CVE-2024-42302

Severity (CVSS v4.0): Pending analysis
Type: CWE-416 Use After Free
Publication date: 17/08/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal

Keith reports a use-after-free when a DPC event occurs concurrently to hot-removal of the same portion of the hierarchy:

The dpc_handler() awaits readiness of the secondary bus below the Downstream Port where the DPC event occurred. To do so, it polls the config space of the first child device on the secondary bus. If that child device is concurrently removed, accesses to its struct pci_dev cause the kernel to oops.

That's because pci_bridge_wait_for_secondary_bus() neglects to hold a reference on the child device. Before v6.3, the function was only called on resume from system sleep or on runtime resume. Holding a reference wasn't necessary back then because the pciehp IRQ thread could never run concurrently. (On resume from system sleep, IRQs are not enabled until after the resume_noirq phase. And runtime resume is always awaited before a PCI device is removed.)

However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also called on a DPC event. Commit 53b54ad074de ("PCI/DPC: Await readiness of secondary bus after reset"), which introduced that, failed to appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a reference on the child device because dpc_handler() and pciehp may indeed run concurrently. The commit was backported to v5.10+ stable kernels, so that's the oldest one affected.

Add the missing reference acquisition.

Abridged stack trace:

BUG: unable to handle page fault for address: 00000000091400c0
CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0
RIP: pci_bus_read_config_dword+0x17/0x50
pci_dev_wait()
pci_bridge_wait_for_secondary_bus()
dpc_reset_link()
pcie_do_recovery()
dpc_handler()
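The race described above comes down to a missing reference count on the child pci_dev while dpc_handler() polls its config space. The following userspace model is an added illustration, not the kernel's code or the actual fix: struct child_dev, child_get()/child_put(), read_vendor(), hot_remove() and wait_for_secondary_bus() are hypothetical stand-ins for struct pci_dev, pci_dev_get()/pci_dev_put(), pci_bus_read_config_dword(), pciehp removal and pci_bridge_wait_for_secondary_bus(). Removal is injected deterministically in the middle of the poll loop to stand in for the concurrent pciehp IRQ thread; a release is only flagged, never actually freed, so the "use after free" shows up as an error return instead of a crash.

```c
#include <stdio.h>

/* Stand-in for struct pci_dev: a kref-style counter plus the config word
 * that the readiness wait polls. (Hypothetical model, not kernel code.) */
struct child_dev {
    int refcount;        /* like the refcount embedded in pci_dev's kobject */
    int released;        /* set once the last reference has been dropped */
    unsigned int vendor; /* config-space word returned by read_vendor() */
};

/* Model of pci_dev_get(). */
static void child_get(struct child_dev *d) { d->refcount++; }

/* Model of pci_dev_put(): the last put releases the object. The kernel would
 * kfree() it; here it is only marked and poisoned so the model stays safe. */
static void child_put(struct child_dev *d)
{
    if (--d->refcount == 0) {
        d->released = 1;
        d->vendor = 0xffffffffu;
    }
}

/* Model of pci_bus_read_config_dword(): touching a released device is the
 * use-after-free (the kernel oopses); the model reports it as -1. */
static int read_vendor(struct child_dev *d, unsigned int *val)
{
    if (d->released)
        return -1;
    *val = d->vendor;
    return 0;
}

/* Model of pciehp hot-removal: the bus drops its own reference to the child. */
static void hot_remove(struct child_dev *d) { child_put(d); }

/* Poll the child's config space `polls` times. Hot-removal is injected just
 * before poll number `remove_at` to model the concurrently running pciehp
 * thread. hold_ref selects the buggy variant (0) or the fixed one (1). */
static int wait_for_secondary_bus(struct child_dev *d, int polls,
                                  int remove_at, int hold_ref)
{
    int rc = 0;
    unsigned int v;

    if (hold_ref)
        child_get(d); /* the reference acquisition the fix adds */
    for (int i = 0; i < polls; i++) {
        if (i == remove_at)
            hot_remove(d);
        if (read_vendor(d, &v) < 0) {
            rc = -1; /* read hit a released object: use-after-free */
            break;
        }
    }
    if (hold_ref)
        child_put(d); /* our reference was the last one, so release runs here */
    return rc;
}

/* One complete scenario on a constructed device (vendor 0x8086 is a sample
 * value): five polls, removal before the third. Returns the wait's result. */
int run_scenario(int hold_ref)
{
    struct child_dev dev = { .refcount = 1, .released = 0, .vendor = 0x8086 };
    return wait_for_secondary_bus(&dev, 5, 2, hold_ref);
}

/* Same scenario, reporting whether the device ended up released: with the
 * fix the object still goes away, just not while it is being polled. */
int device_released_after(int hold_ref)
{
    struct child_dev dev = { .refcount = 1, .released = 0, .vendor = 0x8086 };
    wait_for_secondary_bus(&dev, 5, 2, hold_ref);
    return dev.released;
}

int main(void)
{
    int rc_bug = run_scenario(0);
    int rc_fix = run_scenario(1);
    printf("without reference: rc=%d (released=%d)\n", rc_bug, device_released_after(0));
    printf("with reference:    rc=%d (released=%d)\n", rc_fix, device_released_after(1));
    return 0;
}
```

The two runs differ only in the child_get()/child_put() pair: without it the remover's put is the last one and the poll loop reads a released object; with it the waiter's own reference keeps the object alive through the loop, and the final put releases it cleanly. The same pairing is what "Add the missing reference acquisition" means for pci_bridge_wait_for_secondary_bus().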

Vulnerable products and versions

CPE                                            From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   (any)                 5.10.224 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.11 (including)      5.15.165 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.16 (including)      6.1.103 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.2 (including)       6.6.44 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7 (including)       6.10.3 (excluding)