
CVE-2024-35809: Vulnerability in Linux (Linux kernel)

Severity: Medium
Published: Fri May 17 2024 (05/17/2024, 13:23:16 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

PCI/PM: Drain runtime-idle callbacks before driver removal

A race condition between the .runtime_idle() callback and the .remove() callback in the rtsx_pcr PCI driver leads to a kernel crash due to an unhandled page fault [1].

The problem is that rtsx_pci_runtime_idle() is not expected to be running after pm_runtime_get_sync() has been called, but the latter doesn't really guarantee that. It only guarantees that the suspend and resume callbacks will not be running when it returns.

However, if a .runtime_idle() callback is already running when pm_runtime_get_sync() is called, the latter will notice that the runtime PM status of the device is RPM_ACTIVE and it will return right away without waiting for the former to complete. In fact, it cannot wait for .runtime_idle() to complete because it may be called from that callback (it arguably does not make much sense to do that, but it is not strictly prohibited).

Thus in general, whoever is providing a .runtime_idle() callback needs to protect it from running in parallel with whatever code runs after pm_runtime_get_sync(). [Note that .runtime_idle() will not start after pm_runtime_get_sync() has returned, but it may continue running then if it has started earlier.]

One way to address that race condition is to call pm_runtime_barrier() after pm_runtime_get_sync() (not before it, because a nonzero value of the runtime PM usage counter is necessary to prevent runtime PM callbacks from being invoked) to wait for the .runtime_idle() callback to complete should it be running at that point.

A suitable place for doing that is in pci_device_remove() which calls pm_runtime_get_sync() before removing the driver, so it may as well call pm_runtime_barrier() subsequently, which will prevent the race in question from occurring, not just in the rtsx_pcr driver, but in any PCI drivers providing .runtime_idle() callbacks.

AI-Powered Analysis

Last updated: 06/29/2025, 16:10:27 UTC

Technical Analysis

CVE-2024-35809 is a medium-severity vulnerability in the Linux kernel's PCI runtime power management (PM) handling, reported against the rtsx_pcr PCI driver. It is a race condition between a driver's .runtime_idle() callback and its .remove() callback during driver removal. The .runtime_idle() callback runs when the device is idle, while .remove() runs when the driver is being removed from the device.

Before removing a driver, pci_device_remove() calls pm_runtime_get_sync() to synchronize the runtime PM state. That call only guarantees that the suspend and resume callbacks are not running when it returns: if the device's runtime PM status is already RPM_ACTIVE, it returns immediately, without waiting for a .runtime_idle() callback that is already executing (it cannot wait, because pm_runtime_get_sync() may itself be called from inside .runtime_idle()). So .runtime_idle() can still be running after pm_runtime_get_sync() returns, while the removal code proceeds to tear down the driver's data structures without protecting against this concurrency; in the rtsx_pcr case this ends in an unhandled page fault and a kernel crash.

The fix calls pm_runtime_barrier() after pm_runtime_get_sync() in pci_device_remove(). With the usage counter already nonzero, no new runtime PM callback can start, and the barrier waits for any .runtime_idle() callback that is in flight to complete before removal continues. Because the change is in the PCI core rather than in rtsx_pcr, it closes the race for every PCI driver that implements a .runtime_idle() callback.

The vulnerability affects availability only, by crashing the kernel; it does not affect confidentiality or integrity. The CVSS 3.1 vector is local attack vector (AV:L), low privileges required (PR:L) and no user interaction (UI:N), so an attacker needs local access to the system. The base score is 5.5 (medium), reflecting a denial of service via kernel crash with limited exploitability and impact scope.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with the affected rtsx_pcr PCI driver or other PCI drivers using .runtime_idle() callbacks without proper synchronization. The impact is a potential denial of service through kernel crashes, which can disrupt critical services, especially in environments relying on Linux servers for infrastructure, industrial control, or embedded systems. Organizations in sectors such as telecommunications, manufacturing, finance, and public administration that use Linux-based systems with PCI devices may experience system instability or outages. Although the vulnerability does not allow privilege escalation or data compromise directly, repeated crashes could lead to operational downtime and increased maintenance costs. Given that exploitation requires local access, the threat is more significant in environments where untrusted users have shell or physical access, such as shared hosting, multi-tenant cloud environments, or poorly secured endpoints. The vulnerability could also be leveraged as part of a multi-stage attack to cause disruption or cover tracks by crashing systems.

Mitigation Recommendations

European organizations should ensure that their Linux kernels include the patch that calls pm_runtime_barrier() after pm_runtime_get_sync() in pci_device_remove(), which eliminates the race condition. System administrators should:

1) Apply the latest Linux kernel updates from trusted sources promptly, especially on kernels used in production environments.
2) Audit the PCI drivers in use, particularly rtsx_pcr and any others that implement .runtime_idle() callbacks, and verify that the running kernel has incorporated the recommended synchronization fix.
3) Limit local access to critical Linux systems by enforcing strict access controls, using multi-factor authentication, and monitoring for unauthorized login attempts.
4) Implement kernel crash monitoring and automated recovery mechanisms to reduce downtime after unexpected crashes.
5) Where patching is delayed, consider disabling runtime power management for the affected devices as a temporary workaround, accepting the trade-off in power consumption.
6) Confirm with Linux distribution vendors or maintainers that the fix is included in their kernel packages and backported to supported versions.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T12:19:12.342Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d982ac4522896dcbe3520

Added to database: 5/21/2025, 9:08:58 AM

Last enriched: 6/29/2025, 4:10:27 PM

Last updated: 7/31/2025, 3:04:54 PM
