cve/published/2024/CVE-2024-42302.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-42302: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal

 Keith reports a use-after-free when a DPC event occurs concurrently to
 hot-removal of the same portion of the hierarchy:

 The dpc_handler() awaits readiness of the secondary bus below the
 Downstream Port where the DPC event occurred.  To do so, it polls the
 config space of the first child device on the secondary bus.  If that
 child device is concurrently removed, accesses to its struct pci_dev
 cause the kernel to oops.

 That's because pci_bridge_wait_for_secondary_bus() neglects to hold a
 reference on the child device.  Before v6.3, the function was only
 called on resume from system sleep or on runtime resume.  Holding a
 reference wasn't necessary back then because the pciehp IRQ thread
 could never run concurrently.  (On resume from system sleep, IRQs are
 not enabled until after the resume_noirq phase.  And runtime resume is
 always awaited before a PCI device is removed.)

 However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also
 called on a DPC event.  Commit 53b54ad074de ("PCI/DPC: Await readiness
 of secondary bus after reset"), which introduced that, failed to
 appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a
 reference on the child device because dpc_handler() and pciehp may
 indeed run concurrently.  The commit was backported to v5.10+ stable
 kernels, so that's the oldest one affected.

 Add the missing reference acquisition.

 Abridged stack trace:

   BUG: unable to handle page fault for address: 00000000091400c0
   CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0
   RIP: pci_bus_read_config_dword+0x17/0x50
   pci_dev_wait()
   pci_bridge_wait_for_secondary_bus()
   dpc_reset_link()
   pcie_do_recovery()
   dpc_handler()

 The Linux kernel CVE team has assigned CVE-2024-42302 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10.176 with commit d0292124bb5787a2f1ab1316509e801ca89c10fb and fixed in 5.10.224 with commit c52f9e1a9eb40f13993142c331a6cfd334d4b91d
 	Issue introduced in 5.15.104 with commit ffe2318405e605f1b3985ce188eff69e6d1d1baa and fixed in 5.15.165 with commit 2c111413f38ca5cf87557cab89f6d82b0e3433e7
 	Issue introduced in 6.1.16 with commit 189f856e76f5463f59efb5fc18dcc1692d04c41a and fixed in 6.1.103 with commit f63df70b439bb8331358a306541893bf415bf1da
 	Issue introduced in 6.3 with commit 53b54ad074de1896f8b021615f65b27f557ce874 and fixed in 6.6.44 with commit 2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f
 	Issue introduced in 6.3 with commit 53b54ad074de1896f8b021615f65b27f557ce874 and fixed in 6.10.3 with commit b16f3ea1db47a6766a9f1169244cf1fc287a7c62
 	Issue introduced in 6.3 with commit 53b54ad074de1896f8b021615f65b27f557ce874 and fixed in 6.11 with commit 11a1f4bc47362700fcbde717292158873fb847ed
 	Issue introduced in 6.2.3 with commit 0081032082b5b45ca902b3c3d6986cb5cca69ff2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-42302
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/pci/pci.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c52f9e1a9eb40f13993142c331a6cfd334d4b91d
 	https://git.kernel.org/stable/c/2c111413f38ca5cf87557cab89f6d82b0e3433e7
 	https://git.kernel.org/stable/c/f63df70b439bb8331358a306541893bf415bf1da
 	https://git.kernel.org/stable/c/2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f
 	https://git.kernel.org/stable/c/b16f3ea1db47a6766a9f1169244cf1fc287a7c62
 	https://git.kernel.org/stable/c/11a1f4bc47362700fcbde717292158873fb847ed
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-42302: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal

	Keith reports a use-after-free when a DPC event occurs concurrently to
	hot-removal of the same portion of the hierarchy:

	The dpc_handler() awaits readiness of the secondary bus below the
	Downstream Port where the DPC event occurred. To do so, it polls the
	config space of the first child device on the secondary bus. If that
	child device is concurrently removed, accesses to its struct pci_dev
	cause the kernel to oops.

	That's because pci_bridge_wait_for_secondary_bus() neglects to hold a
	reference on the child device. Before v6.3, the function was only
	called on resume from system sleep or on runtime resume. Holding a
	reference wasn't necessary back then because the pciehp IRQ thread
	could never run concurrently. (On resume from system sleep, IRQs are
	not enabled until after the resume_noirq phase. And runtime resume is
	always awaited before a PCI device is removed.)

	However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also
	called on a DPC event. Commit 53b54ad074de ("PCI/DPC: Await readiness
	of secondary bus after reset"), which introduced that, failed to
	appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a
	reference on the child device because dpc_handler() and pciehp may
	indeed run concurrently. The commit was backported to v5.10+ stable
	kernels, so that's the oldest one affected.

	Add the missing reference acquisition.

	Abridged stack trace:

	BUG: unable to handle page fault for address: 00000000091400c0
	CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0
	RIP: pci_bus_read_config_dword+0x17/0x50
	pci_dev_wait()
	pci_bridge_wait_for_secondary_bus()
	dpc_reset_link()
	pcie_do_recovery()
	dpc_handler()

	The Linux kernel CVE team has assigned CVE-2024-42302 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10.176 with commit d0292124bb5787a2f1ab1316509e801ca89c10fb and fixed in 5.10.224 with commit c52f9e1a9eb40f13993142c331a6cfd334d4b91d
	Issue introduced in 5.15.104 with commit ffe2318405e605f1b3985ce188eff69e6d1d1baa and fixed in 5.15.165 with commit 2c111413f38ca5cf87557cab89f6d82b0e3433e7
	Issue introduced in 6.1.16 with commit 189f856e76f5463f59efb5fc18dcc1692d04c41a and fixed in 6.1.103 with commit f63df70b439bb8331358a306541893bf415bf1da
	Issue introduced in 6.3 with commit 53b54ad074de1896f8b021615f65b27f557ce874 and fixed in 6.6.44 with commit 2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f
	Issue introduced in 6.3 with commit 53b54ad074de1896f8b021615f65b27f557ce874 and fixed in 6.10.3 with commit b16f3ea1db47a6766a9f1169244cf1fc287a7c62
	Issue introduced in 6.3 with commit 53b54ad074de1896f8b021615f65b27f557ce874 and fixed in 6.11 with commit 11a1f4bc47362700fcbde717292158873fb847ed
	Issue introduced in 6.2.3 with commit 0081032082b5b45ca902b3c3d6986cb5cca69ff2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-42302
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/pci/pci.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c52f9e1a9eb40f13993142c331a6cfd334d4b91d
	https://git.kernel.org/stable/c/2c111413f38ca5cf87557cab89f6d82b0e3433e7
	https://git.kernel.org/stable/c/f63df70b439bb8331358a306541893bf415bf1da
	https://git.kernel.org/stable/c/2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f
	https://git.kernel.org/stable/c/b16f3ea1db47a6766a9f1169244cf1fc287a7c62
	https://git.kernel.org/stable/c/11a1f4bc47362700fcbde717292158873fb847ed