// For flags

CVE-2024-35809

PCI/PM: Drain runtime-idle callbacks before driver removal

Severity Score

5.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

PCI/PM: Drain runtime-idle callbacks before driver removal

A race condition between the .runtime_idle() callback and the .remove()
callback in the rtsx_pcr PCI driver leads to a kernel crash due to an
unhandled page fault [1].

The problem is that rtsx_pci_runtime_idle() is not expected to be running
after pm_runtime_get_sync() has been called, but the latter doesn't really
guarantee that. It only guarantees that the suspend and resume callbacks
will not be running when it returns.

However, if a .runtime_idle() callback is already running when
pm_runtime_get_sync() is called, the latter will notice that the runtime PM
status of the device is RPM_ACTIVE and it will return right away without
waiting for the former to complete. In fact, it cannot wait for
.runtime_idle() to complete because it may be called from that callback (it
arguably does not make much sense to do that, but it is not strictly
prohibited).

Thus in general, whoever is providing a .runtime_idle() callback needs
to protect it from running in parallel with whatever code runs after
pm_runtime_get_sync(). [Note that .runtime_idle() will not start after
pm_runtime_get_sync() has returned, but it may continue running then if it
has started earlier.]

One way to address that race condition is to call pm_runtime_barrier()
after pm_runtime_get_sync() (not before it, because a nonzero value of the
runtime PM usage counter is necessary to prevent runtime PM callbacks from
being invoked) to wait for the .runtime_idle() callback to complete should
it be running at that point. A suitable place for doing that is in
pci_device_remove() which calls pm_runtime_get_sync() before removing the
driver, so it may as well call pm_runtime_barrier() subsequently, which
will prevent the race in question from occurring, not just in the rtsx_pcr
driver, but in any PCI drivers providing .runtime_idle() callbacks.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: PCI/PM: drena las devoluciones de llamada inactivas en tiempo de ejecución antes de eliminar el controlador. Una condición de ejecución entre la devolución de llamada .runtime_idle() y la devolución de llamada .remove() en el controlador PCI rtsx_pcr conduce a un crash de kernel debido a un error de página no controlado [1]. El problema es que no se espera que rtsx_pci_runtime_idle() se ejecute después de llamar a pm_runtime_get_sync(), pero esto último realmente no garantiza eso. Solo garantiza que las devoluciones de llamada de suspensión y reanudación no se ejecutarán cuando regrese. Sin embargo, si ya se está ejecutando una devolución de llamada .runtime_idle() cuando se llama a pm_runtime_get_sync(), este último notará que el estado de PM en tiempo de ejecución del dispositivo es RPM_ACTIVE y regresará de inmediato sin esperar a que se complete el primero. De hecho, no puede esperar a que se complete .runtime_idle() porque puede ser llamado desde esa devolución de llamada (podría decirse que no tiene mucho sentido hacerlo, pero no está estrictamente prohibido). Por lo tanto, en general, quien proporciona una devolución de llamada .runtime_idle() debe protegerla para que no se ejecute en paralelo con cualquier código que se ejecute después de pm_runtime_get_sync(). [Tenga en cuenta que .runtime_idle() no se iniciará después de que pm_runtime_get_sync() haya regresado, pero puede continuar ejecutándose si comenzó antes.] Una forma de abordar esa condición de ejecución es llamar a pm_runtime_barrier() después de pm_runtime_get_sync() (no antes porque es necesario un valor distinto de cero del contador de uso de PM en tiempo de ejecución para evitar que se invoquen devoluciones de llamada de PM en tiempo de ejecución) para esperar a que se complete la devolución de llamada .runtime_idle() en caso de que se esté ejecutando en ese punto. Un lugar adecuado para hacerlo es pci_device_remove() que llama a pm_runtime_get_sync() antes de eliminar el controlador, por lo que también puede llamar a pm_runtime_barrier() posteriormente, lo que evitará que se produzca la ejecución en cuestión, no sólo en el controlador rtsx_pcr, sino en cualquier controlador PCI que proporcione devoluciones de llamada .runtime_idle().

A vulnerability was found in the PCI subsystem in the Linux kernel, where runtime-idle callbacks are not always drained before a PCI driver is removed. If these callbacks are still active when the driver is removed, it could result in system instability or crashes.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-05-17 CVE Reserved
  • 2024-05-17 CVE Published
  • 2024-05-18 EPSS Updated
  • 2024-11-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 4.19.312
Search vendor "Linux" for product "Linux Kernel" and version " < 4.19.312"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 5.4.274
Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.274"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 5.10.215
Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.215"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 5.15.154
Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.154"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 6.1.84
Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.84"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 6.6.24
Search vendor "Linux" for product "Linux Kernel" and version " < 6.6.24"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 6.7.12
Search vendor "Linux" for product "Linux Kernel" and version " < 6.7.12"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 6.8.3
Search vendor "Linux" for product "Linux Kernel" and version " < 6.8.3"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 6.9
Search vendor "Linux" for product "Linux Kernel" and version " < 6.9"
en
Affected