Bug 2271795 (CVE-2024-26650)

Summary: CVE-2024-26650 kernel: p2sb_bar() calls during PCI device probe
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: acaringi, allarkin, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, esandeen, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mleitner, mmilgram, mstowell, nmurray, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, sidakwo, sukulkar, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
[REJECTED CVE] A deadlock issue was identified in the Linux kernel within the platform/x86 P2SB subsystem. The issue arises when the p2sb_bar() function, used to unhide the P2SB device for resource retrieval, locks pci_rescan_remove_lock during PCI device probing. If a PCI bus rescan is triggered (e.g., via /sys/bus/pci/rescan), it can lead to a deadlock when the rescan also locks pci_rescan_remove_lock and probes devices that call p2sb_bar(). This deadlock could cause a system hang or unresponsiveness during PCI bus rescans or device probing, affecting system stability.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2271798    
Bug Blocks: 2271799, 2271782    

Description Rohit Keshri 2024-03-27 11:40:47 UTC 
In the Linux kernel, the following vulnerability has been resolved:

platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe

p2sb_bar() unhides P2SB device to get resources from the device. It
guards the operation by locking pci_rescan_remove_lock so that parallel
rescans do not find the P2SB device. However, this lock causes deadlock
when PCI bus rescan is triggered by /sys/bus/pci/rescan. The rescan
locks pci_rescan_remove_lock and probes PCI devices. When PCI devices
call p2sb_bar() during probe, it locks pci_rescan_remove_lock again.
Hence the deadlock.

To avoid the deadlock, do not lock pci_rescan_remove_lock in p2sb_bar().
Instead, do the lock at fs_initcall. Introduce p2sb_cache_resources()
for fs_initcall which gets and caches the P2SB resources. At p2sb_bar(),
refer the cache and return to the caller.

Before operating the device at P2SB DEVFN for resource cache, check
that its device class is PCI_CLASS_MEMORY_OTHER 0x0580 that PCH
specifications define. This avoids unexpected operation to other devices
at the same DEVFN.

Tested-by Klara Modin <klarasmodin>

https://git.kernel.org/stable/c/2841631a03652f32b595c563695d0461072e0de4
https://git.kernel.org/stable/c/5913320eb0b3ec88158cfcb0fa5e996bf4ef681b
https://git.kernel.org/stable/c/847e1eb30e269a094da046c08273abe3f3361cf2
https://git.kernel.org/stable/c/d281ac9a987c553d93211b90fd4fe97d8eca32cd
Comment 1 Rohit Keshri 2024-03-27 11:47:19 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2271798]
Comment 4 Justin M. Forbes 2024-03-27 20:27:13 UTC 
This was fixed for Fedora with the 6.7.3 stable kernel updates.
Comment 6 Alex 2024-06-09 16:34:32 UTC 
The result of automatic check (that is developed by Alexander Larkin) for this CVE-2024-26650 is: CHECK	Maybe valid. Check manually. with impact LOW (that is an approximation based on flags DEADLOCK INIT IMPROVEONLY  ; these flags parsed automatically based on patch data). Such automatic check happens only for Low/Moderates (and only when not from reporter, but parsing already existing CVE). Highs always checked manually (I check it myself and then we check it again in Remediation team). In rare cases some of the Moderates could be increased to High later.
Comment 7 errata-xmlrpc 2024-11-12 09:20:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9315 https://access.redhat.com/errata/RHSA-2024:9315
Comment 8 TEJ RATHI 2024-12-02 11:01:24 UTC 
This CVE has been rejected upstream:- https://lore.kernel.org/linux-cve-announce/2024052359-REJECTED-006a@gregkh/