| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025082230-CVE-2025-38624-81fa@gregkh> Date: Fri, 22 Aug 2025 18:00:33 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38624: PCI: pnv_php: Clean up allocated IRQs on unplug From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: PCI: pnv_php: Clean up allocated IRQs on unplug When the root of a nested PCIe bridge configuration is unplugged, the pnv_php driver leaked the allocated IRQ resources for the child bridges' hotplug event notifications, resulting in a panic. Fix this by walking all child buses and deallocating all its IRQ resources before calling pci_hp_remove_devices(). Also modify the lifetime of the workqueue at struct pnv_php_slot::wq so that it is only destroyed in pnv_php_free_slot(), instead of pnv_php_disable_irq(). This is required since pnv_php_disable_irq() will now be called by workers triggered by hot unplug interrupts, so the workqueue needs to stay allocated. The abridged kernel panic that occurs without this patch is as follows: WARNING: CPU: 0 PID: 687 at kernel/irq/msi.c:292 msi_device_data_release+0x6c/0x9c CPU: 0 UID: 0 PID: 687 Comm: bash Not tainted 6.14.0-rc5+ #2 Call Trace: msi_device_data_release+0x34/0x9c (unreliable) release_nodes+0x64/0x13c devres_release_all+0xc0/0x140 device_del+0x2d4/0x46c pci_destroy_dev+0x5c/0x194 pci_hp_remove_devices+0x90/0x128 pci_hp_remove_devices+0x44/0x128 pnv_php_disable_slot+0x54/0xd4 power_write_file+0xf8/0x18c pci_slot_attr_store+0x40/0x5c sysfs_kf_write+0x64/0x78 kernfs_fop_write_iter+0x1b0/0x290 vfs_write+0x3bc/0x50c ksys_write+0x84/0x140 system_call_exception+0x124/0x230 system_call_vectored_common+0x15c/0x2ec [bhelgaas: tidy comments] The Linux kernel CVE team has assigned CVE-2025-38624 to this issue. Affected and fixed versions =========================== Fixed in 6.1.148 with commit 398170b7fd0e0db2f8096df5206c75e5ff41415a Fixed in 6.6.102 with commit 32173edf3fe2d447e14e5e3b299387c6f9602a88 Fixed in 6.12.42 with commit 28aa3cfce12487614219e7667ec84424e1f43227 Fixed in 6.15.10 with commit 1773c19fa55e944cdd2634e2d9e552f87f2d38d5 Fixed in 6.16.1 with commit bbd302c4b79df10197ffa7270ca3aa572eeca33c Fixed in 6.17-rc1 with commit 4668619092554e1b95c9a5ac2941ca47ba6d548a Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38624 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/pci/hotplug/pnv_php.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/398170b7fd0e0db2f8096df5206c75e5ff41415a https://git.kernel.org/stable/c/32173edf3fe2d447e14e5e3b299387c6f9602a88 https://git.kernel.org/stable/c/28aa3cfce12487614219e7667ec84424e1f43227 https://git.kernel.org/stable/c/1773c19fa55e944cdd2634e2d9e552f87f2d38d5 https://git.kernel.org/stable/c/bbd302c4b79df10197ffa7270ca3aa572eeca33c https://git.kernel.org/stable/c/4668619092554e1b95c9a5ac2941ca47ba6d548a
Powered by blists - more mailing lists