CVE-2024-35818

LoongArch: Define the __io_aw() hook as mmiowb()

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: Define the __io_aw() hook as mmiowb()

Commit fb24ea52f78e0d595852e ("drivers: Remove explicit invocations of
mmiowb()") remove all mmiowb() in drivers, but it says:

"NOTE: mmiowb() has only ever guaranteed ordering in conjunction with
spin_unlock(). However, pairing each mmiowb() removal in this patch with
the corresponding call to spin_unlock() is not at all trivial, so there
is a small chance that this change may regress any drivers incorrectly
relying on mmiowb() to order MMIO writes between CPUs using lock-free
synchronisation."

The mmio in radeon_ring_commit() is protected by a mutex rather than a
spinlock, but in the mutex fastpath it behaves similar to spinlock. We
can add mmiowb() calls in the radeon driver but the maintainer says he
doesn't like such a workaround, and radeon is not the only example of
mutex protected mmio.

So we should extend the mmiowb tracking system from spinlock to mutex,
and maybe other locking primitives. This is not easy and error prone, so
we solve it in the architectural code, by simply defining the __io_aw()
hook as mmiowb(). And we no longer need to override queued_spin_unlock()
so use the generic definition.

Without this, we get such an error when run 'glxgears' on weak ordering
architectures such as LoongArch:

radeon 0000:04:00.0: ring 0 stalled for more than 10324msec
radeon 0000:04:00.0: ring 3 stalled for more than 10240msec
radeon 0000:04:00.0: GPU lockup (current fence id 0x000000000001f412 last fence id 0x000000000001f414 on ring 3)
radeon 0000:04:00.0: GPU lockup (current fence id 0x000000000000f940 last fence id 0x000000000000f941 on ring 0)
radeon 0000:04:00.0: scheduling IB failed (-35).
[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)
radeon 0000:04:00.0: scheduling IB failed (-35).
[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)
radeon 0000:04:00.0: scheduling IB failed (-35).
[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)
radeon 0000:04:00.0: scheduling IB failed (-35).
[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)
radeon 0000:04:00.0: scheduling IB failed (-35).
[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)
radeon 0000:04:00.0: scheduling IB failed (-35).
[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)
radeon 0000:04:00.0: scheduling IB failed (-35).
[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: LoongArch: define el gancho __io_aw() como mmiowb(). Confirmación fb24ea52f78e0d595852e ("drivers: elimina las invocaciones explícitas de mmiowb()") elimina todos los mmiowb() en los controladores, pero dice : "NOTA: mmiowb() solo ha garantizado el pedido junto con spin_unlock(). Sin embargo, emparejar cada eliminación de mmiowb() en este parche con la llamada correspondiente a spin_unlock() no es nada trivial, por lo que existe una pequeña posibilidad que este cambio puede hacer retroceder cualquier controlador que dependa incorrectamente de mmiowb() para ordenar escrituras MMIO entre CPU usando sincronización sin bloqueo". El mmio en radeon_ring_commit() está protegido por un mutex en lugar de un spinlock, pero en el mutex fastpath se comporta de manera similar al spinlock. Podemos agregar llamadas mmiowb() en el controlador radeon, pero el mantenedor dice que no le gusta esa solución, y radeon no es el único ejemplo de mmio protegido por mutex. Entonces deberíamos extender el sistema de seguimiento mmiowb de spinlock a mutex, y tal vez a otras primitivas de bloqueo. Esto no es fácil y propenso a errores, por lo que lo solucionamos en el código arquitectónico, simplemente definiendo el gancho __io_aw() como mmiowb(). Y ya no necesitamos anular queued_spin_unlock() así que use la definición genérica. Sin esto, obtenemos este error cuando ejecutamos 'glxgears' en arquitecturas de ordenamiento débiles como LoongArch: radeon 0000:04:00.0: el anillo 0 se detuvo durante más de 10324 mseg radeon 0000:04:00.0: el anillo 3 se detuvo durante más de 10240 mseg radeon 0000:04:00.0: bloqueo de GPU (ID de valla actual 0x000000000001f412 ID de última valla 0x000000000001f414 en el anillo 3) radeon 0000:04:00.0: Bloqueo de GPU (ID de valla actual 0x000000000000f940 ID de última valla 0x000 000000000f941 en el anillo 0) radeon 0000:04:00.0: la programación IB falló (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* No se pudo actualizar BO_VA (-35) radeon 0000:04:00.0: falló la programación de IB (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* No se pudo actualizar BO_VA (-35) radeon 0000:04:00.0: falló la programación de IB (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* No se pudo actualizar BO_VA (-35) radeon 0000:04:00.0: falló la programación de IB (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* No se pudo actualizar BO_VA (-35) radeon 0000:04:00.0: falló la programación de IB (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* No se pudo actualizar BO_VA (-35) radeon 0000:04:00.0: falló la programación de IB (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* No se pudo actualizar BO_VA (-35) radeon 0000:04:00.0: falló la programación de IB (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* No se pudo actualizar BO_VA (-35)

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-17 CVE Published
2024-05-18 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (5)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/97cd43ba824aec764f5ea2790d0c0a318f885167	2024-04-03
https://git.kernel.org/stable/c/d7d7c6cdea875be3b241d7d39873bb431db7154d	2024-04-03
https://git.kernel.org/stable/c/0b61a7dc6712b78799b3949997e8a5e94db5c4b0	2024-04-03
https://git.kernel.org/stable/c/9adec248bba33b1503252caf8e59d81febfc5ceb	2024-04-03
https://git.kernel.org/stable/c/9c68ece8b2a5c5ff9b2fcaea923dd73efeb174cd	2024-03-19

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.1.84 Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.84"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.6.24 Search vendor "Linux" for product "Linux Kernel" and version " < 6.6.24"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version " < 6.7.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.8.3 Search vendor "Linux" for product "Linux Kernel" and version " < 6.8.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.9 Search vendor "Linux" for product "Linux Kernel" and version " < 6.9"		en		Affected