CVE-2024-58093

Summary

In the Linux kernel, the following vulnerability has been resolved:

PCI/ASPM: Fix link state exit during switch upstream function removal

Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free"), we would free the ASPM link only after the last function on the bus pertaining to the given link was removed.

That was too late. If function 0 is removed before sibling function, link->downstream would point to free'd memory after.

After above change, we freed the ASPM parent link state upon any function removal on the bus pertaining to a given link.

That is too early. If the link is to a PCIe switch with MFD on the upstream port, then removing functions other than 0 first would free a link which still remains parent_link to the remaining downstream ports.

The resulting GPFs are especially frequent during hot-unplug, because pciehp removes devices on the link bus in reverse order.

On that switch, function 0 is the virtual P2P bridge to the internal bus. Free exactly when function 0 is removed – before the parent link is obsolete, but after all subordinate links are gone.

[kwilczynski: commit log]

Affected Software

VendorProductVersion RangeStatus
LinuxLinux456d8aa37d0f56fc9e985e812496e861dcd6f2f2 < cbf937dcadfd571a434f8074d057b32cd14fbea5affected
LinuxLinux666e7f9d60cee23077ea3e6331f6f8a19f7ea03faffected
LinuxLinux7badf4d6f49a358a01ab072bbff88d3ee886c33baffected
LinuxLinux9856c0de49052174ab474113f4ba40c02aaee086affected
LinuxLinux7aecdd47910c51707696e8b0e045b9f88bd4230faffected
LinuxLinuxd51d2eeae4ce54d542909c4d9d07bf371a78592caffected
LinuxLinux4203722d51afe3d239e03f15cc73efdf023a7103affected
LinuxLinux5.4.251 < 5.5affected
LinuxLinux5.10.188 < 5.11affected
LinuxLinux5.15.121 < 5.16affected
LinuxLinux6.1.39 < 6.2affected
LinuxLinux6.3.13 < 6.4affected
LinuxLinux6.4.4 < 6.5affected
LinuxLinux6.5affected
LinuxLinux0 < 6.5unaffected
LinuxLinux6.15 <= *unaffected

Weaknesses

References