CVE-2024-26605: 
Linux Kernel vulnerability analysis and mitigation

A potential deadlock vulnerability was discovered in the Linux kernel version 6.7.0 when enabling Active State Power Management (ASPM) during probe of Qualcomm PCIe controllers. The issue was introduced by a last-minute revert in the 6.7-final release and is tracked as CVE-2024-26605. The vulnerability affects Linux kernel versions from 6.7.0 up to (excluding) 6.7.5 (Kernel Git).

The vulnerability occurs due to a recursive locking scenario with the PCI bus semaphore (pci_bus_sem). The deadlock happens when one thread already holds the lock and attempts to acquire it again during ASPM enablement. The issue can be reproduced on devices like the Lenovo ThinkPad X13s by adding a delay to increase the race window during asynchronous probe where another thread can take a write lock. The CVSS v3.1 base score for this vulnerability is 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a system deadlock when enabling ASPM during PCIe controller probe operations, potentially causing system unavailability or requiring a system restart. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (NVD).

The issue has been fixed by adding a new pci_set_power_state_locked() function and associated helper functions that can be called with the PCI bus semaphore held to avoid taking the read lock twice. The fix has been implemented in the Linux kernel through a patch that modifies the PCI subsystem's locking behavior (Kernel Git).