"value":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix use-after-free of slot->bus on hot remove\n\nDennis reports a boot crash on recent Lenovo laptops with a USB4 dock.\n\nSince commit 0fc70886569c (\"thunderbolt: Reset USB4 v2 host router\") and\ncommit 59a54c5f3dbd (\"thunderbolt: Reset topology created by the boot\nfirmware\"), USB4 v2 and v1 Host Routers are reset on probe of the\nthunderbolt driver.\n\nThe reset clears the Presence Detect State and Data Link Layer Link Active\nbits at the USB4 Host Router's Root Port and thus causes hot removal of the\ndock.\n\nThe crash occurs when pciehp is unbound from one of the dock's Downstream\nPorts: pciehp creates a pci_slot on bind and destroys it on unbind. The\npci_slot contains a pointer to the pci_bus below the Downstream Port, but\na reference on that pci_bus is never acquired. The pci_bus is destroyed\nbefore the pci_slot, so a use-after-free ensues when pci_slot_release()\naccesses slot->bus.\n\nIn principle this should not happen because pci_stop_bus_device() unbinds\npciehp (and therefore destroys the pci_slot) before the pci_bus is\ndestroyed by pci_remove_bus_device().\n\nHowever the stacktrace provided by Dennis shows that pciehp is unbound from\npci_remove_bus_device() instead of pci_stop_bus_device(). To understand\nthe significance of this, one needs to know that the PCI core uses a two\nstep process to remove a portion of the hierarchy: It first unbinds all\ndrivers in the sub-hierarchy in pci_stop_bus_device() and then actually\nremoves the devices in pci_remove_bus_device(). There is no precaution to\nprevent driver binding in-between pci_stop_bus_device() and\npci_remove_bus_device().\n\nIn Dennis' case, it seems removal of the hierarchy by pciehp races with\ndriver binding by pci_bus_add_devices(). pciehp is bound to the\nDownstream Port after pci_stop_bus_device() has run, so it is unbound by\npci_remove_bus_device() instead of pci_stop_bus_device(). Because the\npci_bus has already been destroyed at that point, accesses to it result in\na use-after-free.\n\nOne might conclude that driver binding needs to be prevented after\npci_stop_bus_device() has run. However it seems risky that pci_slot points\nto pci_bus without holding a reference. Solely relying on correct ordering\nof driver unbind versus pci_bus destruction is certainly not defensive\nprogramming.\n\nIf pci_slot has a need to access data in pci_bus, it ought to acquire a\nreference. Amend pci_create_slot() accordingly. Dennis reports that the\ncrash is not reproducible with this change.\n\nAbridged stacktrace:\n\n pcieport 0000:00:07.0: PME: Signaling with IRQ 156\n pcieport 0000:00:07.0: pciehp: Slot #12 AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug+ Surprise+ Interlock- NoCompl+ IbPresDis- LLActRep+\n pci_bus 0000:20: dev 00, created physical slot 12\n pcieport 0000:00:07.0: pciehp: Slot(12): Card not present\n ...\n pcieport 0000:21:02.0: pciehp: pcie_disable_notification: SLOTCTRL d8 write cmd 0\n Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 13 UID: 0 PID: 134 Comm: irq/156-pciehp Not tainted 6.11.0-devel+ #1\n RIP: 0010:dev_driver_string+0x12/0x40\n pci_destroy_slot\n pciehp_remove\n pcie_port_remove_service\n device_release_driver_internal\n bus_remove_device\n device_del\n device_unregister\n remove_iter\n device_for_each_child\n pcie_portdrv_remove\n pci_device_remove\n device_release_driver_internal\n bus_remove_device\n device_del\n pci_remove_bus_device (recursive invocation)\n pci_remove_bus_device\n pciehp_unconfigure_device\n pciehp_disable_slot\n pciehp_handle_presence_or_link_change\n pciehp_ist"
"value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: PCI: Fix use-after-free of slot->bus on hot remove Dennis informa un fallo de arranque en port\u00e1tiles Lenovo recientes con un dock USB4. Desde el commit 0fc70886569c (\"thunderbolt: Reset USB4 v2 host router\") y el commit 59a54c5f3dbd (\"thunderbolt: Reset topology created by the boot firmware\"),losroutershostUSB4v2yv1serestablecenalsondearelcontroladorThunderbolt.Elrestablecimientoborralosbitsdeestadodedetecci\u00f3ndepresenciaydeenlacedecapadeenlacededatosactivoenelpuertora\u00edzdelrouterhostUSB4y,porlotanto,provocalaeliminaci\u00f3nencalientedeldock.Elfalloseproducecuandopciehpsedesvinculadeunodelospuertosdebajadadeldock:pciehpcreaunpci_slotalvincularloylodestruyealdesvincularlo.Elpci_slotcontieneunpunteroalpci_busdebajodelpuertodebajada,peronuncaseadquiereunareferenciaenesepci_bus.Elpci_bussedestruyeantesqueelpci_slot,porloqueseproduceunuse-after-freecuandopci_slot_release()accedeaslot->bus.Enprincipio,estonodeber\u00edasucederporquepci_stop_bus_device()desvinculapciehp(y,porlotanto,destruyeelpci_slot)antesdequepci_remove_bus_device()destruyaelpci_bus.Sinembargo,elseguimientodelapilaproporcionadoporDennismuestraquepciehpsedesvinculadepci_remove_bus_device()enlugardepci_stop_bus_device().Paracomprenderlaimportanciadeesto,esnecesariosaberqueeln\u00facleoPCIutilizaunprocesodedospasosparaeliminarunapartedelajerarqu\u00eda:primerodesvinculatodosloscontroladoresenlasubjerarqu\u00edaenpci_stop_bus_device()yluegoeliminalosdispositivosenpci_remove_bus_device().Nohayningunaprecauci\u00f3nparaevitarlavinculaci\u00f3ndelcontroladorentrepci_stop_bus_device()ypci_remove_bus_device().EnelcasodeDennis,parecequelaeliminaci\u00f3ndelajerarqu\u00edaporpartedepciehpcompiteconlavinculaci\u00f3ndelcontroladorporpartedepci_bus_add_devices().pciehpest\u00e1vinculadoalpuertodescendentedespu\u00e9sdequesehayaejecutadopci_stop_bus_device(),porloquesedesvinculamediantepci_remove_bus_device()enlugardepci_stop_bus_device().Debidoaquepci_busyasehadestruidoenesepunto,losaccesosa\u00e9ldancomoresultadounuse-after-free.Sepodr\u00edaconcluirqueesnecesarioevitarlavinculaci\u00f3ndelcontroladordespu\u00e9sdequesehayaejecutadopci_stop_bus_device().Sinembargo,parecearriesgadoquepci_slotapunteapci_bussincontenerunareferencia.Confiar\u00fanicamenteenelordencorrectodeladesvinculaci\u00f3ndelcontroladorfrentealadestrucci\u00f3ndepci_busciertamentenoesprogramaci\u00f3ndefensiva.Sipci_slotnecesitaaccederadatosenpci_bus,debeadquirirunareferencia.Modifiquepci_create_slot()enconsecuencia.Dennisinformaqueelbloqueonosepuedereproducirconestecambio.Rastreodepilaabreviado:pcieport0000:00:07.0:PME:Se\u00f1alizaci\u00f3nconIRQ156pcieport0000:00:07.0:pciehp:Ranuran.\u00ba12AttnBtn-PwrCtrl-MRL-AttnInd-PwrInd-HotPlug+Surprise+Interlock-NoCompl+IbPresDis-LLActRep+pci_bus0000:20:dev00,cre\u00f3laranuraf\u00edsica12pcieport0000:00:07.0:pciehp:Ranura(12):Tarjetanopresente...pcieport0000:21:02.0:pciehp:pcie_disable_notification:SLOTCTRLd8comandodeescritura0Oops:errordeprotecci\u00f3ngeneral,probablementeparaunadirecci\u00f3nnocan\u00f3nica0x6b6b6b6b6b6b6b6b6b:0000[#1]PREEMPTSMPNOPTICPU:13UID:0PID:134Comm:irq/156-pciehpNocontaminado6.11.0-devel+#1RIP:0010:dev_driver_string+0x12/0x40ranuradedestrucci\u00f3npcipciehp_removeserviciodeeliminaci\u00f3ndepuertopciedispositivodeliberaci\u00f3ndecontroladorinternodebuseliminardispositivo_eliminar_dispositivoanular_registro_dispositivoeliminar_iterdispositivo_para_cada_hijo_eliminar_puerto_pciedispositivo_eliminar_dispositivo_liberaci\u00f3n_controlador_interno_bus_
