CVE-2025-38623
EUVD-2025-2557822.08.2025, 16:15
In the Linux kernel, the following vulnerability has been resolved:
PCI: pnv_php: Fix surprise plug detection and recovery
The existing PowerNV hotplug code did not handle surprise plug events
correctly, leading to a complete failure of the hotplug system after device
removal and a required reboot to detect new devices.
This comes down to two issues:
1) When a device is surprise removed, often the bridge upstream
port will cause a PE freeze on the PHB. If this freeze is not
cleared, the MSI interrupts from the bridge hotplug notification
logic will not be received by the kernel, stalling all plug events
on all slots associated with the PE.
2) When a device is removed from a slot, regardless of surprise or
programmatic removal, the associated PHB/PE ls left frozen.
If this freeze is not cleared via a fundamental reset, skiboot
is unable to clear the freeze and cannot retrain / rescan the
slot. This also requires a reboot to clear the freeze and redetect
the device in the slot.
Issue the appropriate unfreeze and rescan commands on hotplug events,
and don't oops on hotplug if pci_bus_to_OF_node() returns NULL.
[bhelgaas: tidy comments]EnginsightAffected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 4.9 ≤ 𝑥 < 5.10.241 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.190 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.1.148 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.102 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.42 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.15.10 |
| linux | linux_kernel | 6.16 ≤ 𝑥 < 6.16.1 |
| debian | debian_linux | 11.0 |
𝑥
= Vulnerable software versions
Debian Releases
References