CVE-2025-37843

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 09/05/2025
Last modified: 17/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

PCI: pciehp: Avoid unnecessary device replacement check

Hot-removal of nested PCI hotplug ports suffers from a long-standing race condition which can lead to a deadlock: A parent hotplug port acquires pci_lock_rescan_remove(), then waits for pciehp to unbind from a child hotplug port. Meanwhile that child hotplug port tries to acquire pci_lock_rescan_remove() as well in order to remove its own children.

The deadlock only occurs if the parent acquires pci_lock_rescan_remove() first, not if the child happens to acquire it first.

Several workarounds to avoid the issue have been proposed and discarded over the years, e.g.:

https://lore.kernel.org/r/4c882e25194ba8282b78fe963fec8faae7cf23eb.1529173804.git.lukas@wunner.de/

A proper fix is being worked on, but needs more time as it is nontrivial and necessarily intrusive.

Recent commit 9d573d19547b ("PCI: pciehp: Detect device replacement during system sleep") provokes more frequent occurrence of the deadlock when removing more than one Thunderbolt device during system sleep. The commit sought to detect device replacement, but also triggered on device removal. Differentiating reliably between replacement and removal is impossible because pci_get_dsn() returns 0 both if the device was removed, as well as if it was replaced with one lacking a Device Serial Number.

Avoid the more frequent occurrence of the deadlock by checking whether the hotplug port itself was hot-removed. If so, there's no sense in checking whether its child device was replaced.

This works because the ->resume_noirq() callback is invoked in top-down order for the entire hierarchy: A parent hotplug port detecting device replacement (or removal) marks all children as removed using pci_dev_set_disconnected() and a child hotplug port can then reliably detect being removed.

Vulnerable products and versions

CPE                                            From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.11 (including)  6.12.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.13 (including)  6.13.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.14 (including)  6.14.3 (excluding)
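A triage check against the ranges in the table above, as an added example that is not part of the original advisory: it parses `uname -r` style release strings and reports whether the upstream version falls in an affected range. The function names and the sample inventory are assumptions made for illustration, and because distribution kernels often backport fixes without changing the upstream version number, a match is a prompt to check the vendor changelog rather than proof of exposure.

```python
import platform
import re

# Affected upstream ranges from the advisory table:
# (from, inclusive) and (up to, exclusive), as (major, minor, patch).
AFFECTED_RANGES = [
    ((6, 11, 0), (6, 12, 24)),
    ((6, 13, 0), (6, 13, 12)),
    ((6, 14, 0), (6, 14, 3)),
]


def parse_release(release):
    """Turn a release string such as '6.12.23-1-amd64' into (6, 12, 23).

    A missing patch level ('6.14') is treated as 0. Distribution suffixes
    after the numeric part are ignored.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def in_affected_range(release):
    """True if the upstream version lies in any affected range."""
    version = parse_release(release)
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def hosts_to_review(inventory):
    """Given {hostname: release}, return the sorted hosts needing review."""
    return sorted(h for h, rel in inventory.items() if in_affected_range(rel))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and releases are made up.
    sample = {
        "laptop-01": "6.12.23-1-amd64",
        "laptop-02": "6.12.24-1-amd64",
        "dock-lab": "6.14.2-arch1-1",
        "build-07": "6.10.14-generic",
    }
    print("review:", hosts_to_review(sample))
    try:
        local = platform.release()
        print(local, "->", "in range" if in_affected_range(local) else "not in range")
    except ValueError as exc:
        print(exc)
```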