CVE-2024-56699: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-56699 addresses a potential double removal vulnerability in the Linux kernel's s390/pci subsystem. The issue was discovered in the hotplug slot removal functionality, specifically in the zpcireleasedevice() function. The vulnerability was introduced in commit 6ee600bfbe0f when the zpciexitslot() function was moved from zpcidevicereserved() to zpcireleasedevice() (Kernel Commit).

The vulnerability stems from the zpcireleasedevice() function containing code to tear down both configured and standby states, despite only being called when all references are dropped and the device is in a reserved state. For the standby case, this includes the removal of the hotplug slot, which could cause a double removal if a device was removed in either configured or standby state. The fix implements a WARN_ON() check for devices in non-reserved states and removes the redundant code cases (Kernel Commit).

If exploited, this vulnerability could lead to system instability or potential crashes when removing PCI devices on s390 systems, particularly during hotplug operations. The issue specifically affects the zPCI subsystem's device removal process (NVD).

The issue has been fixed in the Linux kernel through a patch that adds explicit state checking and removes redundant code paths. Users should update their kernel to a version containing the fix. The patch has been reviewed by Matthew Rosato and Gerd Bayer, and tested by Gerd Bayer (Kernel Commit).