In the Linux kernel, the following vulnerability has been resolved:

PCI: Add missing bridge lock to pci_bus_lock()

One of the true positives that the cfg_access_lock lockdep effort identified is this sequence:

  WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70
  RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70
  Call Trace:
   <TASK>
   ? __warn+0x8c/0x190
   ? pci_bridge_secondary_bus_reset+0x5d/0x70
   ? report_bug+0x1f8/0x200
   ? handle_bug+0x3c/0x70
   ? exc_invalid_op+0x18/0x70
   ? asm_exc_invalid_op+0x1a/0x20
   ? pci_bridge_secondary_bus_reset+0x5d/0x70
   pci_reset_bus+0x1d8/0x270
   vmd_probe+0x778/0xa10
   pci_device_probe+0x95/0x120

Where pci_reset_bus() users are triggering unlocked secondary bus resets. Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses pci_bus_lock() before issuing the reset which locks everything *but* the bridge itself.

For the same motivation as adding:

  bridge = pci_upstream_bridge(dev);
  if (bridge)
    pci_dev_lock(bridge);

to pci_reset_function() for the "bus" and "cxl_bus" reset cases, add pci_dev_lock() for @bus->self to pci_bus_lock().

[bhelgaas: squash in recursive locking deadlock fix from Keith Busch: https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]
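The locking gap described above, as an added user-space model in C (not kernel code and not part of the original commit). A counter stands in for each device lock, the names bus_lock, run and the three modes are hypothetical, and the NAIVE shape is an assumption about how adding the bridge lock alone could take a nested bridge twice, the kind of recursive locking the squashed fix is said to address.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: a counter stands in for each device's lock, so a
 * count of 2 marks where a real non-recursive lock would deadlock. */
struct bus;
struct dev { int locks; struct bus *subordinate; }; /* bridge if != NULL */
struct bus { struct dev *self; struct dev *devs[2]; size_t n; };
enum mode { OLD, NAIVE, FIXED }; /* hypothetical names for the three shapes */

static void bus_lock(struct bus *b, enum mode m)
{
    if (m != OLD)
        b->self->locks++;   /* the added lock on the bridge (@bus->self) */
    for (size_t i = 0; i < b->n; i++) {
        struct dev *d = b->devs[i];
        /* FIXED: a child bridge is taken by the recursive call, as the
         * self of its own subordinate bus, so it is skipped here. */
        if (m != FIXED || !d->subordinate)
            d->locks++;
        if (d->subordinate)
            bus_lock(d->subordinate, m);
    }
}

struct result { int top_bridge; int max; };

/* Topology: B0 -> bus0 { E0, B1 -> bus1 { E1 } }; the reset targets bus0. */
static struct result run(enum mode m)
{
    struct dev b0 = {0}, e0 = {0}, b1 = {0}, e1 = {0};
    struct bus bus1 = { &b1, { &e1 }, 1 };
    struct bus bus0 = { &b0, { &e0, &b1 }, 2 };
    struct dev *all[] = { &b0, &e0, &b1, &e1 };
    struct result r = { 0, 0 };

    b0.subordinate = &bus0;
    b1.subordinate = &bus1;
    bus_lock(&bus0, m);
    r.top_bridge = b0.locks;   /* 0 means the reset runs on an unlocked bridge */
    for (size_t i = 0; i < 4; i++)
        if (all[i]->locks > r.max)
            r.max = all[i]->locks;
    return r;
}

int main(void)
{
    for (int m = OLD; m <= FIXED; m++)
        printf("mode %d: bridge=%d max=%d\n", m, run(m).top_bridge, run(m).max);
    return 0;
}
```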