{"id":"CVE-2026-23348","summary":"cxl: Fix race of nvdimm_bus object when creating nvdimm objects","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ncxl: Fix race of nvdimm_bus object when creating nvdimm objects\n\nFound issue during running of cxl-translate.sh unit test. Adding a 3s\nsleep right before the test seems to make the issue reproduce fairly\nconsistently. The cxl_translate module has dependency on cxl_acpi and\ncauses orphaned nvdimm objects to reprobe after cxl_acpi is removed.\nThe nvdimm_bus object is registered by the cxl_nvb object when\ncxl_acpi_probe() is called. With the nvdimm_bus object missing,\n__nd_device_register() will trigger NULL pointer dereference when\naccessing the dev-\u003eparent that points to &nvdimm_bus-\u003edev.\n\n[  192.884510] BUG: kernel NULL pointer dereference, address: 000000000000006c\n[  192.895383] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025\n[  192.897721] Workqueue: cxl_port cxl_bus_rescan_queue [cxl_core]\n[  192.899459] RIP: 0010:kobject_get+0xc/0x90\n[  192.924871] Call Trace:\n[  192.925959]  \u003cTASK\u003e\n[  192.926976]  ? pm_runtime_init+0xb9/0xe0\n[  192.929712]  __nd_device_register.part.0+0x4d/0xc0 [libnvdimm]\n[  192.933314]  __nvdimm_create+0x206/0x290 [libnvdimm]\n[  192.936662]  cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem]\n[  192.940245]  cxl_bus_probe+0x1a/0x60 [cxl_core]\n[  192.943349]  really_probe+0xde/0x380\n\nThis patch also relies on the previous change where\ndevm_cxl_add_nvdimm_bridge() is called from drivers/cxl/pmem.c instead\nof drivers/cxl/core.c to ensure the dependency of cxl_acpi on cxl_pmem.\n\n1. Set probe_type of cxl_nvb to PROBE_FORCE_SYNCHRONOUS to ensure the\n   driver is probed synchronously when add_device() is called.\n2. Add a check in __devm_cxl_add_nvdimm_bridge() to ensure that the\n   cxl_nvb driver is attached during cxl_acpi_probe().\n3. Take the cxl_root uport_dev lock and the cxl_nvb-\u003edev lock in\n   devm_cxl_add_nvdimm() before checking nvdimm_bus is valid.\n4. Set cxl_nvdimm flag to CXL_NVD_F_INVALIDATED so cxl_nvdimm_probe()\n   will exit with -EBUSY.\n\nThe removal of cxl_nvdimm devices should prevent any orphaned devices\nfrom probing once the nvdimm_bus is gone.\n\n[ dj: Fixed 0-day reported kdoc issue. ]\n[ dj: Fix cxl_nvb reference leak on error. Gregory (kreview-0811365) ]","modified":"2026-04-02T13:12:22.477134Z","published":"2026-03-25T10:27:34.462Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23348.json"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5b230daeee420833287cc77314439903e5312f10"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5fc4e150c5ada5f7d20d8f9f1b351f10481fbdf7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/96a1fd0d84b17360840f344826897fa71049870e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23348.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23348"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8fdcb1704f61a8fd9be0f3849a174d084def0666"},{"fixed":"5fc4e150c5ada5f7d20d8f9f1b351f10481fbdf7"},{"fixed":"5b230daeee420833287cc77314439903e5312f10"},{"fixed":"96a1fd0d84b17360840f344826897fa71049870e"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23348.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.14.0"},{"fixed":"6.18.17"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23348.json"}}],"schema_version":"1.7.5"}