CVE-2024-42302: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
In the Linux kernel, the following vulnerability has been resolved:
PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
Keith reports a use-after-free when a DPC event occurs concurrently to
hot-removal of the same portion of the hierarchy:
The dpc_handler() awaits readiness of the secondary bus below the
Downstream Port where the DPC event occurred. To do so, it polls the
config space of the first child device on the secondary bus. If that
child device is concurrently removed, accesses to its struct pci_dev
cause the kernel to oops.
That's because pci_bridge_wait_for_secondary_bus() neglects to hold a
reference on the child device. Before v6.3, the function was only
called on resume from system sleep or on runtime resume. Holding a
reference wasn't necessary back then because the pciehp IRQ thread
could never run concurrently. (On resume from system sleep, IRQs are
not enabled until after the resume_noirq phase. And runtime resume is
always awaited before a PCI device is removed.)
However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also
called on a DPC event. Commit 53b54ad074de ("PCI/DPC: Await readiness
of secondary bus after reset"), which introduced that, failed to
appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a
reference on the child device because dpc_handler() and pciehp may
indeed run concurrently. The commit was backported to v5.10+ stable
kernels, so that's the oldest one affected.
Add the missing reference acquisition.
Abridged stack trace:
BUG: unable to handle page fault for address: 00000000091400c0
CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0
RIP: pci_bus_read_config_dword+0x17/0x50
pci_dev_wait()
pci_bridge_wait_for_secondary_bus()
dpc_reset_link()
pcie_do_recovery()
dpc_handler()
Security readout for executives and security teams
Plain-English summary
This Linux kernel flaw can crash a system when a PCIe Downstream Port Containment event happens at the same time as PCIe hot-removal. The documented impact is a kernel oops from use-after-free, so business urgency is mainly availability for systems using affected kernels and PCIe hot-plug or fault recovery paths.
Executive priority
Treat this as a targeted availability risk, not an internet-wide emergency based on current evidence. Patch during the next appropriate kernel maintenance window, with faster action for critical systems using hot-pluggable PCIe or vendor appliances that list this CVE.
Technical view
The bug is in pci_bridge_wait_for_secondary_bus(), called from DPC recovery since v6.3 and backported to v5.10+ stable. It polls a child pci_dev without holding a reference, allowing concurrent pciehp removal to free the object while dpc_handler() still uses it.
Likely exposure
Exposure is most likely on Linux systems running affected v5.10+ stable or v6.3+ kernel lines with PCIe DPC and hot-removal capability. Servers, appliances, and industrial systems with hot-pluggable PCIe hardware deserve priority review. The bundle does not identify user-space applications as directly affected.
Exploitation context
The sources describe a concurrency race causing a kernel oops during DPC recovery and hot-removal. They do not provide evidence of active exploitation, public weaponization, KEV listing, remote exploitation, or privilege escalation. Exploitability beyond causing availability impact is not established in the provided evidence.
Researcher notes
The key root cause is missing pci_dev reference acquisition in a DPC recovery path introduced by commit 53b54ad074de and backported to v5.10+ stable. The provided stack trace shows pci_bus_read_config_dword through dpc_handler. No CVSS, CWE, or confirmed exploit status is included.
Mitigation direction
Update to a vendor kernel build that includes the referenced PCI/DPC fix.
Prioritize systems with PCIe hot-plug, DPC support, or removable PCIe devices.
Check distribution and appliance vendor advisories for fixed package versions.
Avoid nonessential PCIe hot-removal on affected systems until patched where operationally feasible.
Monitor kernel logs for DPC, pciehp, and kernel oops events.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and embedded systems.
Check whether running kernels include the CVE-2024-42302 stable fix commits.
Review vendor advisories for affected and fixed versions for each platform.
Identify hosts with PCIe DPC and hot-plug hardware exposure.
Search kernel logs for pci_bridge_wait_for_secondary_bus, dpc_handler, and pciehp oops traces.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-42302 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.