CVE-2024-42302: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-42302 is a use-after-free vulnerability discovered in the Linux kernel's PCI/DPC (Downstream Port Containment) subsystem. The vulnerability was identified when a DPC event occurs concurrently with hot-removal of the same portion of the hierarchy. The issue affects Linux kernel versions from 5.10 up to versions before 5.10.224, 5.15.165, 6.1.103, 6.6.44, and 6.10.3. The vulnerability was disclosed on August 17, 2024, and received a CVSS v3.1 base score of 7.8 (HIGH) (NVD).

The vulnerability occurs in the pcibridgewaitforsecondarybus() function when it polls the config space of the first child device on the secondary bus. If that child device is concurrently removed, accesses to its struct pcidev cause a kernel oops due to the function neglecting to hold a reference on the child device. The issue was introduced in v6.3 when the function began being called on DPC events through commit 53b54ad074de. Prior to v6.3, the function was only called during system sleep resume or runtime resume, where concurrent execution wasn't possible (Kernel Patch).

When successfully exploited, this vulnerability can cause a denial of service condition through a kernel crash. The vulnerability requires local access and low privileges to exploit, but can result in high impacts to confidentiality, integrity, and availability of the system as indicated by its CVSS metrics (NVD).

The vulnerability has been fixed by adding proper reference counting for the child device in the pcibridgewaitforsecondarybus() function. System administrators should update to Linux kernel versions 5.10.224, 5.15.165, 6.1.103, 6.6.44, or 6.10.3 or later to address this vulnerability. The fix involves adding missing reference acquisition using pcidevget() and corresponding pcidev_put() calls (Kernel Patch).