
Description

In the Linux kernel, the following vulnerability has been resolved:

PCI: Fix use-after-free in pci_bus_release_domain_nr()

Commit c14f7ccc9f5d ("PCI: Assign PCI domain IDs by ida_alloc()") introduced a use-after-free bug in the bus removal cleanup. The issue was found with kfence:

[ 19.293351] BUG: KFENCE: use-after-free read in pci_bus_release_domain_nr+0x10/0x70
[ 19.302817] Use-after-free read at 0x000000007f3b80eb (in kfence-#115):
[ 19.309677] pci_bus_release_domain_nr+0x10/0x70
[ 19.309691] dw_pcie_host_deinit+0x28/0x78
[ 19.309702] tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194]
[ 19.309734] tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194]
[ 19.309752] platform_probe+0x90/0xd8
...
[ 19.311457] kfence-#115: 0x00000000063a155a-0x00000000ba698da8, size=1072, cache=kmalloc-2k
[ 19.311469] allocated by task 96 on cpu 10 at 19.279323s:
[ 19.311562] __kmem_cache_alloc_node+0x260/0x278
[ 19.311571] kmalloc_trace+0x24/0x30
[ 19.311580] pci_alloc_bus+0x24/0xa0
[ 19.311590] pci_register_host_bridge+0x48/0x4b8
[ 19.311601] pci_scan_root_bus_bridge+0xc0/0xe8
[ 19.311613] pci_host_probe+0x18/0xc0
[ 19.311623] dw_pcie_host_init+0x2c0/0x568
[ 19.311630] tegra_pcie_dw_probe+0x610/0xb28 [pcie_tegra194]
[ 19.311647] platform_probe+0x90/0xd8
...
[ 19.311782] freed by task 96 on cpu 10 at 19.285833s:
[ 19.311799] release_pcibus_dev+0x30/0x40
[ 19.311808] device_release+0x30/0x90
[ 19.311814] kobject_put+0xa8/0x120
[ 19.311832] device_unregister+0x20/0x30
[ 19.311839] pci_remove_bus+0x78/0x88
[ 19.311850] pci_remove_root_bus+0x5c/0x98
[ 19.311860] dw_pcie_host_deinit+0x28/0x78
[ 19.311866] tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194]
[ 19.311883] tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194]
[ 19.311900] platform_probe+0x90/0xd8
...
[ 19.313579] CPU: 10 PID: 96 Comm: kworker/u24:2 Not tainted 6.2.0 #4
[ 19.320171] Hardware name: /, BIOS 1.0-d7fb19b 08/10/2022
[ 19.325852] Workqueue: events_unbound deferred_probe_work_func

The stack trace is a bit misleading as dw_pcie_host_deinit() doesn't directly call pci_bus_release_domain_nr(). The issue turns out to be in pci_remove_root_bus() which first calls pci_remove_bus() which frees the struct pci_bus when its struct device is released. Then pci_bus_release_domain_nr() is called and accesses the freed struct pci_bus. Reordering these fixes the issue.
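The ordering bug described in the commit message, modelled in plain C as an added example (this is not kernel code): struct pci_bus, the domain-ID ida and KFENCE's quarantine are constructed stand-ins, and the two pci_remove_root_bus variants differ only in the order of the two calls the text names.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for struct pci_bus with only the fields this bug touches;
 * refcount models the embedded struct device's kobject reference. */
struct pci_bus { int domain_nr; int refcount; };
static unsigned char domain_in_use[256]; /* models the domain-ID ida */
static struct pci_bus *quarantined;      /* models KFENCE: a freed object is kept */
static int uaf_detected;                 /* aside, never reused, and reads are caught */

static struct pci_bus *pci_alloc_bus(int domain)
{
    struct pci_bus *b = calloc(1, sizeof *b);
    b->domain_nr = domain; b->refcount = 1;
    domain_in_use[domain] = 1; /* stands in for ida_alloc() */
    return b;
}

/* pci_remove_bus(): dropping the last reference runs release_pcibus_dev(), which
 * frees struct pci_bus. Poison the object the way a debug allocator would. */
static void pci_remove_bus(struct pci_bus *b)
{
    if (--b->refcount == 0) { memset(b, 0xAA, sizeof *b); quarantined = b; }
}

static void pci_bus_release_domain_nr(struct pci_bus *b)
{
    if (b == quarantined) { uaf_detected = 1; return; } /* the read KFENCE reported */
    domain_in_use[b->domain_nr] = 0;                    /* stands in for ida_free() */
}

/* Ordering introduced by c14f7ccc9f5d: the bus is freed, then dereferenced. */
static void pci_remove_root_bus_buggy(struct pci_bus *b)
{ pci_remove_bus(b); pci_bus_release_domain_nr(b); }

/* Fixed ordering: give the domain ID back while the bus is still alive. */
static void pci_remove_root_bus_fixed(struct pci_bus *b)
{ pci_bus_release_domain_nr(b); pci_remove_bus(b); }

/* Runs one root-bus removal on a fresh bus in domain 3 and returns a bitmask:
 * bit 0 = a use-after-free read was caught, bit 1 = domain 3 was never released. */
static int run_removal(int fixed)
{
    free(quarantined); quarantined = NULL; uaf_detected = 0;
    memset(domain_in_use, 0, sizeof domain_in_use);
    struct pci_bus *b = pci_alloc_bus(3);
    if (fixed) pci_remove_root_bus_fixed(b); else pci_remove_root_bus_buggy(b);
    return (uaf_detected ? 1 : 0) | (domain_in_use[3] ? 2 : 0);
}
```

With the buggy order the poisoned struct is read and the domain ID is also leaked, since ida_free() never sees a valid domain_nr; the fixed order trips neither condition.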

PUBLISHED Reserved 2025-09-17 | Published 2025-09-17 | Updated 2025-09-17 | Assigner Linux

Product status

Default status
unaffected

f8b6bd6c04d4dfc4c200e6fa306e61e3b42ec5fc (git) before 52b0343c7d628f37b38e3279ba585526b850ad3b
affected

db273126bf548a2dc611372e8f6a817b2b16b563 (git) before ad367516b1c09317111255ecfbf5e42c33e31918
affected

ead4d69b3ef047b0f670511d81e9ced7ac876b44 (git) before fbf45385e3419b8698b5e0a434847072375cfec2
affected

c14f7ccc9f5dcf9d06ddeec706f85405b2c80600 (git) before 07a75c0050e59c50f038cc5f4e2a3258c8f8c9d0
affected

c14f7ccc9f5dcf9d06ddeec706f85405b2c80600 (git) before 30ba2d09edb5ea857a1473ae3d820911347ada62
affected

Default status
affected

6.2
affected

Any version before 6.2
unaffected

6.2.12 (semver)
unaffected

6.3 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/52b0343c7d628f37b38e3279ba585526b850ad3b

git.kernel.org/...c/ad367516b1c09317111255ecfbf5e42c33e31918

git.kernel.org/...c/fbf45385e3419b8698b5e0a434847072375cfec2

git.kernel.org/...c/07a75c0050e59c50f038cc5f4e2a3258c8f8c9d0

git.kernel.org/...c/30ba2d09edb5ea857a1473ae3d820911347ada62

cve.org (CVE-2023-53363)

nvd.nist.gov (CVE-2023-53363)
