CVE-2024-27009 – s390/cio: fix race condition during online processing
https://notcve.org/view.php?id=CVE-2024-27009
In the Linux kernel, the following vulnerability has been resolved: s390/cio: fix race condition during online processing A race condition exists in ccw_device_set_online() that can cause the online process to fail, leaving the affected device in an inconsistent state. As a result, subsequent attempts to set that device online fail with return code ENODEV. The problem occurs when a path verification request arrives after a wait for final device state completed, but before the result state is evaluated. Fix this by ensuring that the CCW-device lock is held between determining final state and checking result state. Note that since: commit 2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers") path verification requests are much more likely to occur during boot, resulting in an increased chance of this race condition occurring. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: s390/cio: corrige la condición de ejecución durante el procesamiento en línea Existe una condición de ejecución en ccw_device_set_online() que puede causar que el proceso en línea falle, dejando el dispositivo afectado en un estado inconsistente. Como resultado, los intentos posteriores de configurar ese dispositivo en línea fallan con el código de retorno ENODEV. El problema se produce cuando llega una solicitud de verificación de ruta después de que se complete la espera hasta que se complete el estado final del dispositivo, pero antes de que se evalúe el estado del resultado. • https://git.kernel.org/stable/c/2297791c92d04a154ad29ba5a073f9f627982110 https://git.kernel.org/stable/c/3076b3c38a704e10df5e143c213653309d532538 https://git.kernel.org/stable/c/559f3a6333397ab6cd4a696edd65a70b6be62c6e https://git.kernel.org/stable/c/2df56f4ea769ff81e51bbb05699989603bde9c49 https://git.kernel.org/stable/c/a4234decd0fe429832ca81c4637be7248b88b49e https://git.kernel.org/stable/c/2d8527f2f911fab84aec04df4788c0c23af3df48 •
CVE-2024-27008 – drm: nv04: Fix out of bounds access
https://notcve.org/view.php?id=CVE-2024-27008
In the Linux kernel, the following vulnerability has been resolved: drm: nv04: Fix out of bounds access When Output Resource (dcb->or) value is assigned in fabricate_dcb_output(), there may be out of bounds access to dac_users array in case dcb->or is zero because ffs(dcb->or) is used as index there. The 'or' argument of fabricate_dcb_output() must be interpreted as a number of bit to set, not value. Utilize macros from 'enum nouveau_or' in calls instead of hardcoding. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm: nv04: corregir el acceso fuera de los límites Cuando se asigna el valor del recurso de salida (dcb->or) en fabricate_dcb_output(), puede haber acceso fuera de los límites a la matriz dac_users en caso de que dcb->or es cero porque ffs(dcb->or) se usa como índice allí. El argumento 'o' de fabricate_dcb_output() debe interpretarse como un número de bits a configurar, no como un valor. Utilice macros de 'enum nouveau_or' en las llamadas en lugar de codificarlas. Encontrado por el Centro de verificación de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/2e5702aff39532662198459726c624d5eadbdd78 https://git.kernel.org/stable/c/c2b97f26f081ceec3298151481687071075a25cb https://git.kernel.org/stable/c/5050ae879a828d752b439e3827aac126709da6d1 https://git.kernel.org/stable/c/097c7918fcfa1dee233acfd1f3029f00c3bc8062 https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04 https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042 https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a8 •
CVE-2024-27005 – interconnect: Don't access req_list while it's being manipulated
https://notcve.org/view.php?id=CVE-2024-27005
In the Linux kernel, the following vulnerability has been resolved: interconnect: Don't access req_list while it's being manipulated The icc_lock mutex was split into separate icc_lock and icc_bw_lock mutexes in [1] to avoid lockdep splats. However, this didn't adequately protect access to icc_node::req_list. The icc_set_bw() function will eventually iterate over req_list while only holding icc_bw_lock, but req_list can be modified while only holding icc_lock. This causes races between icc_set_bw(), of_icc_get(), and icc_put(). Example A: CPU0 CPU1 ---- ---- icc_set_bw(path_a) mutex_lock(&icc_bw_lock); icc_put(path_b) mutex_lock(&icc_lock); aggregate_requests() hlist_for_each_entry(r, ... hlist_del(... <r = invalid pointer> Example B: CPU0 CPU1 ---- ---- icc_set_bw(path_a) mutex_lock(&icc_bw_lock); path_b = of_icc_get() of_icc_get_by_index() mutex_lock(&icc_lock); path_find() path_init() aggregate_requests() hlist_for_each_entry(r, ... hlist_add_head(... <r = invalid pointer> Fix this by ensuring icc_bw_lock is always held before manipulating icc_node::req_list. The additional places icc_bw_lock is held don't perform any memory allocations, so we should still be safe from the original lockdep splats that motivated the separate locks. [1] commit af42269c3523 ("interconnect: Fix locking for runpm vs reclaim") En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: interconexión: no acceder a req_list mientras se está manipulando. El mutex icc_lock se dividió en mutex icc_lock e icc_bw_lock separados en [1] para evitar símbolos de bloqueo. • https://git.kernel.org/stable/c/af42269c3523492d71ebbe11fefae2653e9cdc78 https://git.kernel.org/stable/c/9be2957f014d91088db1eb5dd09d9a03d7184dce https://git.kernel.org/stable/c/fe549d8e976300d0dd75bd904eb216bed8b145e0 https://git.kernel.org/stable/c/ee42bfc791aa3cd78e29046f26a09d189beb3efb https://git.kernel.org/stable/c/19ec82b3cad1abef2a929262b8c1528f4e0c192d https://git.kernel.org/stable/c/2f3a124696d43de3c837f87a9f767c56ee86cf2a https://git.kernel.org/stable/c/d0d04efa2e367921654b5106cc5c05e3757c2b42 https://git.kernel.org/stable/c/4c65507121ea8e0b47fae6d2049c86883 •
CVE-2024-27004 – clk: Get runtime PM before walking tree during disable_unused
https://notcve.org/view.php?id=CVE-2024-27004
In the Linux kernel, the following vulnerability has been resolved: clk: Get runtime PM before walking tree during disable_unused Doug reported [1] the following hung task: INFO: task swapper/0:1 blocked for more than 122 seconds. Not tainted 5.15.149-21875-gf795ebc40eb8 #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00000008 Call trace: __switch_to+0xf4/0x1f4 __schedule+0x418/0xb80 schedule+0x5c/0x10c rpm_resume+0xe0/0x52c rpm_resume+0x178/0x52c __pm_runtime_resume+0x58/0x98 clk_pm_runtime_get+0x30/0xb0 clk_disable_unused_subtree+0x58/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused+0x4c/0xe4 do_one_initcall+0xcc/0x2d8 do_initcall_level+0xa4/0x148 do_initcalls+0x5c/0x9c do_basic_setup+0x24/0x30 kernel_init_freeable+0xec/0x164 kernel_init+0x28/0x120 ret_from_fork+0x10/0x20 INFO: task kworker/u16:0:9 blocked for more than 122 seconds. Not tainted 5.15.149-21875-gf795ebc40eb8 #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u16:0 state:D stack: 0 pid: 9 ppid: 2 flags:0x00000008 Workqueue: events_unbound deferred_probe_work_func Call trace: __switch_to+0xf4/0x1f4 __schedule+0x418/0xb80 schedule+0x5c/0x10c schedule_preempt_disabled+0x2c/0x48 __mutex_lock+0x238/0x488 __mutex_lock_slowpath+0x1c/0x28 mutex_lock+0x50/0x74 clk_prepare_lock+0x7c/0x9c clk_core_prepare_lock+0x20/0x44 clk_prepare+0x24/0x30 clk_bulk_prepare+0x40/0xb0 mdss_runtime_resume+0x54/0x1c8 pm_generic_runtime_resume+0x30/0x44 __genpd_runtime_resume+0x68/0x7c genpd_runtime_resume+0x108/0x1f4 __rpm_callback+0x84/0x144 rpm_callback+0x30/0x88 rpm_resume+0x1f4/0x52c rpm_resume+0x178/0x52c __pm_runtime_resume+0x58/0x98 __device_attach+0xe0/0x170 device_initial_probe+0x1c/0x28 bus_probe_device+0x3c/0x9c device_add+0x644/0x814 mipi_dsi_device_register_full+0xe4/0x170 devm_mipi_dsi_device_register_full+0x28/0x70 ti_sn_bridge_probe+0x1dc/0x2c0 auxiliary_bus_probe+0x4c/0x94 really_probe+0xcc/0x2c8 __driver_probe_device+0xa8/0x130 driver_probe_device+0x48/0x110 __device_attach_driver+0xa4/0xcc bus_for_each_drv+0x8c/0xd8 __device_attach+0xf8/0x170 device_initial_probe+0x1c/0x28 bus_probe_device+0x3c/0x9c deferred_probe_work_func+0x9c/0xd8 process_one_work+0x148/0x518 worker_thread+0x138/0x350 kthread+0x138/0x1e0 ret_from_fork+0x10/0x20 The first thread is walking the clk tree and calling clk_pm_runtime_get() to power on devices required to read the clk hardware via struct clk_ops::is_enabled(). This thread holds the clk prepare_lock, and is trying to runtime PM resume a device, when it finds that the device is in the process of resuming so the thread schedule()s away waiting for the device to finish resuming before continuing. The second thread is runtime PM resuming the same device, but the runtime resume callback is calling clk_prepare(), trying to grab the prepare_lock waiting on the first thread. This is a classic ABBA deadlock. To properly fix the deadlock, we must never runtime PM resume or suspend a device with the clk prepare_lock held. Actually doing that is near impossible today because the global prepare_lock would have to be dropped in the middle of the tree, the device runtime PM resumed/suspended, and then the prepare_lock grabbed again to ensure consistency of the clk tree topology. • https://git.kernel.org/stable/c/9a34b45397e5a389e25a0c5d39983300d040e5e2 https://git.kernel.org/stable/c/253ab38d1ee652a596942156978a233970d185ba https://git.kernel.org/stable/c/4af115f1a20a3d9093586079206ee37c2ac55123 https://git.kernel.org/stable/c/a29ec0465dce0b871003698698ac6fa92c9a5034 https://git.kernel.org/stable/c/a424e713e0cc33d4b969cfda25b9f46df4d7b5bc https://git.kernel.org/stable/c/60ff482c4205a5aac3b0595ab794cfd62295dab5 https://git.kernel.org/stable/c/115554862294397590088ba02f11f2aba6d5016c https://git.kernel.org/stable/c/e581cf5d216289ef292d1a4036d53ce90 •
CVE-2024-27002 – clk: mediatek: Do a runtime PM get on controllers during probe
https://notcve.org/view.php?id=CVE-2024-27002
In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: Do a runtime PM get on controllers during probe mt8183-mfgcfg has a mutual dependency with genpd during the probing stage, which leads to a deadlock in the following call stack: CPU0: genpd_lock --> clk_prepare_lock genpd_power_off_work_fn() genpd_lock() generic_pm_domain::power_off() clk_unprepare() clk_prepare_lock() CPU1: clk_prepare_lock --> genpd_lock clk_register() __clk_core_init() clk_prepare_lock() clk_pm_runtime_get() genpd_lock() Do a runtime PM get at the probe function to make sure clk_register() won't acquire the genpd lock. Instead of only modifying mt8183-mfgcfg, do this on all mediatek clock controller probings because we don't believe this would cause any regression. Verified on MT8183 and MT8192 Chromebooks. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: clk: mediatek: realice un PM en tiempo de ejecución en los controladores durante la prueba mt8183-mfgcfg tiene una dependencia mutua con genpd durante la etapa de prueba, lo que conduce a un punto muerto en la siguiente pila de llamadas: CPU0: genpd_lock --> clk_prepare_lock genpd_power_off_work_fn() genpd_lock() generic_pm_domain::power_off() clk_unprepare() clk_prepare_lock() CPU1: clk_prepare_lock --> genpd_lock clk_register() __clk_core_init() clk_prepare_lock() clk_pm_runtime_get() genpd_lock() Hacer un tiempo de ejecución PM acceda a la función de sonda para asegurarse de que clk_register() no adquiera el bloqueo genpd. En lugar de modificar únicamente mt8183-mfgcfg, haga esto en todas las pruebas del controlador de reloj mediatek porque no creemos que esto cause ninguna regresión. Verificado en Chromebooks MT8183 y MT8192. • https://git.kernel.org/stable/c/acddfc2c261b3653ab1c1b567a427299bac20d31 https://git.kernel.org/stable/c/165d226472575b213dd90dfda19d1605dd7c19a8 https://git.kernel.org/stable/c/c0dcd5c072e2a3fff886f673e6a5d9bf8090c4cc https://git.kernel.org/stable/c/b62ed25feb342eab052822eff0c554873799a4f5 https://git.kernel.org/stable/c/2f7b1d8b5505efb0057cd1ab85fca206063ea4c3 •