cve/published/2024/CVE-2024-44982.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-44982: drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails

 If the dpu_format_populate_layout() fails, then FB is prepared, but not
 cleaned up. This ends up leaking the pin_count on the GEM object and
 causes a splat during DRM file closure:

 msm_obj->pin_count
 WARNING: CPU: 2 PID: 569 at drivers/gpu/drm/msm/msm_gem.c:121 update_lru_locked+0xc4/0xcc
 [...]
 Call trace:
  update_lru_locked+0xc4/0xcc
  put_pages+0xac/0x100
  msm_gem_free_object+0x138/0x180
  drm_gem_object_free+0x1c/0x30
  drm_gem_object_handle_put_unlocked+0x108/0x10c
  drm_gem_object_release_handle+0x58/0x70
  idr_for_each+0x68/0xec
  drm_gem_release+0x28/0x40
  drm_file_free+0x174/0x234
  drm_release+0xb0/0x160
  __fput+0xc0/0x2c8
  __fput_sync+0x50/0x5c
  __arm64_sys_close+0x38/0x7c
  invoke_syscall+0x48/0x118
  el0_svc_common.constprop.0+0x40/0xe0
  do_el0_svc+0x1c/0x28
  el0_svc+0x4c/0x120
  el0t_64_sync_handler+0x100/0x12c
  el0t_64_sync+0x190/0x194
 irq event stamp: 129818
 hardirqs last  enabled at (129817): [<ffffa5f6d953fcc0>] console_unlock+0x118/0x124
 hardirqs last disabled at (129818): [<ffffa5f6da7dcf04>] el1_dbg+0x24/0x8c
 softirqs last  enabled at (129808): [<ffffa5f6d94afc18>] handle_softirqs+0x4c8/0x4e8
 softirqs last disabled at (129785): [<ffffa5f6d94105e4>] __do_softirq+0x14/0x20

 Patchwork: https://patchwork.freedesktop.org/patch/600714/

 The Linux kernel CVE team has assigned CVE-2024-44982 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19 with commit 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef and fixed in 5.15.166 with commit 9b8b65211a880af8fe8330a101e1e239a2d4008f
 	Issue introduced in 4.19 with commit 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef and fixed in 6.1.107 with commit 7ecf85542169012765e4c2817cd3be6c2e009962
 	Issue introduced in 4.19 with commit 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef and fixed in 6.6.48 with commit a3c5815b07f4ee19d0b7e2ddf91ff9f03ecbf27d
 	Issue introduced in 4.19 with commit 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef and fixed in 6.10.7 with commit 02193c70723118889281f75b88722b26b58bf4ae
 	Issue introduced in 4.19 with commit 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef and fixed in 6.11 with commit bfa1a6283be390947d3649c482e5167186a37016

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-44982
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9b8b65211a880af8fe8330a101e1e239a2d4008f
 	https://git.kernel.org/stable/c/7ecf85542169012765e4c2817cd3be6c2e009962
 	https://git.kernel.org/stable/c/a3c5815b07f4ee19d0b7e2ddf91ff9f03ecbf27d
 	https://git.kernel.org/stable/c/02193c70723118889281f75b88722b26b58bf4ae
 	https://git.kernel.org/stable/c/bfa1a6283be390947d3649c482e5167186a37016
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-44982: drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails

	If the dpu_format_populate_layout() fails, then FB is prepared, but not
	cleaned up. This ends up leaking the pin_count on the GEM object and
	causes a splat during DRM file closure:

	msm_obj->pin_count
	WARNING: CPU: 2 PID: 569 at drivers/gpu/drm/msm/msm_gem.c:121 update_lru_locked+0xc4/0xcc
	[...]
	Call trace:
	update_lru_locked+0xc4/0xcc
	put_pages+0xac/0x100
	msm_gem_free_object+0x138/0x180
	drm_gem_object_free+0x1c/0x30
	drm_gem_object_handle_put_unlocked+0x108/0x10c
	drm_gem_object_release_handle+0x58/0x70
	idr_for_each+0x68/0xec
	drm_gem_release+0x28/0x40
	drm_file_free+0x174/0x234
	drm_release+0xb0/0x160
	__fput+0xc0/0x2c8
	__fput_sync+0x50/0x5c
	__arm64_sys_close+0x38/0x7c
	invoke_syscall+0x48/0x118
	el0_svc_common.constprop.0+0x40/0xe0
	do_el0_svc+0x1c/0x28
	el0_svc+0x4c/0x120
	el0t_64_sync_handler+0x100/0x12c
	el0t_64_sync+0x190/0x194
	irq event stamp: 129818
	hardirqs last enabled at (129817): [<ffffa5f6d953fcc0>] console_unlock+0x118/0x124
	hardirqs last disabled at (129818): [<ffffa5f6da7dcf04>] el1_dbg+0x24/0x8c
	softirqs last enabled at (129808): [<ffffa5f6d94afc18>] handle_softirqs+0x4c8/0x4e8
	softirqs last disabled at (129785): [<ffffa5f6d94105e4>] __do_softirq+0x14/0x20

	Patchwork: https://patchwork.freedesktop.org/patch/600714/

	The Linux kernel CVE team has assigned CVE-2024-44982 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19 with commit 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef and fixed in 5.15.166 with commit 9b8b65211a880af8fe8330a101e1e239a2d4008f
	Issue introduced in 4.19 with commit 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef and fixed in 6.1.107 with commit 7ecf85542169012765e4c2817cd3be6c2e009962
	Issue introduced in 4.19 with commit 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef and fixed in 6.6.48 with commit a3c5815b07f4ee19d0b7e2ddf91ff9f03ecbf27d
	Issue introduced in 4.19 with commit 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef and fixed in 6.10.7 with commit 02193c70723118889281f75b88722b26b58bf4ae
	Issue introduced in 4.19 with commit 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef and fixed in 6.11 with commit bfa1a6283be390947d3649c482e5167186a37016

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-44982
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9b8b65211a880af8fe8330a101e1e239a2d4008f
	https://git.kernel.org/stable/c/7ecf85542169012765e4c2817cd3be6c2e009962
	https://git.kernel.org/stable/c/a3c5815b07f4ee19d0b7e2ddf91ff9f03ecbf27d
	https://git.kernel.org/stable/c/02193c70723118889281f75b88722b26b58bf4ae
	https://git.kernel.org/stable/c/bfa1a6283be390947d3649c482e5167186a37016