{"id":"CVE-2024-35809","summary":"PCI/PM: Drain runtime-idle callbacks before driver removal","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/PM: Drain runtime-idle callbacks before driver removal\n\nA race condition between the .runtime_idle() callback and the .remove()\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\nunhandled page fault [1].\n\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\nafter pm_runtime_get_sync() has been called, but the latter doesn't really\nguarantee that.  It only guarantees that the suspend and resume callbacks\nwill not be running when it returns.\n\nHowever, if a .runtime_idle() callback is already running when\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\nstatus of the device is RPM_ACTIVE and it will return right away without\nwaiting for the former to complete.  In fact, it cannot wait for\n.runtime_idle() to complete because it may be called from that callback (it\narguably does not make much sense to do that, but it is not strictly\nprohibited).\n\nThus in general, whoever is providing a .runtime_idle() callback needs\nto protect it from running in parallel with whatever code runs after\npm_runtime_get_sync().  [Note that .runtime_idle() will not start after\npm_runtime_get_sync() has returned, but it may continue running then if it\nhas started earlier.]\n\nOne way to address that race condition is to call pm_runtime_barrier()\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\nbeing invoked) to wait for the .runtime_idle() callback to complete should\nit be running at that point.  A suitable place for doing that is in\npci_device_remove() which calls pm_runtime_get_sync() before removing the\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\nwill prevent the race in question from occurring, not just in the rtsx_pcr\ndriver, but in any PCI drivers providing .runtime_idle() callbacks.","modified":"2026-03-20T12:36:39.351758Z","published":"2024-05-17T13:23:16.168Z","related":["ALSA-2024:7000","ALSA-2024:7001","SUSE-SU-2024:1979-1","SUSE-SU-2024:1983-1","SUSE-SU-2024:2008-1","SUSE-SU-2024:2019-1","SUSE-SU-2024:2135-1","SUSE-SU-2024:2184-1","SUSE-SU-2024:2190-1","SUSE-SU-2024:2203-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20249-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35809.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674"},{"type":"WEB","url":"https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35809.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35809"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f3ec4f87d607f40497afdb5ac03f11e2ea253d52"},{"fixed":"9a87375bb586515c0af63d5dcdcd58ec4acf20a6"},{"fixed":"47d8aafcfe313511a98f165a54d0adceb34e54b1"},{"fixed":"bbe068b24409ef740657215605284fc7cdddd491"},{"fixed":"7cc94dd36e48879e76ae7a8daea4ff322b7d9674"},{"fixed":"900b81caf00c89417172afe0e7e49ac4eb110f4b"},{"fixed":"d86ad8c3e152349454b82f37007ff6ba45f26989"},{"fixed":"d534198311c345e4b062c4b88bb609efb8bd91d5"},{"fixed":"6347348c6aba52dda0b33296684cbb627bdc6970"},{"fixed":"9d5286d4e7f68beab450deddbb6a32edd5ecf4bf"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-35809.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}