CVE-2023-54117
Description
In the Linux kernel, the following vulnerability has been resolved:
s390/dcssblk: fix kernel crash with list_add corruption
Commit fb08a1908cb1 ("dax: simplify the dax_device <-> gendisk association") introduced new logic for gendisk association, requiring drivers to explicitly call dax_add_host() and dax_remove_host().
For dcssblk driver, some dax_remove_host() calls were missing, e.g. in device remove path. The commit also broke error handling for out_dax case in device add path, resulting in an extra put_device() w/o the previous get_device() in that case.
This led to stale xarray entries after device add / remove cycles. In the case when a previously used struct gendisk pointer (xarray index) would be used again, because blk_alloc_disk() happened to return such a pointer, the xa_insert() in dax_add_host() would fail and go to out_dax, doing the extra put_device() in the error path. In combination with an already flawed error handling in dcssblk (device_register() cleanup), which needs to be addressed in a separate patch, this resulted in a missing device_del() / klist_del(), and eventually in the kernel crash with list_add corruption on a subsequent device_add() / klist_add().
Fix this by adding the missing dax_remove_host() calls, and also move the put_device() in the error path to restore the previous logic.
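The following userspace model is an added illustration of the sequence described above, not code from the dcssblk driver or the fix commit. The names host_insert, model_add, model_remove and refs_after_reuse are hypothetical, the array stands in for the xarray, and an int stands in for the device reference count.

```c
#include <stdio.h>
#define SLOTS 4
static const void *hosts[SLOTS];    /* toy xarray, keyed by gendisk pointer */

/* Like xa_insert(): refuses a key that is already present. */
static int host_insert(const void *disk)
{
    for (int i = 0; i < SLOTS; i++)
        if (hosts[i] == disk) return -1;    /* live or stale entry */
    for (int i = 0; i < SLOTS; i++)
        if (!hosts[i]) { hosts[i] = disk; return 0; }
    return -1;
}

/* Add path model; *refs is the device reference count. */
static int model_add(const void *disk, int *refs, int fixed)
{
    if (host_insert(disk)) {
        if (!fixed) (*refs)--;      /* out_dax: put with no earlier get */
        return -1;
    }
    (*refs)++;                      /* reference taken after the insert */
    return 0;
}

/* Remove path model; the fix adds the missing host removal. */
static void model_remove(const void *disk, int *refs, int fixed)
{
    for (int i = 0; fixed && i < SLOTS; i++)
        if (hosts[i] == disk) hosts[i] = NULL;
    (*refs)--;
}

/* One add/remove cycle, then a second device gets the same pointer back. */
static int refs_after_reuse(int fixed)
{
    static char gendisk;            /* constructed: the reused address */
    int first = 1, second = 1;      /* each device starts with one reference */
    for (int i = 0; i < SLOTS; i++) hosts[i] = NULL;
    model_add(&gendisk, &first, fixed);
    model_remove(&gendisk, &first, fixed);
    model_add(&gendisk, &second, fixed);
    return second;
}

int main(void)
{
    printf("before fix: %d, after fix: %d\n", refs_after_reuse(0), refs_after_reuse(1));
}
```

In the unfixed model the second device ends with its only reference dropped by the error path, which is the imbalance the description ties to the later list_add corruption.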
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing dax_remove_host() calls in the s390 dcssblk driver cause a kernel crash due to list_add corruption during device add/remove cycles.
Vulnerability
In the Linux kernel's s390 dcssblk driver, a kernel crash occurs due to list_add corruption. The root cause is missing dax_remove_host() calls in the device remove path and flawed error handling in the device add path, introduced by commit fb08a1908cb1 that changed the dax device-gendisk association logic [1][2]. This leads to stale xarray entries when devices are repeatedly added and removed.
Exploitation
An attacker with the ability to add and remove dcssblk devices (requiring local access and sufficient privileges) can trigger the vulnerability. By cycling device add/remove operations, the driver eventually reuses a previously freed gendisk pointer, causing xa_insert() in dax_add_host() to fail and triggering the flawed error path. This results in a missing device_del() or klist_del(), leading to list corruption on the next device_add().
Impact
Successful exploitation causes a kernel panic due to list_add corruption, resulting in a denial of service (system crash). No privilege escalation or data corruption is indicated.
Mitigation
The fix involves adding the missing dax_remove_host() calls and correcting the error path to avoid an extra put_device(). Patches are available in the kernel stable tree [1][2]. Users should apply the updates to their kernels.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 4
6489ec010786, b7ad75c77349, b5c531a9a7d8, c8f40a0bccef
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.