cve/published/2025/CVE-2025-37843.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37843: PCI: pciehp: Avoid unnecessary device replacement check

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 PCI: pciehp: Avoid unnecessary device replacement check

 Hot-removal of nested PCI hotplug ports suffers from a long-standing race
 condition which can lead to a deadlock:  A parent hotplug port acquires
 pci_lock_rescan_remove(), then waits for pciehp to unbind from a child
 hotplug port.  Meanwhile that child hotplug port tries to acquire
 pci_lock_rescan_remove() as well in order to remove its own children.

 The deadlock only occurs if the parent acquires pci_lock_rescan_remove()
 first, not if the child happens to acquire it first.

 Several workarounds to avoid the issue have been proposed and discarded
 over the years, e.g.:

 https://lore.kernel.org/r/4c882e25194ba8282b78fe963fec8faae7cf23eb.1529173804.git.lukas@wunner.de/

 A proper fix is being worked on, but needs more time as it is nontrivial
 and necessarily intrusive.

 Recent commit 9d573d19547b ("PCI: pciehp: Detect device replacement during
 system sleep") provokes more frequent occurrence of the deadlock when
 removing more than one Thunderbolt device during system sleep.  The commit
 sought to detect device replacement, but also triggered on device removal.
 Differentiating reliably between replacement and removal is impossible
 because pci_get_dsn() returns 0 both if the device was removed, as well as
 if it was replaced with one lacking a Device Serial Number.

 Avoid the more frequent occurrence of the deadlock by checking whether the
 hotplug port itself was hot-removed.  If so, there's no sense in checking
 whether its child device was replaced.

 This works because the ->resume_noirq() callback is invoked in top-down
 order for the entire hierarchy:  A parent hotplug port detecting device
 replacement (or removal) marks all children as removed using
 pci_dev_set_disconnected() and a child hotplug port can then reliably
 detect being removed.

 The Linux kernel CVE team has assigned CVE-2025-37843 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.11 with commit 9d573d19547b3fae0c1d4e5fce52bdad3fda3664 and fixed in 6.12.24 with commit e4a1d7defbc2d806540720a5adebe24ec3488683
 	Issue introduced in 6.11 with commit 9d573d19547b3fae0c1d4e5fce52bdad3fda3664 and fixed in 6.13.12 with commit 0d0bbd01f7c0ac7d1be9f85aaf2cd0baec34655f
 	Issue introduced in 6.11 with commit 9d573d19547b3fae0c1d4e5fce52bdad3fda3664 and fixed in 6.14.3 with commit 7535d10a2c61baeff493300070cf04d9ddda216b
 	Issue introduced in 6.11 with commit 9d573d19547b3fae0c1d4e5fce52bdad3fda3664 and fixed in 6.15 with commit e3260237aaadc9799107ccb940c6688195c4518d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37843
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/pci/hotplug/pciehp_core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e4a1d7defbc2d806540720a5adebe24ec3488683
 	https://git.kernel.org/stable/c/0d0bbd01f7c0ac7d1be9f85aaf2cd0baec34655f
 	https://git.kernel.org/stable/c/7535d10a2c61baeff493300070cf04d9ddda216b
 	https://git.kernel.org/stable/c/e3260237aaadc9799107ccb940c6688195c4518d
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37843: PCI: pciehp: Avoid unnecessary device replacement check

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	PCI: pciehp: Avoid unnecessary device replacement check

	Hot-removal of nested PCI hotplug ports suffers from a long-standing race
	condition which can lead to a deadlock: A parent hotplug port acquires
	pci_lock_rescan_remove(), then waits for pciehp to unbind from a child
	hotplug port. Meanwhile that child hotplug port tries to acquire
	pci_lock_rescan_remove() as well in order to remove its own children.

	The deadlock only occurs if the parent acquires pci_lock_rescan_remove()
	first, not if the child happens to acquire it first.

	Several workarounds to avoid the issue have been proposed and discarded
	over the years, e.g.:

	https://lore.kernel.org/r/4c882e25194ba8282b78fe963fec8faae7cf23eb.1529173804.git.lukas@wunner.de/

	A proper fix is being worked on, but needs more time as it is nontrivial
	and necessarily intrusive.

	Recent commit 9d573d19547b ("PCI: pciehp: Detect device replacement during
	system sleep") provokes more frequent occurrence of the deadlock when
	removing more than one Thunderbolt device during system sleep. The commit
	sought to detect device replacement, but also triggered on device removal.
	Differentiating reliably between replacement and removal is impossible
	because pci_get_dsn() returns 0 both if the device was removed, as well as
	if it was replaced with one lacking a Device Serial Number.

	Avoid the more frequent occurrence of the deadlock by checking whether the
	hotplug port itself was hot-removed. If so, there's no sense in checking
	whether its child device was replaced.

	This works because the ->resume_noirq() callback is invoked in top-down
	order for the entire hierarchy: A parent hotplug port detecting device
	replacement (or removal) marks all children as removed using
	pci_dev_set_disconnected() and a child hotplug port can then reliably
	detect being removed.

	The Linux kernel CVE team has assigned CVE-2025-37843 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.11 with commit 9d573d19547b3fae0c1d4e5fce52bdad3fda3664 and fixed in 6.12.24 with commit e4a1d7defbc2d806540720a5adebe24ec3488683
	Issue introduced in 6.11 with commit 9d573d19547b3fae0c1d4e5fce52bdad3fda3664 and fixed in 6.13.12 with commit 0d0bbd01f7c0ac7d1be9f85aaf2cd0baec34655f
	Issue introduced in 6.11 with commit 9d573d19547b3fae0c1d4e5fce52bdad3fda3664 and fixed in 6.14.3 with commit 7535d10a2c61baeff493300070cf04d9ddda216b
	Issue introduced in 6.11 with commit 9d573d19547b3fae0c1d4e5fce52bdad3fda3664 and fixed in 6.15 with commit e3260237aaadc9799107ccb940c6688195c4518d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37843
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/pci/hotplug/pciehp_core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e4a1d7defbc2d806540720a5adebe24ec3488683
	https://git.kernel.org/stable/c/0d0bbd01f7c0ac7d1be9f85aaf2cd0baec34655f
	https://git.kernel.org/stable/c/7535d10a2c61baeff493300070cf04d9ddda216b
	https://git.kernel.org/stable/c/e3260237aaadc9799107ccb940c6688195c4518d