{ "schema_version": "1.4.0", "id": "GHSA-3r3f-7rrr-c2h9", "modified": "2024-10-29T21:30:45Z", "published": "2024-05-17T15:31:09Z", "aliases": [ "CVE-2024-35809" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/PM: Drain runtime-idle callbacks before driver removal\n\nA race condition between the .runtime_idle() callback and the .remove()\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\nunhandled page fault [1].\n\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\nafter pm_runtime_get_sync() has been called, but the latter doesn't really\nguarantee that. It only guarantees that the suspend and resume callbacks\nwill not be running when it returns.\n\nHowever, if a .runtime_idle() callback is already running when\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\nstatus of the device is RPM_ACTIVE and it will return right away without\nwaiting for the former to complete. In fact, it cannot wait for\n.runtime_idle() to complete because it may be called from that callback (it\narguably does not make much sense to do that, but it is not strictly\nprohibited).\n\nThus in general, whoever is providing a .runtime_idle() callback needs\nto protect it from running in parallel with whatever code runs after\npm_runtime_get_sync(). [Note that .runtime_idle() will not start after\npm_runtime_get_sync() has returned, but it may continue running then if it\nhas started earlier.]\n\nOne way to address that race condition is to call pm_runtime_barrier()\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\nbeing invoked) to wait for the .runtime_idle() callback to complete should\nit be running at that point. A suitable place for doing that is in\npci_device_remove() which calls pm_runtime_get_sync() before removing the\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\nwill prevent the race in question from occurring, not just in the rtsx_pcr\ndriver, but in any PCI drivers providing .runtime_idle() callbacks.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ], "affected": [], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35809" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4b" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "database_specific": { "cwe_ids": [], "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-05-17T14:15:14Z" } }