CVE-2024-46750: PCI: Add missing bridge lock to pci_bus_lock()
In the Linux kernel, the following vulnerability has been resolved:
PCI: Add missing bridge lock to pci_bus_lock()
One of the true positives that the cfg_access_lock lockdep effort
identified is this sequence:
WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70
RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70
Call Trace:
<TASK>
? __warn+0x8c/0x190
? pci_bridge_secondary_bus_reset+0x5d/0x70
? report_bug+0x1f8/0x200
? handle_bug+0x3c/0x70
? exc_invalid_op+0x18/0x70
? asm_exc_invalid_op+0x1a/0x20
? pci_bridge_secondary_bus_reset+0x5d/0x70
pci_reset_bus+0x1d8/0x270
vmd_probe+0x778/0xa10
pci_device_probe+0x95/0x120
Where pci_reset_bus() users are triggering unlocked secondary bus resets.
Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses
pci_bus_lock() before issuing the reset which locks everything *but* the
bridge itself.
For the same motivation as adding:
bridge = pci_upstream_bridge(dev);
if (bridge)
pci_dev_lock(bridge);
to pci_reset_function() for the "bus" and "cxl_bus" reset cases, add
pci_dev_lock() for @bus->self to pci_bus_lock().
[bhelgaas: squash in recursive locking deadlock fix from Keith Busch:
https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]
Security readout for executives and security teams
Plain-English summary
CVE-2024-46750 is a Linux kernel PCI locking flaw. During some PCI bus reset paths, the kernel failed to lock the bridge device, which could allow unsafe concurrent reset behavior. The public record frames this as a kernel correctness and stability fix, not a confirmed remote compromise issue.
Executive priority
Treat this as a routine-to-moderate kernel maintenance item unless your environment depends on affected Linux-based appliances or PCI-heavy infrastructure. There is no sourced evidence of exploitation, but kernel stability defects still warrant timely patching through normal maintenance windows.
Technical view
The issue is in Linux PCI reset locking. pci_bus_lock() locked devices below a bus but missed bus->self, the bridge itself. Lockdep identified unlocked secondary bus resets through pci_reset_bus() and vmd_probe(). Stable fixes add bridge locking while avoiding recursive locking deadlock.
Likely exposure
Exposure is limited to systems running affected Linux kernel builds with the vulnerable PCI code. The bundle does not prove that every Linux deployment is practically reachable; validate kernel package versions, vendor backports, and whether the fix is included in your distribution.
Exploitation context
No source in the bundle reports active exploitation, and KEV is false. The evidence describes an internal kernel locking defect found by lockdep, with call traces around PCI/VMD reset handling. Practical exploitability, attacker prerequisites, and impact are not specified in the provided sources.
Researcher notes
The key technical point is missing locking of bus->self in pci_bus_lock(). The source bundle provides fix commits and advisory references but lacks CVSS, CWE, exploit prerequisites, or demonstrated impact. Version status appears incomplete, so rely on vendor backport evidence rather than raw upstream version strings alone.
Mitigation direction
Update to a vendor kernel release containing the stable PCI locking fix.
Apply Debian LTS or distribution security updates where applicable.
Check Siemens advisories for affected industrial products using bundled Linux kernels.
Avoid direct wrangler-style assumptions; follow your OS or device vendor guidance.
Track kernel stable commits listed in the CVE record for backport confirmation.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and embedded devices.
Confirm whether vendor packages include the referenced stable commits or equivalent backports.
Review distribution security advisories for CVE-2024-46750 coverage.
Prioritize systems using PCI reset paths, VMD, or vendor appliances named in advisories.
Document exceptions where vendor guidance is unavailable or deferred.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-46750 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.