cve/published/2024/CVE-2024-50138.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50138: bpf: Use raw_spinlock_t in ringbuf

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf: Use raw_spinlock_t in ringbuf

 The function __bpf_ringbuf_reserve is invoked from a tracepoint, which
 disables preemption. Using spinlock_t in this context can lead to a
 "sleep in atomic" warning in the RT variant. This issue is illustrated
 in the example below:

 BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 556208, name: test_progs
 preempt_count: 1, expected: 0
 RCU nest depth: 1, expected: 1
 INFO: lockdep is turned off.
 Preemption disabled at:
 [<ffffd33a5c88ea44>] migrate_enable+0xc0/0x39c
 CPU: 7 PID: 556208 Comm: test_progs Tainted: G
 Hardware name: Qualcomm SA8775P Ride (DT)
 Call trace:
  dump_backtrace+0xac/0x130
  show_stack+0x1c/0x30
  dump_stack_lvl+0xac/0xe8
  dump_stack+0x18/0x30
  __might_resched+0x3bc/0x4fc
  rt_spin_lock+0x8c/0x1a4
  __bpf_ringbuf_reserve+0xc4/0x254
  bpf_ringbuf_reserve_dynptr+0x5c/0xdc
  bpf_prog_ac3d15160d62622a_test_read_write+0x104/0x238
  trace_call_bpf+0x238/0x774
  perf_call_bpf_enter.isra.0+0x104/0x194
  perf_syscall_enter+0x2f8/0x510
  trace_sys_enter+0x39c/0x564
  syscall_trace_enter+0x220/0x3c0
  do_el0_svc+0x138/0x1dc
  el0_svc+0x54/0x130
  el0t_64_sync_handler+0x134/0x150
  el0t_64_sync+0x17c/0x180

 Switch the spinlock to raw_spinlock_t to avoid this error.

 The Linux kernel CVE team has assigned CVE-2024-50138 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.8 with commit 457f44363a8894135c85b7a9afd2bd8196db24ab and fixed in 6.1.115 with commit 5eb34999d118e69a20dc0c6556f315fcb0a1f8d3
 	Issue introduced in 5.8 with commit 457f44363a8894135c85b7a9afd2bd8196db24ab and fixed in 6.6.84 with commit f9543375d9b150b2bcf16bb182e6b62309db0888
 	Issue introduced in 5.8 with commit 457f44363a8894135c85b7a9afd2bd8196db24ab and fixed in 6.11.6 with commit ca30e682e5d6de44d12c4610767811c9a21d59ba
 	Issue introduced in 5.8 with commit 457f44363a8894135c85b7a9afd2bd8196db24ab and fixed in 6.12 with commit 8b62645b09f870d70c7910e7550289d444239a46

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50138
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/bpf/ringbuf.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5eb34999d118e69a20dc0c6556f315fcb0a1f8d3
 	https://git.kernel.org/stable/c/f9543375d9b150b2bcf16bb182e6b62309db0888
 	https://git.kernel.org/stable/c/ca30e682e5d6de44d12c4610767811c9a21d59ba
 	https://git.kernel.org/stable/c/8b62645b09f870d70c7910e7550289d444239a46
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50138: bpf: Use raw_spinlock_t in ringbuf

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf: Use raw_spinlock_t in ringbuf

	The function __bpf_ringbuf_reserve is invoked from a tracepoint, which
	disables preemption. Using spinlock_t in this context can lead to a
	"sleep in atomic" warning in the RT variant. This issue is illustrated
	in the example below:

	BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
	in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 556208, name: test_progs
	preempt_count: 1, expected: 0
	RCU nest depth: 1, expected: 1
	INFO: lockdep is turned off.
	Preemption disabled at:
	[<ffffd33a5c88ea44>] migrate_enable+0xc0/0x39c
	CPU: 7 PID: 556208 Comm: test_progs Tainted: G
	Hardware name: Qualcomm SA8775P Ride (DT)
	Call trace:
	dump_backtrace+0xac/0x130
	show_stack+0x1c/0x30
	dump_stack_lvl+0xac/0xe8
	dump_stack+0x18/0x30
	__might_resched+0x3bc/0x4fc
	rt_spin_lock+0x8c/0x1a4
	__bpf_ringbuf_reserve+0xc4/0x254
	bpf_ringbuf_reserve_dynptr+0x5c/0xdc
	bpf_prog_ac3d15160d62622a_test_read_write+0x104/0x238
	trace_call_bpf+0x238/0x774
	perf_call_bpf_enter.isra.0+0x104/0x194
	perf_syscall_enter+0x2f8/0x510
	trace_sys_enter+0x39c/0x564
	syscall_trace_enter+0x220/0x3c0
	do_el0_svc+0x138/0x1dc
	el0_svc+0x54/0x130
	el0t_64_sync_handler+0x134/0x150
	el0t_64_sync+0x17c/0x180

	Switch the spinlock to raw_spinlock_t to avoid this error.

	The Linux kernel CVE team has assigned CVE-2024-50138 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.8 with commit 457f44363a8894135c85b7a9afd2bd8196db24ab and fixed in 6.1.115 with commit 5eb34999d118e69a20dc0c6556f315fcb0a1f8d3
	Issue introduced in 5.8 with commit 457f44363a8894135c85b7a9afd2bd8196db24ab and fixed in 6.6.84 with commit f9543375d9b150b2bcf16bb182e6b62309db0888
	Issue introduced in 5.8 with commit 457f44363a8894135c85b7a9afd2bd8196db24ab and fixed in 6.11.6 with commit ca30e682e5d6de44d12c4610767811c9a21d59ba
	Issue introduced in 5.8 with commit 457f44363a8894135c85b7a9afd2bd8196db24ab and fixed in 6.12 with commit 8b62645b09f870d70c7910e7550289d444239a46

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50138
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/bpf/ringbuf.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5eb34999d118e69a20dc0c6556f315fcb0a1f8d3
	https://git.kernel.org/stable/c/f9543375d9b150b2bcf16bb182e6b62309db0888
	https://git.kernel.org/stable/c/ca30e682e5d6de44d12c4610767811c9a21d59ba
	https://git.kernel.org/stable/c/8b62645b09f870d70c7910e7550289d444239a46