cve/published/2024/CVE-2024-47735.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-47735: RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled

 Fix missuse of spin_lock_irq()/spin_unlock_irq() when
 spin_lock_irqsave()/spin_lock_irqrestore() was hold.

 This was discovered through the lock debugging, and the corresponding
 log is as follows:

 raw_local_irq_restore() called with IRQs enabled
 WARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40
 ...
 Call trace:
  warn_bogus_irq_restore+0x30/0x40
  _raw_spin_unlock_irqrestore+0x84/0xc8
  add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2]
  hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2]
  hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2]
  create_qp+0x138/0x258
  ib_create_qp_kernel+0x50/0xe8
  create_mad_qp+0xa8/0x128
  ib_mad_port_open+0x218/0x448
  ib_mad_init_device+0x70/0x1f8
  add_client_context+0xfc/0x220
  enable_device_and_get+0xd0/0x140
  ib_register_device.part.0+0xf4/0x1c8
  ib_register_device+0x34/0x50
  hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2]
  hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2]
  __hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2]
  hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2]

 The Linux kernel CVE team has assigned CVE-2024-47735 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.9 with commit 9a4435375cd151e07c0c38fa601b00115986091b and fixed in 5.10.227 with commit 07f0f643d7e570dbe8ef6f5c3367a43e3086a335
 	Issue introduced in 4.9 with commit 9a4435375cd151e07c0c38fa601b00115986091b and fixed in 5.15.168 with commit 29c0f546d3fd66238b42cf25bcd5f193bb1cf794
 	Issue introduced in 4.9 with commit 9a4435375cd151e07c0c38fa601b00115986091b and fixed in 6.1.113 with commit 425589d4af09c49574bd71ac31f811362a5126c3
 	Issue introduced in 4.9 with commit 9a4435375cd151e07c0c38fa601b00115986091b and fixed in 6.6.54 with commit 094a1821903f33fb91de4b71087773ee16aeb3a0
 	Issue introduced in 4.9 with commit 9a4435375cd151e07c0c38fa601b00115986091b and fixed in 6.10.13 with commit 2656336a84fcb6802f6e6c233f4661891deea24f
 	Issue introduced in 4.9 with commit 9a4435375cd151e07c0c38fa601b00115986091b and fixed in 6.11.2 with commit a1a3403bb1826c8ec787f0d60c3e7b54f419129e
 	Issue introduced in 4.9 with commit 9a4435375cd151e07c0c38fa601b00115986091b and fixed in 6.12 with commit 74d315b5af180220d561684d15897730135733a6

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-47735
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/hw/hns/hns_roce_qp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/07f0f643d7e570dbe8ef6f5c3367a43e3086a335
 	https://git.kernel.org/stable/c/29c0f546d3fd66238b42cf25bcd5f193bb1cf794
 	https://git.kernel.org/stable/c/425589d4af09c49574bd71ac31f811362a5126c3
 	https://git.kernel.org/stable/c/094a1821903f33fb91de4b71087773ee16aeb3a0
 	https://git.kernel.org/stable/c/2656336a84fcb6802f6e6c233f4661891deea24f
 	https://git.kernel.org/stable/c/a1a3403bb1826c8ec787f0d60c3e7b54f419129e
 	https://git.kernel.org/stable/c/74d315b5af180220d561684d15897730135733a6
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-47735: RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled

	Fix missuse of spin_lock_irq()/spin_unlock_irq() when
	spin_lock_irqsave()/spin_lock_irqrestore() was hold.

	This was discovered through the lock debugging, and the corresponding
	log is as follows:

	raw_local_irq_restore() called with IRQs enabled
	WARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40
	...
	Call trace:
	warn_bogus_irq_restore+0x30/0x40
	_raw_spin_unlock_irqrestore+0x84/0xc8
	add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2]
	hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2]
	hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2]
	create_qp+0x138/0x258
	ib_create_qp_kernel+0x50/0xe8
	create_mad_qp+0xa8/0x128
	ib_mad_port_open+0x218/0x448
	ib_mad_init_device+0x70/0x1f8
	add_client_context+0xfc/0x220
	enable_device_and_get+0xd0/0x140
	ib_register_device.part.0+0xf4/0x1c8
	ib_register_device+0x34/0x50
	hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2]
	hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2]
	__hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2]
	hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2]

	The Linux kernel CVE team has assigned CVE-2024-47735 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.9 with commit 9a4435375cd151e07c0c38fa601b00115986091b and fixed in 5.10.227 with commit 07f0f643d7e570dbe8ef6f5c3367a43e3086a335
	Issue introduced in 4.9 with commit 9a4435375cd151e07c0c38fa601b00115986091b and fixed in 5.15.168 with commit 29c0f546d3fd66238b42cf25bcd5f193bb1cf794
	Issue introduced in 4.9 with commit 9a4435375cd151e07c0c38fa601b00115986091b and fixed in 6.1.113 with commit 425589d4af09c49574bd71ac31f811362a5126c3
	Issue introduced in 4.9 with commit 9a4435375cd151e07c0c38fa601b00115986091b and fixed in 6.6.54 with commit 094a1821903f33fb91de4b71087773ee16aeb3a0
	Issue introduced in 4.9 with commit 9a4435375cd151e07c0c38fa601b00115986091b and fixed in 6.10.13 with commit 2656336a84fcb6802f6e6c233f4661891deea24f
	Issue introduced in 4.9 with commit 9a4435375cd151e07c0c38fa601b00115986091b and fixed in 6.11.2 with commit a1a3403bb1826c8ec787f0d60c3e7b54f419129e
	Issue introduced in 4.9 with commit 9a4435375cd151e07c0c38fa601b00115986091b and fixed in 6.12 with commit 74d315b5af180220d561684d15897730135733a6

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47735
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/hw/hns/hns_roce_qp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/07f0f643d7e570dbe8ef6f5c3367a43e3086a335
	https://git.kernel.org/stable/c/29c0f546d3fd66238b42cf25bcd5f193bb1cf794
	https://git.kernel.org/stable/c/425589d4af09c49574bd71ac31f811362a5126c3
	https://git.kernel.org/stable/c/094a1821903f33fb91de4b71087773ee16aeb3a0
	https://git.kernel.org/stable/c/2656336a84fcb6802f6e6c233f4661891deea24f
	https://git.kernel.org/stable/c/a1a3403bb1826c8ec787f0d60c3e7b54f419129e
	https://git.kernel.org/stable/c/74d315b5af180220d561684d15897730135733a6