CVE-2024-26605

PCI/ASPM: Fix deadlock when enabling ASPM

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

PCI/ASPM: Fix deadlock when enabling ASPM

A last minute revert in 6.7-final introduced a potential deadlock when
enabling ASPM during probe of Qualcomm PCIe controllers as reported by
lockdep:

============================================
WARNING: possible recursive locking detected
6.7.0 #40 Not tainted
--------------------------------------------
kworker/u16:5/90 is trying to acquire lock:
ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc

but task is already holding lock:
ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(pci_bus_sem);
lock(pci_bus_sem);

*** DEADLOCK ***

Call trace:
print_deadlock_bug+0x25c/0x348
__lock_acquire+0x10a4/0x2064
lock_acquire+0x1e8/0x318
down_read+0x60/0x184
pcie_aspm_pm_state_change+0x58/0xdc
pci_set_full_power_state+0xa8/0x114
pci_set_power_state+0xc4/0x120
qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]
pci_walk_bus+0x64/0xbc
qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]

The deadlock can easily be reproduced on machines like the Lenovo ThinkPad
X13s by adding a delay to increase the race window during asynchronous
probe where another thread can take a write lock.

Add a new pci_set_power_state_locked() and associated helper functions that
can be called with the PCI bus semaphore held to avoid taking the read lock
twice.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: PCI/ASPM: solucionó el punto muerto al habilitar ASPM. Una reversión de último minuto en 6.7-final introdujo un posible punto muerto al habilitar ASPM durante la prueba de los controladores PCIe de Qualcomm, según lo informado por lockdep: === ========================================= ADVERTENCIA: posible bloqueo recursivo detectado 6.7.0 #40 No contaminado -------------------------------------------- kworker/ u16:5/90 está intentando adquirir el bloqueo: ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, en: pcie_aspm_pm_state_change+0x58/0xdc pero la tarea ya mantiene el bloqueo: ffffacfa78ced000 (pci_bus_sem){+++ +}-{3:3}, en: pci_walk_bus+0x34/0xbc otra información que podría ayudarnos a depurar esto: Posible escenario de bloqueo inseguro: CPU0 ---- lock(pci_bus_sem); bloquear(pci_bus_sem); *** DEADLOCK *** Rastreo de llamadas: print_deadlock_bug+0x25c/0x348 __lock_acquire+0x10a4/0x2064 lock_acquire+0x1e8/0x318 down_read+0x60/0x184 pcie_aspm_pm_state_change+0x58/0xdc pci_set_full_power_state+0xa8/0x114 pci_ set_power_state+0xc4/0x120 qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom] pci_walk_bus+0x64/0xbc qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom] El punto muerto se puede reproducir fácilmente en máquinas como la Lenovo ThinkPad X13s agregando un retraso para aumentar la ventana de carrera durante la prueba asíncrona donde otro hilo puede tomar un bloqueo de escritura. Agregue un nuevo pci_set_power_state_locked() y funciones auxiliares asociadas que se pueden llamar con el semáforo del bus PCI retenido para evitar tomar el bloqueo de lectura dos veces.

*Credits: N/A

CVSS Scores

NISTv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-02-24 CVE Published
2024-04-29 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-667: Improper Locking

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/b9c370b61d735a0e5390c42771e7eb21413f7868	Vuln. Introduced
https://git.kernel.org/stable/c/8cc22ba3f77c59df5f1ac47d62df51efb28cd868	Vuln. Introduced
https://git.kernel.org/stable/c/f93e71aea6c60ebff8adbd8941e678302d377869	Vuln. Introduced
https://git.kernel.org/stable/c/1f2f662c8bec75d1311e063efaa9107435cf16c8	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/0f7908a016c092cfdaa16d785fa5099d867bc1a3	2024-04-27
https://git.kernel.org/stable/c/b0f4478838be1f1d330061201898fef65bf8fd7c	2024-04-27
https://git.kernel.org/stable/c/ef90508574d7af48420bdc5f7b9a4f1cdd26bc70	2024-02-16
https://git.kernel.org/stable/c/1e560864159d002b453da42bd2c13a1805515a20	2024-01-31

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.72 < 6.1.88 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.72 < 6.1.88"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.11 < 6.6.29 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.11 < 6.6.29"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7 < 6.7.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.7.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.15.147 Search vendor "Linux" for product "Linux Kernel" and version "5.15.147"		en		Affected