cve/published/2024/CVE-2024-26680.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26680: net: atlantic: Fix DMA mapping for PTP hwts ring

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: atlantic: Fix DMA mapping for PTP hwts ring

 Function aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes
 for PTP HWTS ring but then generic aq_ring_free() does not take this
 into account.
 Create and use a specific function to free HWTS ring to fix this
 issue.

 Trace:
 [  215.351607] ------------[ cut here ]------------
 [  215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]
 [  215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360
 ...
 [  215.581176] Call Trace:
 [  215.583632]  <TASK>
 [  215.585745]  ? show_trace_log_lvl+0x1c4/0x2df
 [  215.590114]  ? show_trace_log_lvl+0x1c4/0x2df
 [  215.594497]  ? debug_dma_free_coherent+0x196/0x210
 [  215.599305]  ? check_unmap+0xa6f/0x2360
 [  215.603147]  ? __warn+0xca/0x1d0
 [  215.606391]  ? check_unmap+0xa6f/0x2360
 [  215.610237]  ? report_bug+0x1ef/0x370
 [  215.613921]  ? handle_bug+0x3c/0x70
 [  215.617423]  ? exc_invalid_op+0x14/0x50
 [  215.621269]  ? asm_exc_invalid_op+0x16/0x20
 [  215.625480]  ? check_unmap+0xa6f/0x2360
 [  215.629331]  ? mark_lock.part.0+0xca/0xa40
 [  215.633445]  debug_dma_free_coherent+0x196/0x210
 [  215.638079]  ? __pfx_debug_dma_free_coherent+0x10/0x10
 [  215.643242]  ? slab_free_freelist_hook+0x11d/0x1d0
 [  215.648060]  dma_free_attrs+0x6d/0x130
 [  215.651834]  aq_ring_free+0x193/0x290 [atlantic]
 [  215.656487]  aq_ptp_ring_free+0x67/0x110 [atlantic]
 ...
 [  216.127540] ---[ end trace 6467e5964dd2640b ]---
 [  216.132160] DMA-API: Mapped at:
 [  216.132162]  debug_dma_alloc_coherent+0x66/0x2f0
 [  216.132165]  dma_alloc_attrs+0xf5/0x1b0
 [  216.132168]  aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]
 [  216.132193]  aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]
 [  216.132213]  aq_nic_init+0x4a1/0x760 [atlantic]

 The Linux kernel CVE team has assigned CVE-2024-26680 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.5 with commit 94ad94558b0fbf18dd6fb0987540af1693157556 and fixed in 6.1.78 with commit 466ceebe48cbba3f4506f165fca7111f9eb8bb12
 	Issue introduced in 5.5 with commit 94ad94558b0fbf18dd6fb0987540af1693157556 and fixed in 6.6.17 with commit 004fe5b7f59286a926a45e0cafc7870e9cdddd56
 	Issue introduced in 5.5 with commit 94ad94558b0fbf18dd6fb0987540af1693157556 and fixed in 6.7.5 with commit e42e334c645575be5432adee224975d4f536fdb1
 	Issue introduced in 5.5 with commit 94ad94558b0fbf18dd6fb0987540af1693157556 and fixed in 6.8 with commit 2e7d3b67630dfd8f178c41fa2217aa00e79a5887

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26680
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/aquantia/atlantic/aq_ptp.c
 	drivers/net/ethernet/aquantia/atlantic/aq_ring.c
 	drivers/net/ethernet/aquantia/atlantic/aq_ring.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/466ceebe48cbba3f4506f165fca7111f9eb8bb12
 	https://git.kernel.org/stable/c/004fe5b7f59286a926a45e0cafc7870e9cdddd56
 	https://git.kernel.org/stable/c/e42e334c645575be5432adee224975d4f536fdb1
 	https://git.kernel.org/stable/c/2e7d3b67630dfd8f178c41fa2217aa00e79a5887
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26680: net: atlantic: Fix DMA mapping for PTP hwts ring

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: atlantic: Fix DMA mapping for PTP hwts ring

	Function aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes
	for PTP HWTS ring but then generic aq_ring_free() does not take this
	into account.
	Create and use a specific function to free HWTS ring to fix this
	issue.

	Trace:
	[ 215.351607] ------------[ cut here ]------------
	[ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]
	[ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360
	...
	[ 215.581176] Call Trace:
	[ 215.583632] <TASK>
	[ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df
	[ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df
	[ 215.594497] ? debug_dma_free_coherent+0x196/0x210
	[ 215.599305] ? check_unmap+0xa6f/0x2360
	[ 215.603147] ? __warn+0xca/0x1d0
	[ 215.606391] ? check_unmap+0xa6f/0x2360
	[ 215.610237] ? report_bug+0x1ef/0x370
	[ 215.613921] ? handle_bug+0x3c/0x70
	[ 215.617423] ? exc_invalid_op+0x14/0x50
	[ 215.621269] ? asm_exc_invalid_op+0x16/0x20
	[ 215.625480] ? check_unmap+0xa6f/0x2360
	[ 215.629331] ? mark_lock.part.0+0xca/0xa40
	[ 215.633445] debug_dma_free_coherent+0x196/0x210
	[ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10
	[ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0
	[ 215.648060] dma_free_attrs+0x6d/0x130
	[ 215.651834] aq_ring_free+0x193/0x290 [atlantic]
	[ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic]
	...
	[ 216.127540] ---[ end trace 6467e5964dd2640b ]---
	[ 216.132160] DMA-API: Mapped at:
	[ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0
	[ 216.132165] dma_alloc_attrs+0xf5/0x1b0
	[ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]
	[ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]
	[ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]

	The Linux kernel CVE team has assigned CVE-2024-26680 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.5 with commit 94ad94558b0fbf18dd6fb0987540af1693157556 and fixed in 6.1.78 with commit 466ceebe48cbba3f4506f165fca7111f9eb8bb12
	Issue introduced in 5.5 with commit 94ad94558b0fbf18dd6fb0987540af1693157556 and fixed in 6.6.17 with commit 004fe5b7f59286a926a45e0cafc7870e9cdddd56
	Issue introduced in 5.5 with commit 94ad94558b0fbf18dd6fb0987540af1693157556 and fixed in 6.7.5 with commit e42e334c645575be5432adee224975d4f536fdb1
	Issue introduced in 5.5 with commit 94ad94558b0fbf18dd6fb0987540af1693157556 and fixed in 6.8 with commit 2e7d3b67630dfd8f178c41fa2217aa00e79a5887

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26680
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/aquantia/atlantic/aq_ptp.c
	drivers/net/ethernet/aquantia/atlantic/aq_ring.c
	drivers/net/ethernet/aquantia/atlantic/aq_ring.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/466ceebe48cbba3f4506f165fca7111f9eb8bb12
	https://git.kernel.org/stable/c/004fe5b7f59286a926a45e0cafc7870e9cdddd56
	https://git.kernel.org/stable/c/e42e334c645575be5432adee224975d4f536fdb1
	https://git.kernel.org/stable/c/2e7d3b67630dfd8f178c41fa2217aa00e79a5887