analysis

by VulDB Data Team • 07/16/2025

The vulnerability identified as CVE-2024-50226 resides within the Linux kernel's CXL (Compute Express Link) subsystem, specifically affecting the cxl/port component responsible for managing memory regions and decoders in CXL host bridges and switches. This issue manifests as a use-after-free condition that occurs during the shutdown sequence of CXL memory decoders, leading to potential system crashes and instability. The vulnerability was discovered during investigation of an initialization failure in the cxl_test utility, which revealed a problematic interaction between mock device registration order and the subsequent teardown process.

The technical flaw stems from how the CXL subsystem handled an out-of-order decoder reset during region teardown. When the first endpoint decoder of a region is removed and the switch decoder shared by that region's endpoints is reset in a different order from the one in which it was committed, the reset reports an error and the region teardown is aborted, leaving the region intact and still referencing the endpoint decoder that is released immediately afterwards. The crash occurs in cxl_region_decode_reset on the second teardown attempt, when it dereferences decoder14.0, which has already been deallocated, and takes a general protection fault. This behavior is particularly dangerous because the driver did not account for out-of-order shutdown scenarios that are permitted by the CXL specification, where hardware enforces in-order commit but not in-order shutdown. The sequence is visible in the log above: cxl_port_setup_targets establishes the shared target at 1), and mock_decoder_reset (the cxl_test stand-in for the decoder reset) reports the out-of-order reset at 2) that causes the cleanup to be abandoned without tracking the decoder's state.

The operational impact of this vulnerability is significant for systems utilizing CXL memory subsystems, particularly in high-performance computing and data center environments where memory consistency and system stability are critical. The use-after-free condition can lead to kernel panics, system crashes, and potential data corruption during memory region teardown operations. This vulnerability affects any system running a Linux kernel with CXL support, especially those using mock testing infrastructure like cxl_test that exercises the memory region allocation and deallocation paths. The vulnerability is particularly concerning because it occurs during cleanup operations that should be safe and predictable, making it difficult to detect and prevent in production environments.

The fix addresses the core issue by relaxing the strict ordering requirement for decoder shutdown and ensuring that objects are always removed regardless of the shutdown sequence. The solution recognizes that while the driver enforces in-order allocation and the hardware enforces in-order commit, the CXL specification places no mandate on in-order shutdown, so the driver no longer has to fail a reset that arrives out of order. The implementation makes cxl_region_decode_reset always succeed by converting failures in cxl_region_invalidate_memregion into warnings rather than system crashes, since system integrity is already at risk when caches cannot be managed around physical address mutations. Additionally, a new device_for_each_child_reverse_from() function was introduced to manage the port->commit_end cleanup, ensuring that commit_end only decrements once the highest committed decoder has been disabled and then continues down past every decoder that was already disabled out of order, thereby preventing the stale reference that caused the original crash.
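To make the commit_end bookkeeping described in the summary and in the paragraph above concrete, here is an added user-space C model. It is not the kernel's cxl_core code; every name in it (port_model, region_model, decoder_reset, replay_teardown) is hypothetical, and the topology is simplified to one port whose three decoders are each referenced by one region. It replays the "allocate 0->1->2, disable 1->2->0" sequence with both the old strict reset, which refuses an out-of-order reset and so aborts the region teardown with the reference left dangling, and the fixed permissive reset, which always disables the decoder and reaps commit_end downward past decoders that were already disabled.

```c
#include <stdbool.h>
#include <stdio.h>

#define NR_DECODERS 3

/* One port's decoders and its commit_end bookkeeping (hypothetical model). */
struct port_model {
	int commit_end;            /* id of the highest committed decoder, -1 when none */
	bool enabled[NR_DECODERS]; /* per-decoder committed/enabled flag */
};

/* A region referencing one decoder on the port (simplification of a
 * region's target list; hypothetical). */
struct region_model {
	int target;    /* decoder id the region programmed */
	bool attached; /* true while the region still references the decoder */
};

/* Commit decoders strictly in order: the driver enforces in-order
 * allocation and hardware enforces in-order commit. Returns -1 if out of order. */
static int port_commit(struct port_model *p, int id)
{
	if (id < 0 || id >= NR_DECODERS || id != p->commit_end + 1)
		return -1;
	p->enabled[id] = true;
	p->commit_end = id;
	return 0;
}

/* Disable a decoder.
 *   strict (old behaviour): refuse with -1 unless the decoder is the current
 *     commit_end, i.e. "out of order reset, expected decoder<commit_end>".
 *   permissive (fixed behaviour): always disable; then, while the decoder at
 *     commit_end is already disabled, retire it and move commit_end down, the
 *     way the reverse child walk in the fix reaps out-of-order releases. */
static int decoder_reset(struct port_model *p, int id, bool permissive)
{
	if (id < 0 || id >= NR_DECODERS)
		return -1;
	if (!permissive && id != p->commit_end)
		return -1;
	p->enabled[id] = false;
	while (p->commit_end >= 0 && !p->enabled[p->commit_end])
		p->commit_end--;
	return 0;
}

/* Tear down a region. With the old behaviour a refused reset aborts the
 * teardown and the region keeps its decoder reference; that reference goes
 * stale once the decoder object is released, which is the use-after-free. */
static int region_detach(struct region_model *r, struct port_model *p, bool permissive)
{
	if (decoder_reset(p, r->target, permissive))
		return -1;
	r->attached = false;
	return 0;
}

/* Replay the sequence from the commit message: allocate 0->1->2, then tear
 * down regions so the decoders are disabled 1->2->0. trace[i] receives
 * commit_end after step i. Returns how many regions still hold a reference
 * to a decoder after the teardown (0 means nothing is left dangling). */
int replay_teardown(bool permissive, int trace[3])
{
	struct port_model port = { .commit_end = -1 };
	struct region_model regions[3] = {
		{ .target = 1, .attached = true },
		{ .target = 2, .attached = true },
		{ .target = 0, .attached = true },
	};
	int stale = 0;

	for (int id = 0; id < NR_DECODERS; id++)
		port_commit(&port, id);

	for (int i = 0; i < 3; i++) {
		region_detach(&regions[i], &port, permissive);
		trace[i] = port.commit_end;
	}
	for (int i = 0; i < 3; i++)
		stale += regions[i].attached;
	return stale;
}

int main(void)
{
	int t[3];
	int stale = replay_teardown(false, t);
	printf("strict:     commit_end after each step %d %d %d, stale regions %d\n",
	       t[0], t[1], t[2], stale);
	stale = replay_teardown(true, t);
	printf("permissive: commit_end after each step %d %d %d, stale regions %d\n",
	       t[0], t[1], t[2], stale);
	return 0;
}
```

In the permissive run commit_end stays at 2 after decoder 1 is disabled, drops straight to 0 once decoder 2 is disabled (decoder 1 was already gone), and reaches -1 after decoder 0; no region keeps a reference. In the strict run two of the three resets are refused, commit_end is stuck at 1, and those two regions still reference decoders that the real driver would go on to free.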

This vulnerability aligns with CWE-416 (Use After Free) and CWE-399 (Resource Management Errors) categories, representing a classic memory safety issue in kernel space where freed objects are accessed after deallocation. From an ATT&CK perspective, this vulnerability could be leveraged in privilege escalation scenarios if exploited by malicious actors, though the specific attack surface is limited to systems with CXL memory subsystems. The fix demonstrates proper resource management practices by ensuring that cleanup operations are robust against out-of-order execution patterns and maintain proper object lifetime tracking throughout the memory subsystem lifecycle. The mitigation approach follows security best practices by avoiding kernel crashes during cleanup operations while ensuring that system resources are properly managed and released.

Responsible: Linux

Reservation: 10/21/2024

Disclosure: 11/09/2024

Moderation: accepted

CPE: ready

EPSS: 0.00237

KEV: no

Activities: very low
