CVE-2024-26725 – dpll: fix possible deadlock during netlink dump operation
https://notcve.org/view.php?id=CVE-2024-26725
In the Linux kernel, the following vulnerability has been resolved: dpll: fix possible deadlock during netlink dump operation Recently, I've been hitting following deadlock warning during dpll pin dump: [52804.637962] ====================================================== [52804.638536] WARNING: possible circular locking dependency detected [52804.639111] 6.8.0-rc2jiri+ #1 Not tainted [52804.639529] ------------------------------------------------------ [52804.640104] python3/2984 is trying to acquire lock: [52804.640581] ffff88810e642678 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}, at: netlink_dump+0xb3/0x780 [52804.641417] but task is already holding lock: [52804.642010] ffffffff83bde4c8 (dpll_lock){+.+.}-{3:3}, at: dpll_lock_dumpit+0x13/0x20 [52804.642747] which lock already depends on the new lock. [52804.643551] the existing dependency chain (in reverse order) is: [52804.644259] -> #1 (dpll_lock){+.+.}-{3:3}: [52804.644836] lock_acquire+0x174/0x3e0 [52804.645271] __mutex_lock+0x119/0x1150 [52804.645723] dpll_lock_dumpit+0x13/0x20 [52804.646169] genl_start+0x266/0x320 [52804.646578] __netlink_dump_start+0x321/0x450 [52804.647056] genl_family_rcv_msg_dumpit+0x155/0x1e0 [52804.647575] genl_rcv_msg+0x1ed/0x3b0 [52804.648001] netlink_rcv_skb+0xdc/0x210 [52804.648440] genl_rcv+0x24/0x40 [52804.648831] netlink_unicast+0x2f1/0x490 [52804.649290] netlink_sendmsg+0x36d/0x660 [52804.649742] __sock_sendmsg+0x73/0xc0 [52804.650165] __sys_sendto+0x184/0x210 [52804.650597] __x64_sys_sendto+0x72/0x80 [52804.651045] do_syscall_64+0x6f/0x140 [52804.651474] entry_SYSCALL_64_after_hwframe+0x46/0x4e [52804.652001] -> #0 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}: [52804.652650] check_prev_add+0x1ae/0x1280 [52804.653107] __lock_acquire+0x1ed3/0x29a0 [52804.653559] lock_acquire+0x174/0x3e0 [52804.653984] __mutex_lock+0x119/0x1150 [52804.654423] netlink_dump+0xb3/0x780 [52804.654845] __netlink_dump_start+0x389/0x450 [52804.655321] genl_family_rcv_msg_dumpit+0x155/0x1e0 [52804.655842] genl_rcv_msg+0x1ed/0x3b0 [52804.656272] netlink_rcv_skb+0xdc/0x210 [52804.656721] genl_rcv+0x24/0x40 [52804.657119] netlink_unicast+0x2f1/0x490 [52804.657570] netlink_sendmsg+0x36d/0x660 [52804.658022] __sock_sendmsg+0x73/0xc0 [52804.658450] __sys_sendto+0x184/0x210 [52804.658877] __x64_sys_sendto+0x72/0x80 [52804.659322] do_syscall_64+0x6f/0x140 [52804.659752] entry_SYSCALL_64_after_hwframe+0x46/0x4e [52804.660281] other info that might help us debug this: [52804.661077] Possible unsafe locking scenario: [52804.661671] CPU0 CPU1 [52804.662129] ---- ---- [52804.662577] lock(dpll_lock); [52804.662924] lock(nlk_cb_mutex-GENERIC); [52804.663538] lock(dpll_lock); [52804.664073] lock(nlk_cb_mutex-GENERIC); [52804.664490] The issue as follows: __netlink_dump_start() calls control->start(cb) with nlk->cb_mutex held. In control->start(cb) the dpll_lock is taken. Then nlk->cb_mutex is released and taken again in netlink_dump(), while dpll_lock still being held. That leads to ABBA deadlock when another CPU races with the same operation. Fix this by moving dpll_lock taking into dumpit() callback which ensures correct lock taking order. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dpll: soluciona un posible punto muerto durante la operación de volcado de netlink Recientemente, he estado recibiendo la siguiente advertencia de punto muerto durante el volcado de pin de dpll: [52804.637962] =========== =========================================== [52804.638536] ADVERTENCIA: posible circular dependencia de bloqueo detectada [52804.639111] 6.8.0-rc2jiri+ #1 No contaminado [52804.639529] -------------------------------- ---------------------- [52804.640104] python3/2984 está intentando adquirir el bloqueo: [52804.640581] ffff88810e642678 (nlk_cb_mutex-GENERIC){+.+.}- {3:3}, en: netlink_dump+0xb3/0x780 [52804.641417] pero la tarea ya mantiene el bloqueo: [52804.642010] ffffffff83bde4c8 (dpll_lock){+.+.}-{3:3}, en: dpll_lock_dumpit+0x13/0x20 [52804.642747] qué bloqueo ya depende del nuevo bloqueo. [52804.643551] la cadena de dependencia existente (en orden inverso) es: [52804.644259] -> #1 (dpll_lock){+.+.}-{3:3}: [52804.644836] lock_acquire+0x174/0x3e0 [52804.645271] __mutex_lock+ 0x119/0x1150 [52804.645723] dpll_lock_dumpit+0x13/0x20 [52804.646169] genl_start+0x266/0x320 [52804.646578] __netlink_dump_start+0x321/0x450 [52804.647056 ] genl_family_rcv_msg_dumpit+0x155/0x1e0 [52804.647575] genl_rcv_msg+0x1ed/0x3b0 [52804.648001] netlink_rcv_skb+0xdc/ 0x210 [52804.648440] genl_rcv+0x24/0x40 [52804.648831] netlink_unicast+0x2f1/0x490 [52804.649290] netlink_sendmsg+0x36d/0x660 [52804.649742] __sock_sendmsg +0x73/0xc0 [52804.650165] __sys_sendto+0x184/0x210 [52804.650597] __x64_sys_sendto+0x72/0x80 [ 52804.651045] do_syscall_64+0x6f/0x140 [52804.651474] Entry_SYSCALL_64_after_hwframe+0x46/0x4e [52804.652001] -> #0 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}: [52804.6 52650] check_prev_add+0x1ae/0x1280 [52804.653107 ] __lock_acquire+0x1ed3/0x29a0 [52804.653559] lock_acquire+0x174/0x3e0 [52804.653984] __mutex_lock+0x119/0x1150 [52804.654423] netlink_dump+0xb3/0x780 [52804.654 845] __netlink_dump_start+0x389/0x450 [52804.655321] genl_family_rcv_msg_dumpit+0x155/0x1e0 [52804.655842] genl_rcv_msg +0x1ed/0x3b0 [52804.656272] netlink_rcv_skb+0xdc/0x210 [52804.656721] genl_rcv+0x24/0x40 [52804.657119] netlink_unicast+0x2f1/0x490 [52804.657570] netlink_sendm sg+0x36d/0x660 [52804.658022] __sock_sendmsg+0x73/0xc0 [52804.658450] __sys_sendto+0x184 /0x210 [52804.658877] __x64_sys_sendto+0x72/0x80 [52804.659322] do_syscall_64+0x6f/0x140 [52804.659752] Entry_SYSCALL_64_after_hwframe+0x46/0x4e [52804.66 0281] otra información que podría ayudarnos a depurar esto: [52804.661077] Posible escenario de bloqueo inseguro: [52804.661671] CPU0 CPU1 [52804.662129] ---- ---- [52804.662577] bloqueo(dpll_lock); [52804.662924] bloqueo (nlk_cb_mutex-GENERIC); [52804.663538] bloqueo(dpll_lock); [52804.664073] bloqueo (nlk_cb_mutex-GENERIC); [52804.664490] El problema es el siguiente: __netlink_dump_start() llama a control->start(cb) con nlk->cb_mutex retenido. En control->start(cb) se toma dpll_lock. • https://git.kernel.org/stable/c/9d71b54b65b1fb6c0d3a6c5c88ba9b915c783fbc https://git.kernel.org/stable/c/087739cbd0d0b87b6cec2c0799436ac66e24acc8 https://git.kernel.org/stable/c/53c0441dd2c44ee93fddb5473885fd41e4bc2361 •
CVE-2024-26724 – net/mlx5: DPLL, Fix possible use after free after delayed work timer triggers
https://notcve.org/view.php?id=CVE-2024-26724
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: DPLL, Fix possible use after free after delayed work timer triggers I managed to hit following use after free warning recently: [ 2169.711665] ================================================================== [ 2169.714009] BUG: KASAN: slab-use-after-free in __run_timers.part.0+0x179/0x4c0 [ 2169.716293] Write of size 8 at addr ffff88812b326a70 by task swapper/4/0 [ 2169.719022] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 6.8.0-rc2jiri+ #2 [ 2169.720974] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 2169.722457] Call Trace: [ 2169.722756] <IRQ> [ 2169.723024] dump_stack_lvl+0x58/0xb0 [ 2169.723417] print_report+0xc5/0x630 [ 2169.723807] ? __virt_addr_valid+0x126/0x2b0 [ 2169.724268] kasan_report+0xbe/0xf0 [ 2169.724667] ? __run_timers.part.0+0x179/0x4c0 [ 2169.725116] ? __run_timers.part.0+0x179/0x4c0 [ 2169.725570] __run_timers.part.0+0x179/0x4c0 [ 2169.726003] ? call_timer_fn+0x320/0x320 [ 2169.726404] ? • https://git.kernel.org/stable/c/496fd0a26bbf73b6b12407ee4fbe5ff49d659a6d https://git.kernel.org/stable/c/1596126ea50228f0ed96697bae4e9368fda02c56 https://git.kernel.org/stable/c/aa1eec2f546f2afa8c98ec41e5d8ee488165d685 •
CVE-2024-26723 – lan966x: Fix crash when adding interface under a lag
https://notcve.org/view.php?id=CVE-2024-26723
In the Linux kernel, the following vulnerability has been resolved: lan966x: Fix crash when adding interface under a lag There is a crash when adding one of the lan966x interfaces under a lag interface. The issue can be reproduced like this: ip link add name bond0 type bond miimon 100 mode balance-xor ip link set dev eth0 master bond0 The reason is because when adding a interface under the lag it would go through all the ports and try to figure out which other ports are under that lag interface. And the issue is that lan966x can have ports that are NULL pointer as they are not probed. So then iterating over these ports it would just crash as they are NULL pointers. The fix consists in actually checking for NULL pointers before accessing something from the ports. Like we do in other places. • https://git.kernel.org/stable/c/cabc9d49333df72fe0f6d58bdcf9057ba341e701 https://git.kernel.org/stable/c/b9357489c46c7a43999964628db8b47d3a1f8672 https://git.kernel.org/stable/c/48fae67d837488c87379f0c9f27df7391718477c https://git.kernel.org/stable/c/2a492f01228b7d091dfe38974ef40dccf8f9f2f1 https://git.kernel.org/stable/c/15faa1f67ab405d47789d4702f587ec7df7ef03e • CWE-400: Uncontrolled Resource Consumption •
CVE-2024-26722 – ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()
https://notcve.org/view.php?id=CVE-2024-26722
In the Linux kernel, the following vulnerability has been resolved: ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work() There is a path in rt5645_jack_detect_work(), where rt5645->jd_mutex is left locked forever. That may lead to deadlock when rt5645_jack_detect_work() is called for the second time. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: rt5645: corrige el punto muerto en rt5645_jack_detect_work() Hay una ruta en rt5645_jack_detect_work(), donde rt5645->jd_mutex queda bloqueado para siempre. Eso puede provocar un punto muerto cuando se llama a rt5645_jack_detect_work() por segunda vez. Encontrado por el Centro de verificación de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/48ce529c83522944f116f03884819051f44f0fb6 https://git.kernel.org/stable/c/b67005b284ddaf62043468d1ce5905c17d85b0e6 https://git.kernel.org/stable/c/ffe13302b8fd486f80c98019bdcb7f3e512d0eda https://git.kernel.org/stable/c/7a3ff8a2bb2620ba6a806f0967c38be1a8d306d9 https://git.kernel.org/stable/c/1613195bf31e68b192bc731bea71726773e3482f https://git.kernel.org/stable/c/8f82f2e4d9c4966282e494ae67b0bc05a6c2b904 https://git.kernel.org/stable/c/cdba4301adda7c60a2064bf808e48fccd352aaa9 https://git.kernel.org/stable/c/3dd2d99e2352903d0e0b8769e6c9b8293 •
CVE-2024-26721 – drm/i915/dsc: Fix the macro that calculates DSCC_/DSCA_ PPS reg address
https://notcve.org/view.php?id=CVE-2024-26721
In the Linux kernel, the following vulnerability has been resolved: drm/i915/dsc: Fix the macro that calculates DSCC_/DSCA_ PPS reg address Commit bd077259d0a9 ("drm/i915/vdsc: Add function to read any PPS register") defines a new macro to calculate the DSC PPS register addresses with PPS number as an input. This macro correctly calculates the addresses till PPS 11 since the addresses increment by 4. So in that case the following macro works correctly to give correct register address: _MMIO(_DSCA_PPS_0 + (pps) * 4) However after PPS 11, the register address for PPS 12 increments by 12 because of RC Buffer memory allocation in between. Because of this discontinuity in the address space, the macro calculates wrong addresses for PPS 12 - 16 resulting into incorrect DSC PPS parameter value read/writes causing DSC corruption. This fixes it by correcting this macro to add the offset of 12 for PPS >=12. v3: Add correct paranthesis for pps argument (Jani Nikula) (cherry picked from commit 6074be620c31dc2ae11af96a1a5ea95580976fb5) En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: drm/i915/dsc: corrige la macro que calcula la dirección de registro DSCC_/DSCA_ PPS Commit bd077259d0a9 ("drm/i915/vdsc: Agregar función para leer cualquier registro PPS") define un Nueva macro para calcular las direcciones de registro DSC PPS con el número PPS como entrada. Esta macro calcula correctamente las direcciones hasta PPS 11 ya que las direcciones se incrementan en 4. • https://git.kernel.org/stable/c/bd077259d0a9c9bf453e7e9751bf41f1996e6585 https://git.kernel.org/stable/c/ff5999fb03f467e1e7159f0ddb199c787f7512b9 https://git.kernel.org/stable/c/962ac2dce56bb3aad1f82a4bbe3ada57a020287c •