ghsa-rjpx-6frc-3vgp
Vulnerability from github
Published
2025-05-09 09:33
Modified
2025-05-09 09:33
Details

In the Linux kernel, the following vulnerability has been resolved:

PCI: pciehp: Avoid unnecessary device replacement check

Hot-removal of nested PCI hotplug ports suffers from a long-standing race condition which can lead to a deadlock: A parent hotplug port acquires pci_lock_rescan_remove(), then waits for pciehp to unbind from a child hotplug port. Meanwhile that child hotplug port tries to acquire pci_lock_rescan_remove() as well in order to remove its own children.

The deadlock only occurs if the parent acquires pci_lock_rescan_remove() first, not if the child happens to acquire it first.

Several workarounds to avoid the issue have been proposed and discarded over the years, e.g.:

https://lore.kernel.org/r/4c882e25194ba8282b78fe963fec8faae7cf23eb.1529173804.git.lukas@wunner.de/

A proper fix is being worked on, but needs more time as it is nontrivial and necessarily intrusive.

Recent commit 9d573d19547b ("PCI: pciehp: Detect device replacement during system sleep") provokes more frequent occurrence of the deadlock when removing more than one Thunderbolt device during system sleep. The commit sought to detect device replacement, but also triggered on device removal. Differentiating reliably between replacement and removal is impossible because pci_get_dsn() returns 0 both if the device was removed, as well as if it was replaced with one lacking a Device Serial Number.

Avoid the more frequent occurrence of the deadlock by checking whether the hotplug port itself was hot-removed. If so, there's no sense in checking whether its child device was replaced.

This works because the ->resume_noirq() callback is invoked in top-down order for the entire hierarchy: A parent hotplug port detecting device replacement (or removal) marks all children as removed using pci_dev_set_disconnected() and a child hotplug port can then reliably detect being removed.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-37843"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-09T07:16:05Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: pciehp: Avoid unnecessary device replacement check\n\nHot-removal of nested PCI hotplug ports suffers from a long-standing race\ncondition which can lead to a deadlock:  A parent hotplug port acquires\npci_lock_rescan_remove(), then waits for pciehp to unbind from a child\nhotplug port.  Meanwhile that child hotplug port tries to acquire\npci_lock_rescan_remove() as well in order to remove its own children.\n\nThe deadlock only occurs if the parent acquires pci_lock_rescan_remove()\nfirst, not if the child happens to acquire it first.\n\nSeveral workarounds to avoid the issue have been proposed and discarded\nover the years, e.g.:\n\nhttps://lore.kernel.org/r/4c882e25194ba8282b78fe963fec8faae7cf23eb.1529173804.git.lukas@wunner.de/\n\nA proper fix is being worked on, but needs more time as it is nontrivial\nand necessarily intrusive.\n\nRecent commit 9d573d19547b (\"PCI: pciehp: Detect device replacement during\nsystem sleep\") provokes more frequent occurrence of the deadlock when\nremoving more than one Thunderbolt device during system sleep.  The commit\nsought to detect device replacement, but also triggered on device removal.\nDifferentiating reliably between replacement and removal is impossible\nbecause pci_get_dsn() returns 0 both if the device was removed, as well as\nif it was replaced with one lacking a Device Serial Number.\n\nAvoid the more frequent occurrence of the deadlock by checking whether the\nhotplug port itself was hot-removed.  If so, there\u0027s no sense in checking\nwhether its child device was replaced.\n\nThis works because the -\u003eresume_noirq() callback is invoked in top-down\norder for the entire hierarchy:  A parent hotplug port detecting device\nreplacement (or removal) marks all children as removed using\npci_dev_set_disconnected() and a child hotplug port can then reliably\ndetect being removed.",
  "id": "GHSA-rjpx-6frc-3vgp",
  "modified": "2025-05-09T09:33:19Z",
  "published": "2025-05-09T09:33:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37843"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0d0bbd01f7c0ac7d1be9f85aaf2cd0baec34655f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7535d10a2c61baeff493300070cf04d9ddda216b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e3260237aaadc9799107ccb940c6688195c4518d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e4a1d7defbc2d806540720a5adebe24ec3488683"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.