CVE-2024-44952
driver core: Fix uevent_show() vs driver detach race
Description
In the Linux kernel, the following vulnerability has been resolved:
driver core: Fix uevent_show() vs driver detach race
uevent_show() wants to de-reference dev->driver->name. There is no clean
way for a device attribute to de-reference dev->driver unless that
attribute is defined via (struct device_driver).dev_groups. Instead, the
anti-pattern of taking the device_lock() in the attribute handler risks
deadlocks with code paths that remove device attributes while holding
the lock.
This deadlock is typically invisible to lockdep given the device_lock()
is marked lockdep_set_novalidate_class(), but some subsystems allocate a
local lockdep key for @dev->mutex to reveal reports of the form:
```
======================================================
WARNING: possible circular locking dependency detected
6.10.0-rc7+ #275 Tainted: G OE N
------------------------------------------------------
modprobe/2374 is trying to acquire lock:
ffff8c2270070de0 (kn->active#6){++++}-{0:0}, at: __kernfs_remove+0xde/0x220

but task is already holding lock:
ffff8c22016e88f8 (&cxl_root_key){+.+.}-{3:3}, at: device_release_driver_internal+0x39/0x210

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&cxl_root_key){+.+.}-{3:3}:
       __mutex_lock+0x99/0xc30
       uevent_show+0xac/0x130
       dev_attr_show+0x18/0x40
       sysfs_kf_seq_show+0xac/0xf0
       seq_read_iter+0x110/0x450
       vfs_read+0x25b/0x340
       ksys_read+0x67/0xf0
       do_syscall_64+0x75/0x190
       entry_SYSCALL_64_after_hwframe+0x76/0x7e

-> #0 (kn->active#6){++++}-{0:0}:
       __lock_acquire+0x121a/0x1fa0
       lock_acquire+0xd6/0x2e0
       kernfs_drain+0x1e9/0x200
       __kernfs_remove+0xde/0x220
       kernfs_remove_by_name_ns+0x5e/0xa0
       device_del+0x168/0x410
       device_unregister+0x13/0x60
       devres_release_all+0xb8/0x110
       device_unbind_cleanup+0xe/0x70
       device_release_driver_internal+0x1c7/0x210
       driver_detach+0x47/0x90
       bus_remove_driver+0x6c/0xf0
       cxl_acpi_exit+0xc/0x11 [cxl_acpi]
       __do_sys_delete_module.isra.0+0x181/0x260
       do_syscall_64+0x75/0x190
       entry_SYSCALL_64_after_hwframe+0x76/0x7e
```
The observation though is that driver objects are typically much longer
lived than device objects. It is reasonable to perform lockless
de-reference of a @driver pointer even if it is racing detach from a
device. Given the infrequency of driver unregistration, use
synchronize_rcu() in module_remove_driver() to close any potential
races. It is potentially overkill to suffer synchronize_rcu() just to
handle the rare module removal racing uevent_show() event.
Thanks to Tetsuo Handa for the debug analysis of the syzbot report [1].
SSVC
- Decision: Track
Timeline
- 2024-08-21 CVE Reserved
- 2024-09-04 CVE Published
- 2024-09-07 EPSS Updated
- 2024-09-15 CVE Updated
References (16)
URL | Tag | Source
---|---|---
https://git.kernel.org/stable/c/bb3641a5831789d83a58a39ed4a928bcbece7080 | Vuln. Introduced |
https://git.kernel.org/stable/c/13d25e82b6d00d743c7961dcb260329f86bedf7c | Vuln. Introduced |
https://git.kernel.org/stable/c/760603e30bf19d7b4c28e9d81f18b54fa3b745ad | Vuln. Introduced |
https://git.kernel.org/stable/c/ec772ed7cb21b46fb132f89241682553efd0b721 | Vuln. Introduced |
https://git.kernel.org/stable/c/08891eeaa97c079b7f95d60b62dcf0e3ce034b69 | Vuln. Introduced |
https://git.kernel.org/stable/c/a42b0060d6ff2f7e59290a26d5f162a3c6329b90 | Vuln. Introduced |
https://git.kernel.org/stable/c/c0a40097f0bc81deafc15f9195d1fb54595cd6d0 | Vuln. Introduced |
https://git.kernel.org/stable/c/95d03d369ea647b89e950667f1c3363ea6f564e6 | Vuln. Introduced |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Linux | Linux Kernel | >= 4.19.317 < 4.19.320 | Affected
Linux | Linux Kernel | >= 5.4.279 < 5.4.282 | Affected
Linux | Linux Kernel | >= 5.10.221 < 5.10.224 | Affected
Linux | Linux Kernel | >= 5.15.162 < 5.15.165 | Affected
Linux | Linux Kernel | >= 6.1.95 < 6.1.105 | Affected
Linux | Linux Kernel | >= 6.6.35 < 6.6.46 | Affected
Linux | Linux Kernel | >= 6.10 < 6.10.5 | Affected
Linux | Linux Kernel | >= 6.10 < 6.11 | Affected
Linux | Linux Kernel | 6.9.6 | Affected