Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2024 / CVE-2024-40980.mbox
blob: de69434457f45d91ef9a4aece6bd23d2024990e4 [file] [log] [blame]
From bippy-1.2.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-40980: drop_monitor: replace spin_lock by raw_spin_lock
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
drop_monitor: replace spin_lock by raw_spin_lock
trace_drop_common() is called with preemption disabled, and it acquires
a spin_lock. This is problematic for RT kernels because spin_locks are
sleeping locks in this configuration, which causes the following splat:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47
preempt_count: 1, expected: 0
RCU nest depth: 2, expected: 2
5 locks held by rcuc/47/449:
#0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210
#1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130
#2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210
#3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70
#4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290
irq event stamp: 139909
hardirqs last enabled at (139908): [<ffffffffb1df2b33>] _raw_spin_unlock_irqrestore+0x63/0x80
hardirqs last disabled at (139909): [<ffffffffb19bd03d>] trace_drop_common.constprop.0+0x26d/0x290
softirqs last enabled at (139892): [<ffffffffb07a1083>] __local_bh_enable_ip+0x103/0x170
softirqs last disabled at (139898): [<ffffffffb0909b33>] rcu_cpu_kthread+0x93/0x1f0
Preemption disabled at:
[<ffffffffb1de786b>] rt_mutex_slowunlock+0xab/0x2e0
CPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7
Hardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022
Call Trace:
<TASK>
dump_stack_lvl+0x8c/0xd0
dump_stack+0x14/0x20
__might_resched+0x21e/0x2f0
rt_spin_lock+0x5e/0x130
? trace_drop_common.constprop.0+0xb5/0x290
? skb_queue_purge_reason.part.0+0x1bf/0x230
trace_drop_common.constprop.0+0xb5/0x290
? preempt_count_sub+0x1c/0xd0
? _raw_spin_unlock_irqrestore+0x4a/0x80
? __pfx_trace_drop_common.constprop.0+0x10/0x10
? rt_mutex_slowunlock+0x26a/0x2e0
? skb_queue_purge_reason.part.0+0x1bf/0x230
? __pfx_rt_mutex_slowunlock+0x10/0x10
? skb_queue_purge_reason.part.0+0x1bf/0x230
trace_kfree_skb_hit+0x15/0x20
trace_kfree_skb+0xe9/0x150
kfree_skb_reason+0x7b/0x110
skb_queue_purge_reason.part.0+0x1bf/0x230
? __pfx_skb_queue_purge_reason.part.0+0x10/0x10
? mark_lock.part.0+0x8a/0x520
...
trace_drop_common() also disables interrupts, but this is a minor issue
because we could easily replace it with a local_lock.
Replace the spin_lock with raw_spin_lock to avoid sleeping in atomic
context.
The Linux kernel CVE team has assigned CVE-2024-40980 to this issue.
Affected and fixed versions
===========================
Issue introduced in 2.6.31 with commit 4ea7e38696c7e798c47ebbecadfd392f23f814f9 and fixed in 5.4.279 with commit 594e47957f3fe034645e6885393ce96c12286334
Issue introduced in 2.6.31 with commit 4ea7e38696c7e798c47ebbecadfd392f23f814f9 and fixed in 5.10.221 with commit 96941f29ebcc1e9cbf570dc903f30374909562f5
Issue introduced in 2.6.31 with commit 4ea7e38696c7e798c47ebbecadfd392f23f814f9 and fixed in 5.15.162 with commit b3722fb69468693555f531cddda5c30444726dac
Issue introduced in 2.6.31 with commit 4ea7e38696c7e798c47ebbecadfd392f23f814f9 and fixed in 6.1.96 with commit f251ccef1d864790e5253386e95544420b7cd8f3
Issue introduced in 2.6.31 with commit 4ea7e38696c7e798c47ebbecadfd392f23f814f9 and fixed in 6.6.36 with commit 76ce2f9125244e1708d29c1d3f9d1d50b347bda0
Issue introduced in 2.6.31 with commit 4ea7e38696c7e798c47ebbecadfd392f23f814f9 and fixed in 6.9.7 with commit 07ea878684dfb78a9d4f564c39d07e855a9e242e
Issue introduced in 2.6.31 with commit 4ea7e38696c7e798c47ebbecadfd392f23f814f9 and fixed in 6.10 with commit f1e197a665c2148ebc25fe09c53689e60afea195
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-40980
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/core/drop_monitor.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/594e47957f3fe034645e6885393ce96c12286334
https://git.kernel.org/stable/c/96941f29ebcc1e9cbf570dc903f30374909562f5
https://git.kernel.org/stable/c/b3722fb69468693555f531cddda5c30444726dac
https://git.kernel.org/stable/c/f251ccef1d864790e5253386e95544420b7cd8f3
https://git.kernel.org/stable/c/76ce2f9125244e1708d29c1d3f9d1d50b347bda0
https://git.kernel.org/stable/c/07ea878684dfb78a9d4f564c39d07e855a9e242e
https://git.kernel.org/stable/c/f1e197a665c2148ebc25fe09c53689e60afea195