cve/published/2024/CVE-2024-38555.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-38555: net/mlx5: Discard command completions in internal error

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/mlx5: Discard command completions in internal error

 Fix use after free when FW completion arrives while device is in
 internal error state. Avoid calling completion handler in this case,
 since the device will flush the command interface and trigger all
 completions manually.

 Kernel log:
 ------------[ cut here ]------------
 refcount_t: underflow; use-after-free.
 ...
 RIP: 0010:refcount_warn_saturate+0xd8/0xe0
 ...
 Call Trace:
 <IRQ>
 ? __warn+0x79/0x120
 ? refcount_warn_saturate+0xd8/0xe0
 ? report_bug+0x17c/0x190
 ? handle_bug+0x3c/0x60
 ? exc_invalid_op+0x14/0x70
 ? asm_exc_invalid_op+0x16/0x20
 ? refcount_warn_saturate+0xd8/0xe0
 cmd_ent_put+0x13b/0x160 [mlx5_core]
 mlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]
 cmd_comp_notifier+0x1f/0x30 [mlx5_core]
 notifier_call_chain+0x35/0xb0
 atomic_notifier_call_chain+0x16/0x20
 mlx5_eq_async_int+0xf6/0x290 [mlx5_core]
 notifier_call_chain+0x35/0xb0
 atomic_notifier_call_chain+0x16/0x20
 irq_int_handler+0x19/0x30 [mlx5_core]
 __handle_irq_event_percpu+0x4b/0x160
 handle_irq_event+0x2e/0x80
 handle_edge_irq+0x98/0x230
 __common_interrupt+0x3b/0xa0
 common_interrupt+0x7b/0xa0
 </IRQ>
 <TASK>
 asm_common_interrupt+0x22/0x40

 The Linux kernel CVE team has assigned CVE-2024-38555 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10.20 with commit 27c79b3a9212cf4ba634c157e07d29548181a208 and fixed in 5.10.219 with commit f6fbb8535e990f844371086ab2c1221f71f993d3
 	Issue introduced in 5.12 with commit 51d138c2610a236c1ed0059d034ee4c74f452b86 and fixed in 5.15.161 with commit 3cb92b0ad73d3f1734e812054e698d655e9581b0
 	Issue introduced in 5.12 with commit 51d138c2610a236c1ed0059d034ee4c74f452b86 and fixed in 6.1.93 with commit bf8aaf0ae01c27ae3c06aa8610caf91e50393396
 	Issue introduced in 5.12 with commit 51d138c2610a236c1ed0059d034ee4c74f452b86 and fixed in 6.6.33 with commit 1337ec94bc5a9eed250e33f5f5c89a28a6bfabdb
 	Issue introduced in 5.12 with commit 51d138c2610a236c1ed0059d034ee4c74f452b86 and fixed in 6.8.12 with commit 1d5dce5e92a70274de67a59e1e674c3267f94cd7
 	Issue introduced in 5.12 with commit 51d138c2610a236c1ed0059d034ee4c74f452b86 and fixed in 6.9.3 with commit 7ac4c69c34240c6de820492c0a28a0bd1494265a
 	Issue introduced in 5.12 with commit 51d138c2610a236c1ed0059d034ee4c74f452b86 and fixed in 6.10 with commit db9b31aa9bc56ff0d15b78f7e827d61c4a096e40
 	Issue introduced in 5.11.3 with commit 2e5d24b3bf091802c5456dc8f8f6a6be4493c8ca

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-38555
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/mellanox/mlx5/core/cmd.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f6fbb8535e990f844371086ab2c1221f71f993d3
 	https://git.kernel.org/stable/c/3cb92b0ad73d3f1734e812054e698d655e9581b0
 	https://git.kernel.org/stable/c/bf8aaf0ae01c27ae3c06aa8610caf91e50393396
 	https://git.kernel.org/stable/c/1337ec94bc5a9eed250e33f5f5c89a28a6bfabdb
 	https://git.kernel.org/stable/c/1d5dce5e92a70274de67a59e1e674c3267f94cd7
 	https://git.kernel.org/stable/c/7ac4c69c34240c6de820492c0a28a0bd1494265a
 	https://git.kernel.org/stable/c/db9b31aa9bc56ff0d15b78f7e827d61c4a096e40
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-38555: net/mlx5: Discard command completions in internal error

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/mlx5: Discard command completions in internal error

	Fix use after free when FW completion arrives while device is in
	internal error state. Avoid calling completion handler in this case,
	since the device will flush the command interface and trigger all
	completions manually.

	Kernel log:
	------------[ cut here ]------------
	refcount_t: underflow; use-after-free.
	...
	RIP: 0010:refcount_warn_saturate+0xd8/0xe0
	...
	Call Trace:
	<IRQ>
	? __warn+0x79/0x120
	? refcount_warn_saturate+0xd8/0xe0
	? report_bug+0x17c/0x190
	? handle_bug+0x3c/0x60
	? exc_invalid_op+0x14/0x70
	? asm_exc_invalid_op+0x16/0x20
	? refcount_warn_saturate+0xd8/0xe0
	cmd_ent_put+0x13b/0x160 [mlx5_core]
	mlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]
	cmd_comp_notifier+0x1f/0x30 [mlx5_core]
	notifier_call_chain+0x35/0xb0
	atomic_notifier_call_chain+0x16/0x20
	mlx5_eq_async_int+0xf6/0x290 [mlx5_core]
	notifier_call_chain+0x35/0xb0
	atomic_notifier_call_chain+0x16/0x20
	irq_int_handler+0x19/0x30 [mlx5_core]
	__handle_irq_event_percpu+0x4b/0x160
	handle_irq_event+0x2e/0x80
	handle_edge_irq+0x98/0x230
	__common_interrupt+0x3b/0xa0
	common_interrupt+0x7b/0xa0
	</IRQ>
	<TASK>
	asm_common_interrupt+0x22/0x40

	The Linux kernel CVE team has assigned CVE-2024-38555 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10.20 with commit 27c79b3a9212cf4ba634c157e07d29548181a208 and fixed in 5.10.219 with commit f6fbb8535e990f844371086ab2c1221f71f993d3
	Issue introduced in 5.12 with commit 51d138c2610a236c1ed0059d034ee4c74f452b86 and fixed in 5.15.161 with commit 3cb92b0ad73d3f1734e812054e698d655e9581b0
	Issue introduced in 5.12 with commit 51d138c2610a236c1ed0059d034ee4c74f452b86 and fixed in 6.1.93 with commit bf8aaf0ae01c27ae3c06aa8610caf91e50393396
	Issue introduced in 5.12 with commit 51d138c2610a236c1ed0059d034ee4c74f452b86 and fixed in 6.6.33 with commit 1337ec94bc5a9eed250e33f5f5c89a28a6bfabdb
	Issue introduced in 5.12 with commit 51d138c2610a236c1ed0059d034ee4c74f452b86 and fixed in 6.8.12 with commit 1d5dce5e92a70274de67a59e1e674c3267f94cd7
	Issue introduced in 5.12 with commit 51d138c2610a236c1ed0059d034ee4c74f452b86 and fixed in 6.9.3 with commit 7ac4c69c34240c6de820492c0a28a0bd1494265a
	Issue introduced in 5.12 with commit 51d138c2610a236c1ed0059d034ee4c74f452b86 and fixed in 6.10 with commit db9b31aa9bc56ff0d15b78f7e827d61c4a096e40
	Issue introduced in 5.11.3 with commit 2e5d24b3bf091802c5456dc8f8f6a6be4493c8ca

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38555
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/mellanox/mlx5/core/cmd.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f6fbb8535e990f844371086ab2c1221f71f993d3
	https://git.kernel.org/stable/c/3cb92b0ad73d3f1734e812054e698d655e9581b0
	https://git.kernel.org/stable/c/bf8aaf0ae01c27ae3c06aa8610caf91e50393396
	https://git.kernel.org/stable/c/1337ec94bc5a9eed250e33f5f5c89a28a6bfabdb
	https://git.kernel.org/stable/c/1d5dce5e92a70274de67a59e1e674c3267f94cd7
	https://git.kernel.org/stable/c/7ac4c69c34240c6de820492c0a28a0bd1494265a
	https://git.kernel.org/stable/c/db9b31aa9bc56ff0d15b78f7e827d61c4a096e40