cve/published/2024/CVE-2024-26854.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26854: ice: fix uninitialized dplls mutex usage

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ice: fix uninitialized dplls mutex usage

 The pf->dplls.lock mutex is initialized too late, after its first use.
 Move it to the top of ice_dpll_init.
 Note that the "err_exit" error path destroys the mutex. And the mutex is
 the last thing destroyed in ice_dpll_deinit.
 This fixes the following warning with CONFIG_DEBUG_MUTEXES:

  ice 0000:10:00.0: The DDP package was successfully loaded: ICE OS Default Package version 1.3.36.0
  ice 0000:10:00.0: 252.048 Gb/s available PCIe bandwidth (16.0 GT/s PCIe x16 link)
  ice 0000:10:00.0: PTP init successful
  ------------[ cut here ]------------
  DEBUG_LOCKS_WARN_ON(lock->magic != lock)
  WARNING: CPU: 0 PID: 410 at kernel/locking/mutex.c:587 __mutex_lock+0x773/0xd40
  Modules linked in: crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic ice(+) nvme nvme_c>
  CPU: 0 PID: 410 Comm: kworker/0:4 Not tainted 6.8.0-rc5+ #3
  Hardware name: HPE ProLiant DL110 Gen10 Plus/ProLiant DL110 Gen10 Plus, BIOS U56 10/19/2023
  Workqueue: events work_for_cpu_fn
  RIP: 0010:__mutex_lock+0x773/0xd40
  Code: c0 0f 84 1d f9 ff ff 44 8b 35 0d 9c 69 01 45 85 f6 0f 85 0d f9 ff ff 48 c7 c6 12 a2 a9 85 48 c7 c7 12 f1 a>
  RSP: 0018:ff7eb1a3417a7ae0 EFLAGS: 00010286
  RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
  RDX: 0000000000000002 RSI: ffffffff85ac2bff RDI: 00000000ffffffff
  RBP: ff7eb1a3417a7b80 R08: 0000000000000000 R09: 00000000ffffbfff
  R10: ff7eb1a3417a7978 R11: ff32b80f7fd2e568 R12: 0000000000000000
  R13: 0000000000000000 R14: 0000000000000000 R15: ff32b7f02c50e0d8
  FS:  0000000000000000(0000) GS:ff32b80efe800000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 000055b5852cc000 CR3: 000000003c43a004 CR4: 0000000000771ef0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  PKRU: 55555554
  Call Trace:
   <TASK>
   ? __warn+0x84/0x170
   ? __mutex_lock+0x773/0xd40
   ? report_bug+0x1c7/0x1d0
   ? prb_read_valid+0x1b/0x30
   ? handle_bug+0x42/0x70
   ? exc_invalid_op+0x18/0x70
   ? asm_exc_invalid_op+0x1a/0x20
   ? __mutex_lock+0x773/0xd40
   ? rcu_is_watching+0x11/0x50
   ? __kmalloc_node_track_caller+0x346/0x490
   ? ice_dpll_lock_status_get+0x28/0x50 [ice]
   ? __pfx_ice_dpll_lock_status_get+0x10/0x10 [ice]
   ? ice_dpll_lock_status_get+0x28/0x50 [ice]
   ice_dpll_lock_status_get+0x28/0x50 [ice]
   dpll_device_get_one+0x14f/0x2e0
   dpll_device_event_send+0x7d/0x150
   dpll_device_register+0x124/0x180
   ice_dpll_init_dpll+0x7b/0xd0 [ice]
   ice_dpll_init+0x224/0xa40 [ice]
   ? _dev_info+0x70/0x90
   ice_load+0x468/0x690 [ice]
   ice_probe+0x75b/0xa10 [ice]
   ? _raw_spin_unlock_irqrestore+0x4f/0x80
   ? process_one_work+0x1a3/0x500
   local_pci_probe+0x47/0xa0
   work_for_cpu_fn+0x17/0x30
   process_one_work+0x20d/0x500
   worker_thread+0x1df/0x3e0
   ? __pfx_worker_thread+0x10/0x10
   kthread+0x103/0x140
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x31/0x50
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1b/0x30
   </TASK>
  irq event stamp: 125197
  hardirqs last  enabled at (125197): [<ffffffff8416409d>] finish_task_switch.isra.0+0x12d/0x3d0
  hardirqs last disabled at (125196): [<ffffffff85134044>] __schedule+0xea4/0x19f0
  softirqs last  enabled at (105334): [<ffffffff84e1e65a>] napi_get_frags_check+0x1a/0x60
  softirqs last disabled at (105332): [<ffffffff84e1e65a>] napi_get_frags_check+0x1a/0x60
  ---[ end trace 0000000000000000 ]---

 The Linux kernel CVE team has assigned CVE-2024-26854 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.7 with commit d7999f5ea64bb10d2857b8cbfe973be373bac7c9 and fixed in 6.7.10 with commit db29ceff3e25c48907016da456a7cbee6310fd83
 	Issue introduced in 6.7 with commit d7999f5ea64bb10d2857b8cbfe973be373bac7c9 and fixed in 6.8 with commit 9224fc86f1776193650a33a275cac628952f80a9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26854
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/intel/ice/ice_dpll.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/db29ceff3e25c48907016da456a7cbee6310fd83
 	https://git.kernel.org/stable/c/9224fc86f1776193650a33a275cac628952f80a9
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26854: ice: fix uninitialized dplls mutex usage

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ice: fix uninitialized dplls mutex usage

	The pf->dplls.lock mutex is initialized too late, after its first use.
	Move it to the top of ice_dpll_init.
	Note that the "err_exit" error path destroys the mutex. And the mutex is
	the last thing destroyed in ice_dpll_deinit.
	This fixes the following warning with CONFIG_DEBUG_MUTEXES:

	ice 0000:10:00.0: The DDP package was successfully loaded: ICE OS Default Package version 1.3.36.0
	ice 0000:10:00.0: 252.048 Gb/s available PCIe bandwidth (16.0 GT/s PCIe x16 link)
	ice 0000:10:00.0: PTP init successful
	------------[ cut here ]------------
	DEBUG_LOCKS_WARN_ON(lock->magic != lock)
	WARNING: CPU: 0 PID: 410 at kernel/locking/mutex.c:587 __mutex_lock+0x773/0xd40
	Modules linked in: crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic ice(+) nvme nvme_c>
	CPU: 0 PID: 410 Comm: kworker/0:4 Not tainted 6.8.0-rc5+ #3
	Hardware name: HPE ProLiant DL110 Gen10 Plus/ProLiant DL110 Gen10 Plus, BIOS U56 10/19/2023
	Workqueue: events work_for_cpu_fn
	RIP: 0010:__mutex_lock+0x773/0xd40
	Code: c0 0f 84 1d f9 ff ff 44 8b 35 0d 9c 69 01 45 85 f6 0f 85 0d f9 ff ff 48 c7 c6 12 a2 a9 85 48 c7 c7 12 f1 a>
	RSP: 0018:ff7eb1a3417a7ae0 EFLAGS: 00010286
	RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
	RDX: 0000000000000002 RSI: ffffffff85ac2bff RDI: 00000000ffffffff
	RBP: ff7eb1a3417a7b80 R08: 0000000000000000 R09: 00000000ffffbfff
	R10: ff7eb1a3417a7978 R11: ff32b80f7fd2e568 R12: 0000000000000000
	R13: 0000000000000000 R14: 0000000000000000 R15: ff32b7f02c50e0d8
	FS: 0000000000000000(0000) GS:ff32b80efe800000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 000055b5852cc000 CR3: 000000003c43a004 CR4: 0000000000771ef0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	PKRU: 55555554
	Call Trace:
	<TASK>
	? __warn+0x84/0x170
	? __mutex_lock+0x773/0xd40
	? report_bug+0x1c7/0x1d0
	? prb_read_valid+0x1b/0x30
	? handle_bug+0x42/0x70
	? exc_invalid_op+0x18/0x70
	? asm_exc_invalid_op+0x1a/0x20
	? __mutex_lock+0x773/0xd40
	? rcu_is_watching+0x11/0x50
	? __kmalloc_node_track_caller+0x346/0x490
	? ice_dpll_lock_status_get+0x28/0x50 [ice]
	? __pfx_ice_dpll_lock_status_get+0x10/0x10 [ice]
	? ice_dpll_lock_status_get+0x28/0x50 [ice]
	ice_dpll_lock_status_get+0x28/0x50 [ice]
	dpll_device_get_one+0x14f/0x2e0
	dpll_device_event_send+0x7d/0x150
	dpll_device_register+0x124/0x180
	ice_dpll_init_dpll+0x7b/0xd0 [ice]
	ice_dpll_init+0x224/0xa40 [ice]
	? _dev_info+0x70/0x90
	ice_load+0x468/0x690 [ice]
	ice_probe+0x75b/0xa10 [ice]
	? _raw_spin_unlock_irqrestore+0x4f/0x80
	? process_one_work+0x1a3/0x500
	local_pci_probe+0x47/0xa0
	work_for_cpu_fn+0x17/0x30
	process_one_work+0x20d/0x500
	worker_thread+0x1df/0x3e0
	? __pfx_worker_thread+0x10/0x10
	kthread+0x103/0x140
	? __pfx_kthread+0x10/0x10
	ret_from_fork+0x31/0x50
	? __pfx_kthread+0x10/0x10
	ret_from_fork_asm+0x1b/0x30
	</TASK>
	irq event stamp: 125197
	hardirqs last enabled at (125197): [<ffffffff8416409d>] finish_task_switch.isra.0+0x12d/0x3d0
	hardirqs last disabled at (125196): [<ffffffff85134044>] __schedule+0xea4/0x19f0
	softirqs last enabled at (105334): [<ffffffff84e1e65a>] napi_get_frags_check+0x1a/0x60
	softirqs last disabled at (105332): [<ffffffff84e1e65a>] napi_get_frags_check+0x1a/0x60
	---[ end trace 0000000000000000 ]---

	The Linux kernel CVE team has assigned CVE-2024-26854 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.7 with commit d7999f5ea64bb10d2857b8cbfe973be373bac7c9 and fixed in 6.7.10 with commit db29ceff3e25c48907016da456a7cbee6310fd83
	Issue introduced in 6.7 with commit d7999f5ea64bb10d2857b8cbfe973be373bac7c9 and fixed in 6.8 with commit 9224fc86f1776193650a33a275cac628952f80a9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26854
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/intel/ice/ice_dpll.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/db29ceff3e25c48907016da456a7cbee6310fd83
	https://git.kernel.org/stable/c/9224fc86f1776193650a33a275cac628952f80a9