FKIE_CVE-2024-35809

Vulnerability from fkie_nvd - Published: 2024-05-17 14:15 - Updated: 2025-12-23 18:29
Severity ?
4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: PCI/PM: Drain runtime-idle callbacks before driver removal A race condition between the .runtime_idle() callback and the .remove() callback in the rtsx_pcr PCI driver leads to a kernel crash due to an unhandled page fault [1]. The problem is that rtsx_pci_runtime_idle() is not expected to be running after pm_runtime_get_sync() has been called, but the latter doesn't really guarantee that. It only guarantees that the suspend and resume callbacks will not be running when it returns. However, if a .runtime_idle() callback is already running when pm_runtime_get_sync() is called, the latter will notice that the runtime PM status of the device is RPM_ACTIVE and it will return right away without waiting for the former to complete. In fact, it cannot wait for .runtime_idle() to complete because it may be called from that callback (it arguably does not make much sense to do that, but it is not strictly prohibited). Thus in general, whoever is providing a .runtime_idle() callback needs to protect it from running in parallel with whatever code runs after pm_runtime_get_sync(). [Note that .runtime_idle() will not start after pm_runtime_get_sync() has returned, but it may continue running then if it has started earlier.] One way to address that race condition is to call pm_runtime_barrier() after pm_runtime_get_sync() (not before it, because a nonzero value of the runtime PM usage counter is necessary to prevent runtime PM callbacks from being invoked) to wait for the .runtime_idle() callback to complete should it be running at that point. A suitable place for doing that is in pci_device_remove() which calls pm_runtime_get_sync() before removing the driver, so it may as well call pm_runtime_barrier() subsequently, which will prevent the race in question from occurring, not just in the rtsx_pcr driver, but in any PCI drivers providing .runtime_idle() callbacks.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4bPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bfPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4bPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bfPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989Patch
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/06/msg00017.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/06/msg00020.htmlThird Party Advisory
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
debian debian_linux 10.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "23F858DD-6739-4BD9-9DA9-A9F5F66187C0",
              "versionEndExcluding": "4.19.312",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F45A0F3C-C16D-49C4-86D6-D021C3D4B834",
              "versionEndExcluding": "5.4.274",
              "versionStartIncluding": "4.20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9CD5894E-58E9-4B4A-B0F4-3E6BC134B8F5",
              "versionEndExcluding": "5.10.215",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "577E212E-7E95-4A71-9B5C-F1D1A3AFFF46",
              "versionEndExcluding": "5.15.154",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "834D9BD5-42A6-4D74-979E-4D6D93F630FD",
              "versionEndExcluding": "6.1.84",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8018C1D0-0A5F-48D0-BC72-A2B33FDDA693",
              "versionEndExcluding": "6.6.24",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6BE9771A-BAFD-4624-95F9-58D536540C53",
              "versionEndExcluding": "6.7.12",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C59BBC3-6495-4A77-9C82-55EC7CDF5E02",
              "versionEndExcluding": "6.8.3",
              "versionStartIncluding": "6.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/PM: Drain runtime-idle callbacks before driver removal\n\nA race condition between the .runtime_idle() callback and the .remove()\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\nunhandled page fault [1].\n\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\nafter pm_runtime_get_sync() has been called, but the latter doesn\u0027t really\nguarantee that.  It only guarantees that the suspend and resume callbacks\nwill not be running when it returns.\n\nHowever, if a .runtime_idle() callback is already running when\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\nstatus of the device is RPM_ACTIVE and it will return right away without\nwaiting for the former to complete.  In fact, it cannot wait for\n.runtime_idle() to complete because it may be called from that callback (it\narguably does not make much sense to do that, but it is not strictly\nprohibited).\n\nThus in general, whoever is providing a .runtime_idle() callback needs\nto protect it from running in parallel with whatever code runs after\npm_runtime_get_sync().  [Note that .runtime_idle() will not start after\npm_runtime_get_sync() has returned, but it may continue running then if it\nhas started earlier.]\n\nOne way to address that race condition is to call pm_runtime_barrier()\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\nbeing invoked) to wait for the .runtime_idle() callback to complete should\nit be running at that point.  A suitable place for doing that is in\npci_device_remove() which calls pm_runtime_get_sync() before removing the\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\nwill prevent the race in question from occurring, not just in the rtsx_pcr\ndriver, but in any PCI drivers providing .runtime_idle() callbacks."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: PCI/PM: drena las devoluciones de llamada inactivas en tiempo de ejecuci\u00f3n antes de eliminar el controlador. Una condici\u00f3n de ejecuci\u00f3n entre la devoluci\u00f3n de llamada .runtime_idle() y la devoluci\u00f3n de llamada .remove() en el controlador PCI rtsx_pcr conduce a un crash de kernel debido a un error de p\u00e1gina no controlado [1]. El problema es que no se espera que rtsx_pci_runtime_idle() se ejecute despu\u00e9s de llamar a pm_runtime_get_sync(), pero esto \u00faltimo realmente no garantiza eso. Solo garantiza que las devoluciones de llamada de suspensi\u00f3n y reanudaci\u00f3n no se ejecutar\u00e1n cuando regrese. Sin embargo, si ya se est\u00e1 ejecutando una devoluci\u00f3n de llamada .runtime_idle() cuando se llama a pm_runtime_get_sync(), este \u00faltimo notar\u00e1 que el estado de PM en tiempo de ejecuci\u00f3n del dispositivo es RPM_ACTIVE y regresar\u00e1 de inmediato sin esperar a que se complete el primero. De hecho, no puede esperar a que se complete .runtime_idle() porque puede ser llamado desde esa devoluci\u00f3n de llamada (podr\u00eda decirse que no tiene mucho sentido hacerlo, pero no est\u00e1 estrictamente prohibido). Por lo tanto, en general, quien proporciona una devoluci\u00f3n de llamada .runtime_idle() debe protegerla para que no se ejecute en paralelo con cualquier c\u00f3digo que se ejecute despu\u00e9s de pm_runtime_get_sync(). [Tenga en cuenta que .runtime_idle() no se iniciar\u00e1 despu\u00e9s de que pm_runtime_get_sync() haya regresado, pero puede continuar ejecut\u00e1ndose si comenz\u00f3 antes.] Una forma de abordar esa condici\u00f3n de ejecuci\u00f3n es llamar a pm_runtime_barrier() despu\u00e9s de pm_runtime_get_sync() (no antes porque es necesario un valor distinto de cero del contador de uso de PM en tiempo de ejecuci\u00f3n para evitar que se invoquen devoluciones de llamada de PM en tiempo de ejecuci\u00f3n) para esperar a que se complete la devoluci\u00f3n de llamada .runtime_idle() en caso de que se est\u00e9 ejecutando en ese punto. Un lugar adecuado para hacerlo es pci_device_remove() que llama a pm_runtime_get_sync() antes de eliminar el controlador, por lo que tambi\u00e9n puede llamar a pm_runtime_barrier() posteriormente, lo que evitar\u00e1 que se produzca la ejecuci\u00f3n en cuesti\u00f3n, no s\u00f3lo en el controlador rtsx_pcr, sino en cualquier controlador PCI que proporcione devoluciones de llamada .runtime_idle()."
    }
  ],
  "id": "CVE-2024-35809",
  "lastModified": "2025-12-23T18:29:25.103",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-17T14:15:14.730",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.