| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-47143: dma-debug: fix a possible deadlock on radix_lock |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| dma-debug: fix a possible deadlock on radix_lock |
| |
| radix_lock() shouldn't be held while holding dma_hash_entry[idx].lock |
| otherwise, there's a possible deadlock scenario when |
| dma debug API is called holding rq_lock(): |
| |
| CPU0                   CPU1                       CPU2 |
| dma_free_attrs() |
| check_unmap()          add_dma_entry()            __schedule() //out |
|                                                   (A) rq_lock() |
| get_hash_bucket() |
| (A) dma_entry_hash |
|                                                   check_sync() |
|                        (A) radix_lock()           (W) dma_entry_hash |
| dma_entry_free() |
| (W) radix_lock() |
|                        // CPU2's one |
|                        (W) rq_lock() |
| |
| CPU1 situation can happen when it is extending the radix tree and |
| it tries to wake up kswapd via wake_all_kswapd(). |
| |
| CPU2 situation can happen while perf_event_task_sched_out() |
| (i.e. dma sync operation is called while deleting perf_event using |
| etm and etr tmc which are Arm Coresight hwtracing driver backends). |
| |
| To remove this possible situation, call dma_entry_free() after |
| put_hash_bucket() in check_unmap(). |
| |
| The Linux kernel CVE team has assigned CVE-2024-47143 to this issue. |
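
The lock ordering in the diagram above, as an added example that is not part of the original announcement or of the kernel source: a simplified lockdep-style dependency graph over the three locks named in the description. The enum names, struct and helper functions are hypothetical; the edges are taken from the three CPU columns. It shows that the pre-fix ordering forms a cycle and that calling dma_entry_free() after put_hash_bucket() removes it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model: the three locks named in the announcement. */
enum lock_id { RQ_LOCK, HASH_BUCKET_LOCK, RADIX_LOCK, NR_LOCKS };

/* dep[a][b] is true when some path acquires lock b while holding lock a. */
struct lock_graph { bool dep[NR_LOCKS][NR_LOCKS]; };

/* Depth-first search: can `target` be reached from `from` along dep edges? */
static bool reaches(const struct lock_graph *g, int from, int target, bool *seen)
{
    if (g->dep[from][target]) return true;
    seen[from] = true;
    for (int next = 0; next < NR_LOCKS; next++)
        if (g->dep[from][next] && !seen[next] && reaches(g, next, target, seen))
            return true;
    return false;
}

/* A cycle in the dependency graph means the paths can deadlock each other. */
static bool has_deadlock_cycle(const struct lock_graph *g)
{
    for (int l = 0; l < NR_LOCKS; l++) {
        bool seen[NR_LOCKS] = { false };
        if (reaches(g, l, l, seen))
            return true;
    }
    return false;
}

/* free_under_bucket_lock = true models check_unmap() before the fix. */
static struct lock_graph build_graph(bool free_under_bucket_lock)
{
    struct lock_graph g = { 0 };
    g.dep[RADIX_LOCK][RQ_LOCK] = true;          /* CPU1: add_dma_entry() wakes kswapd */
    g.dep[RQ_LOCK][HASH_BUCKET_LOCK] = true;    /* CPU2: __schedule() -> check_sync() */
    g.dep[HASH_BUCKET_LOCK][RADIX_LOCK] = free_under_bucket_lock; /* CPU0: dma_entry_free() */
    return g;
}

int main(void)
{
    struct lock_graph before = build_graph(true), after = build_graph(false);
    printf("cycle before fix: %d, after fix: %d\n", has_deadlock_cycle(&before), has_deadlock_cycle(&after));
    return 0;
}
```
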
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 5.10.231 with commit 3ccce34a5c3f5c9541108a451657ade621524b32 |
| Fixed in 5.15.174 with commit efe1b9bbf356357fdff0399af361133d6e3ba18e |
| Fixed in 6.1.120 with commit 8c1b4fea8d62285f5e1a8194889b39661608bd8a |
| Fixed in 6.6.66 with commit c212d91070beca0d03fef7bf988baf4ff4b3eee4 |
| Fixed in 6.12.5 with commit f2b95248a16c5186d1c658fc0aeb2f3bd95e5259 |
| Fixed in 6.13 with commit 7543c3e3b9b88212fcd0aaf5cab5588797bdc7de |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-47143 |
| will be updated if fixes are backported; please check that for the most |
| up-to-date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| kernel/dma/debug.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If, however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/3ccce34a5c3f5c9541108a451657ade621524b32 |
| https://git.kernel.org/stable/c/efe1b9bbf356357fdff0399af361133d6e3ba18e |
| https://git.kernel.org/stable/c/8c1b4fea8d62285f5e1a8194889b39661608bd8a |
| https://git.kernel.org/stable/c/c212d91070beca0d03fef7bf988baf4ff4b3eee4 |
| https://git.kernel.org/stable/c/f2b95248a16c5186d1c658fc0aeb2f3bd95e5259 |
| https://git.kernel.org/stable/c/7543c3e3b9b88212fcd0aaf5cab5588797bdc7de |