CVE-2023-53123
Linux Kernel vulnerability analysis and mitigation

Overview

A use-after-free vulnerability (CVE-2023-53123) has been identified in the Linux kernel's PCI subsystem on the s390 architecture, in the PCI resource handling for per-function hotplug. The issue occurs when PCI functions are individually hotplugged, particularly with multi-function devices and SR-IOV virtual functions (NVD).

Technical details

The vulnerability stems from a flaw introduced in commit a50297cf8235 ("s390/pci: separate zbus creation from scanning"): the resource lists of both struct pci_bus and struct zpci_bus keep references to a PCI function's MMIO resources even after those resources are released during hot-unplug. When the PCI function is re-added, these stale resources may be claimed again, resulting in a use-after-free condition (NVD).

Impact

The vulnerability can lead to system instability and potential security risks due to the use-after-free condition in the kernel's PCI resource management system. This particularly affects systems using SR-IOV devices where virtual functions are frequently removed and re-added (NVD).

Mitigation and workarounds

The fix removes the resources of an individually hot-unplugged PCI function from the PCI bus's resource list while keeping other PCI functions' resources intact. This is implemented by introducing the pci_bus_remove_resource() function. The fix also eliminates the need to add MMIO resources to the struct zpci_bus's resource list, and uses the zpci_bar_struct's resource pointer directly instead (NVD).
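The lifetime rule behind this fix, shown as an added user-space model (not the kernel's code and not part of the original report): a bus-wide list holds pointers to per-function resources, and unplugging one function must unlink its entry before the resource is freed. All struct and function names below are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* User-space model only; every name here is hypothetical, not kernel code. */
struct mmio_res { unsigned long start, end; };   /* one function's MMIO window */
struct bus_entry { struct mmio_res *res; struct bus_entry *next; };
struct model_bus { struct bus_entry *resources; };   /* bus-wide resource list */

/* Hotplug: allocate the function's resource and link it on the bus list. */
struct mmio_res *model_add_function(struct model_bus *bus,
                                    unsigned long start, unsigned long end)
{
    struct mmio_res *res = malloc(sizeof(*res));
    struct bus_entry *e = malloc(sizeof(*e));
    if (!res || !e) { free(res); free(e); return NULL; }
    res->start = start; res->end = end;
    e->res = res; e->next = bus->resources; bus->resources = e;
    return res;
}

/* Unlink exactly one resource; other functions' entries stay untouched. */
bool model_bus_remove_resource(struct model_bus *bus, struct mmio_res *res)
{
    for (struct bus_entry **pp = &bus->resources; *pp; pp = &(*pp)->next) {
        if ((*pp)->res != res) continue;
        struct bus_entry *dead = *pp;
        *pp = dead->next;
        free(dead);
        return true;
    }
    return false;
}

/* Hot-unplug in the fixed order: drop the bus reference, then free. Skipping
 * the unlink is the bug pattern: the list keeps a pointer to freed memory. */
void model_remove_function(struct model_bus *bus, struct mmio_res *res)
{
    model_bus_remove_resource(bus, res);
    free(res);
}

/* Count entries, optionally only those pointing at 'match' (NULL = all). */
size_t model_bus_count(const struct model_bus *bus, const struct mmio_res *match)
{
    size_t n = 0;
    for (const struct bus_entry *e = bus->resources; e; e = e->next)
        n += (!match || e->res == match);
    return n;
}
```

After one of two functions is removed, the list should hold exactly one entry, and that entry should belong to the function that is still present.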

This report was generated using AI.

Related Linux Kernel vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-71142 | N/A | N/A | Linux Kernel | kernel-64k-debug-devel-matched | No | No | Jan 14, 2026 |
| CVE-2025-71137 | N/A | N/A | Linux Kernel | linux-gcp | No | Yes | Jan 14, 2026 |
| CVE-2025-71135 | N/A | N/A | Linux Kernel | kernel-debug-core | No | No | Jan 14, 2026 |
| CVE-2025-71134 | N/A | N/A | Linux Kernel | kernel-uki-virt | No | No | Jan 14, 2026 |
| CVE-2025-71133 | N/A | N/A | Linux Kernel | kernel-modules-extra | No | Yes | Jan 14, 2026 |