CVE-2024-27010 – net/sched: Fix mirred deadlock on device recursion
https://notcve.org/view.php?id=CVE-2024-27010
In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix mirred deadlock on device recursion When the mirred action is used on a classful egress qdisc and a packet is mirrored or redirected to self we hit a qdisc lock deadlock. See trace below. [..... other info removed for brevity....] [ 82.890906] [ 82.890906] ============================================ [ 82.890906] WARNING: possible recursive locking detected [ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W [ 82.890906] -------------------------------------------- [ 82.890906] ping/418 is trying to acquire lock: [ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at: __dev_queue_xmit+0x1778/0x3550 [ 82.890906] [ 82.890906] but task is already holding lock: [ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at: __dev_queue_xmit+0x1778/0x3550 [ 82.890906] [ 82.890906] other info that might help us debug this: [ 82.890906] Possible unsafe locking scenario: [ 82.890906] [ 82.890906] CPU0 [ 82.890906] ---- [ 82.890906] lock(&sch->q.lock); [ 82.890906] lock(&sch->q.lock); [ 82.890906] [ 82.890906] *** DEADLOCK *** [ 82.890906] [..... other info removed for brevity....] Example setup (eth0->eth0) to recreate tc qdisc add dev eth0 root handle 1: htb default 30 tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \ action mirred egress redirect dev eth0 Another example(eth0->eth1->eth0) to recreate tc qdisc add dev eth0 root handle 1: htb default 30 tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \ action mirred egress redirect dev eth1 tc qdisc add dev eth1 root handle 1: htb default 30 tc filter add dev eth1 handle 1: protocol ip prio 2 matchall \ action mirred egress redirect dev eth0 We fix this by adding an owner field (CPU id) to struct Qdisc set after root qdisc is entered. When the softirq enters it a second time, if the qdisc owner is the same CPU, the packet is dropped to break the loop. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net/sched: corrige el punto muerto reflejado en la recursividad del dispositivo Cuando la acción reflejada se utiliza en una qdisc de salida con clase y un paquete se refleja o redirige a uno mismo, llegamos a un punto muerto de bloqueo de qdisc. Vea el rastro a continuación. [..... otra información eliminada por brevedad....] [ 82.890906] [ 82.890906] ============================= ================ [82.890906] ADVERTENCIA: posible bloqueo recursivo detectado [82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Contaminado: GW [82.890906] ----- --------------------------------------- [ 82.890906] ping/418 está intentando adquirir el bloqueo : [ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, en: __dev_queue_xmit+0x1778/0x3550 [ 82.890906] [ 82.890906] pero la tarea ya mantiene el bloqueo: [ 82.890906] 88006994110 (&sch->q.lock){+.-.}-{3:3}, en: __dev_queue_xmit+0x1778/0x3550 [ 82.890906] [ 82.890906] otra información que podría ayudarnos a depurar esto: [ 82.890906] Posible escenario de bloqueo inseguro : [ 82.890906] [ 82.890906] CPU0 [ 82.890906] ---- [ 82.890906] bloqueo(&sch->q.lock); [ 82.890906] bloqueo(&sch->q.lock); [ 82.890906] [ 82.890906] *** DEADLOCK *** [ 82.890906] [..... otra información eliminada por brevedad....] Ejemplo de configuración (eth0->eth0) para recrear tc qdisc agregar dev eth0 identificador raíz 1 : htb default 30 tc filter add dev eth0 handle 1: protocolo ip prio 2 matchall \ action mirred egress redirigir dev eth0 Otro ejemplo (eth0->eth1->eth0) para recrear tc qdisc add dev eth0 root handle 1: htb default 30 tc filtro agregar dev eth0 identificador 1: protocolo ip prio 2 matchall \ acción redirección de salida reflejada dev eth1 tc qdisc agregar dev eth1 identificador raíz 1: htb predeterminado 30 tc filtro agregar dev eth1 identificador 1: protocolo ip prio 2 matchall \ acción duplicada redirección de salida dev eth0 Solucionamos esto agregando un campo de propietario (ID de CPU) a la estructura Qdisc establecida después de ingresar la qdisc raíz. • https://git.kernel.org/stable/c/e578d9c02587d57bfa7b560767c698a668a468c6 https://git.kernel.org/stable/c/e6b90468da4dae2281a6e381107f411efb48b0ef https://git.kernel.org/stable/c/0f022d32c3eca477fbf79a205243a6123ed0fe11 https://access.redhat.com/security/cve/CVE-2024-27010 https://bugzilla.redhat.com/show_bug.cgi?id=2278279 •
CVE-2024-27008 – drm: nv04: Fix out of bounds access
https://notcve.org/view.php?id=CVE-2024-27008
In the Linux kernel, the following vulnerability has been resolved: drm: nv04: Fix out of bounds access When Output Resource (dcb->or) value is assigned in fabricate_dcb_output(), there may be out of bounds access to dac_users array in case dcb->or is zero because ffs(dcb->or) is used as index there. The 'or' argument of fabricate_dcb_output() must be interpreted as a number of bit to set, not value. Utilize macros from 'enum nouveau_or' in calls instead of hardcoding. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm: nv04: corregir el acceso fuera de los límites Cuando se asigna el valor del recurso de salida (dcb->or) en fabricate_dcb_output(), puede haber acceso fuera de los límites a la matriz dac_users en caso de que dcb->or es cero porque ffs(dcb->or) se usa como índice allí. El argumento 'o' de fabricate_dcb_output() debe interpretarse como un número de bits a configurar, no como un valor. Utilice macros de 'enum nouveau_or' en las llamadas en lugar de codificarlas. Encontrado por el Centro de verificación de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/2e5702aff39532662198459726c624d5eadbdd78 https://git.kernel.org/stable/c/c2b97f26f081ceec3298151481687071075a25cb https://git.kernel.org/stable/c/5050ae879a828d752b439e3827aac126709da6d1 https://git.kernel.org/stable/c/097c7918fcfa1dee233acfd1f3029f00c3bc8062 https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04 https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042 https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a8 •
CVE-2024-27004 – clk: Get runtime PM before walking tree during disable_unused
https://notcve.org/view.php?id=CVE-2024-27004
In the Linux kernel, the following vulnerability has been resolved: clk: Get runtime PM before walking tree during disable_unused Doug reported [1] the following hung task: INFO: task swapper/0:1 blocked for more than 122 seconds. Not tainted 5.15.149-21875-gf795ebc40eb8 #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00000008 Call trace: __switch_to+0xf4/0x1f4 __schedule+0x418/0xb80 schedule+0x5c/0x10c rpm_resume+0xe0/0x52c rpm_resume+0x178/0x52c __pm_runtime_resume+0x58/0x98 clk_pm_runtime_get+0x30/0xb0 clk_disable_unused_subtree+0x58/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused+0x4c/0xe4 do_one_initcall+0xcc/0x2d8 do_initcall_level+0xa4/0x148 do_initcalls+0x5c/0x9c do_basic_setup+0x24/0x30 kernel_init_freeable+0xec/0x164 kernel_init+0x28/0x120 ret_from_fork+0x10/0x20 INFO: task kworker/u16:0:9 blocked for more than 122 seconds. Not tainted 5.15.149-21875-gf795ebc40eb8 #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u16:0 state:D stack: 0 pid: 9 ppid: 2 flags:0x00000008 Workqueue: events_unbound deferred_probe_work_func Call trace: __switch_to+0xf4/0x1f4 __schedule+0x418/0xb80 schedule+0x5c/0x10c schedule_preempt_disabled+0x2c/0x48 __mutex_lock+0x238/0x488 __mutex_lock_slowpath+0x1c/0x28 mutex_lock+0x50/0x74 clk_prepare_lock+0x7c/0x9c clk_core_prepare_lock+0x20/0x44 clk_prepare+0x24/0x30 clk_bulk_prepare+0x40/0xb0 mdss_runtime_resume+0x54/0x1c8 pm_generic_runtime_resume+0x30/0x44 __genpd_runtime_resume+0x68/0x7c genpd_runtime_resume+0x108/0x1f4 __rpm_callback+0x84/0x144 rpm_callback+0x30/0x88 rpm_resume+0x1f4/0x52c rpm_resume+0x178/0x52c __pm_runtime_resume+0x58/0x98 __device_attach+0xe0/0x170 device_initial_probe+0x1c/0x28 bus_probe_device+0x3c/0x9c device_add+0x644/0x814 mipi_dsi_device_register_full+0xe4/0x170 devm_mipi_dsi_device_register_full+0x28/0x70 ti_sn_bridge_probe+0x1dc/0x2c0 auxiliary_bus_probe+0x4c/0x94 really_probe+0xcc/0x2c8 __driver_probe_device+0xa8/0x130 driver_probe_device+0x48/0x110 __device_attach_driver+0xa4/0xcc bus_for_each_drv+0x8c/0xd8 __device_attach+0xf8/0x170 device_initial_probe+0x1c/0x28 bus_probe_device+0x3c/0x9c deferred_probe_work_func+0x9c/0xd8 process_one_work+0x148/0x518 worker_thread+0x138/0x350 kthread+0x138/0x1e0 ret_from_fork+0x10/0x20 The first thread is walking the clk tree and calling clk_pm_runtime_get() to power on devices required to read the clk hardware via struct clk_ops::is_enabled(). This thread holds the clk prepare_lock, and is trying to runtime PM resume a device, when it finds that the device is in the process of resuming so the thread schedule()s away waiting for the device to finish resuming before continuing. The second thread is runtime PM resuming the same device, but the runtime resume callback is calling clk_prepare(), trying to grab the prepare_lock waiting on the first thread. This is a classic ABBA deadlock. To properly fix the deadlock, we must never runtime PM resume or suspend a device with the clk prepare_lock held. Actually doing that is near impossible today because the global prepare_lock would have to be dropped in the middle of the tree, the device runtime PM resumed/suspended, and then the prepare_lock grabbed again to ensure consistency of the clk tree topology. • https://git.kernel.org/stable/c/9a34b45397e5a389e25a0c5d39983300d040e5e2 https://git.kernel.org/stable/c/253ab38d1ee652a596942156978a233970d185ba https://git.kernel.org/stable/c/4af115f1a20a3d9093586079206ee37c2ac55123 https://git.kernel.org/stable/c/a29ec0465dce0b871003698698ac6fa92c9a5034 https://git.kernel.org/stable/c/a424e713e0cc33d4b969cfda25b9f46df4d7b5bc https://git.kernel.org/stable/c/60ff482c4205a5aac3b0595ab794cfd62295dab5 https://git.kernel.org/stable/c/115554862294397590088ba02f11f2aba6d5016c https://git.kernel.org/stable/c/e581cf5d216289ef292d1a4036d53ce90 •
CVE-2024-27001 – comedi: vmk80xx: fix incomplete endpoint checking
https://notcve.org/view.php?id=CVE-2024-27001
In the Linux kernel, the following vulnerability has been resolved: comedi: vmk80xx: fix incomplete endpoint checking While vmk80xx does have endpoint checking implemented, some things can fall through the cracks. Depending on the hardware model, URBs can have either bulk or interrupt type, and current version of vmk80xx_find_usb_endpoints() function does not take that fully into account. While this warning does not seem to be too harmful, at the very least it will crash systems with 'panic_on_warn' set on them. Fix the issue found by Syzkaller [1] by somewhat simplifying the endpoint checking process with usb_find_common_endpoints() and ensuring that only expected endpoint types are present. This patch has not been tested on real hardware. [1] Syzkaller report: usb 1-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59 vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline] vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818 comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067 usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399 ... Similar issue also found by Syzkaller: En el kernel de Linux, se resolvió la siguiente vulnerabilidad: comedi: vmk80xx: corrige la verificación de endpoints incompleta Si bien vmk80xx tiene implementada la verificación de endpoints, algunas cosas pueden pasar desapercibidas. Dependiendo del modelo de hardware, las URB pueden tener un tipo masivo o de interrupción, y la versión actual de la función vmk80xx_find_usb_endpoints() no lo tiene completamente en cuenta. • https://git.kernel.org/stable/c/49253d542cc0f5f771dc254d248162a2a666649d https://git.kernel.org/stable/c/3a63ae0348d990e137cca04eced5b08379969ea9 https://git.kernel.org/stable/c/a3b8ae7e9297dd453f2977b011c5bc75eb20e71b https://git.kernel.org/stable/c/f15370e315976198f338b41611f37ce82af6cf54 https://git.kernel.org/stable/c/b0b268eeb087e324ef3ea71f8e6cabd07630517f https://git.kernel.org/stable/c/ac882d6b21bffecb57bcc4486701239eef5aa67b https://git.kernel.org/stable/c/59f33af9796160f851641d960bd93937f282c696 https://git.kernel.org/stable/c/6ec3514a7d35ad9cfab600187612c29f6 •
CVE-2024-27000 – serial: mxs-auart: add spinlock around changing cts state
https://notcve.org/view.php?id=CVE-2024-27000
In the Linux kernel, the following vulnerability has been resolved: serial: mxs-auart: add spinlock around changing cts state The uart_handle_cts_change() function in serial_core expects the caller to hold uport->lock. For example, I have seen the below kernel splat, when the Bluetooth driver is loaded on an i.MX28 board. [ 85.119255] ------------[ cut here ]------------ [ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec [ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs [ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1 [ 85.151396] Hardware name: Freescale MXS (Device Tree) [ 85.156679] Workqueue: hci0 hci_power_on [bluetooth] (...) [ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4 [ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210 (...) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: serial: mxs-auart: agrega spinlock para cambiar el estado de cts. La función uart_handle_cts_change() en serial_core espera que la persona que llama mantenga uport->lock. Por ejemplo, he visto el siguiente símbolo del kernel, cuando el controlador Bluetooth está cargado en una placa i.MX28. [85.119255] ------------[ cortar aquí ]------------ [ 85.124413] ADVERTENCIA: CPU: 0 PID: 27 en /drivers/tty/serial/ serial_core.c:3453 uart_handle_cts_change+0xb4/0xec [85.134694] Módulos vinculados en: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs [85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 No contaminado 6.6.3-00021-gd6 2a2f068f92 #1 [85.151396] Nombre de hardware: Freescale MXS (árbol de dispositivos) [85.156679] Cola de trabajo: hci0 hci_power_on [bluetooth] (...) [85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4 [ 85.198787] q_handle de __handle_irq_event_percpu+0x88/0x210 (.. .) • https://git.kernel.org/stable/c/4d90bb147ef6b91f529a21b498ff2b5fdc6785b4 https://git.kernel.org/stable/c/56434e295bd446142025913bfdf1587f5e1970ad https://git.kernel.org/stable/c/21535ef0ac1945080198fe3e4347ea498205c99a https://git.kernel.org/stable/c/0dc0637e6b16158af85945425821bfd0151adb37 https://git.kernel.org/stable/c/479244d68f5d94f3903eced52b093c1e01ddb495 https://git.kernel.org/stable/c/2c9b943e9924cf1269e44289bc5e60e51b0f5270 https://git.kernel.org/stable/c/5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37 https://git.kernel.org/stable/c/94b0e65c75f4af888ab2dd6c90f060f76 •