cve/published/2024/CVE-2024-26984.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26984: nouveau: fix instmem race condition around ptr stores

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nouveau: fix instmem race condition around ptr stores

 Running a lot of VK CTS in parallel against nouveau, once every
 few hours you might see something like this crash.

 BUG: kernel NULL pointer dereference, address: 0000000000000008
 PGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0
 Oops: 0000 [#1] PREEMPT SMP PTI
 CPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27
 Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021
 RIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]
 Code: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1
 RSP: 0000:ffffac20c5857838 EFLAGS: 00010202
 RAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001
 RDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180
 RBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10
 R10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c
 R13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c
 FS:  00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:

 ...

  ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]
  ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]
  nvkm_vmm_iter+0x351/0xa20 [nouveau]
  ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]
  ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
  ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
  ? __lock_acquire+0x3ed/0x2170
  ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
  nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]
  ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]
  ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
  nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]

 Adding any sort of useful debug usually makes it go away, so I hand
 wrote the function in a line, and debugged the asm.

 Every so often pt->memory->ptrs is NULL. This ptrs ptr is set in
 the nv50_instobj_acquire called from nvkm_kmap.

 If Thread A and Thread B both get to nv50_instobj_acquire around
 the same time, and Thread A hits the refcount_set line, and in
 lockstep thread B succeeds at refcount_inc_not_zero, there is a
 chance the ptrs value won't have been stored since refcount_set
 is unordered. Force a memory barrier here, I picked smp_mb, since
 we want it on all CPUs and it's write followed by a read.

 v2: use paired smp_rmb/smp_wmb.

 The Linux kernel CVE team has assigned CVE-2024-26984 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 4.19.313 with commit bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9
 	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 5.4.275 with commit 1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7
 	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 5.10.216 with commit 13d76b2f443dc371842916dd8768009ff1594716
 	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 5.15.157 with commit 3ab056814cd8ab84744c9a19ef51360b2271c572
 	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 6.1.88 with commit ad74d208f213c06d860916ad40f609ade8c13039
 	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 6.6.29 with commit a019b44b1bc6ed224c46fb5f88a8a10dd116e525
 	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 6.8.8 with commit 21ca9539f09360fd83654f78f2c361f2f5ddcb52
 	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 6.9 with commit fff1386cc889d8fb4089d285f883f8cba62d82ce

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26984
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv50.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9
 	https://git.kernel.org/stable/c/1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7
 	https://git.kernel.org/stable/c/13d76b2f443dc371842916dd8768009ff1594716
 	https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572
 	https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039
 	https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525
 	https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52
 	https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26984: nouveau: fix instmem race condition around ptr stores

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nouveau: fix instmem race condition around ptr stores

	Running a lot of VK CTS in parallel against nouveau, once every
	few hours you might see something like this crash.

	BUG: kernel NULL pointer dereference, address: 0000000000000008
	PGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0
	Oops: 0000 [#1] PREEMPT SMP PTI
	CPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27
	Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021
	RIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]
	Code: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1
	RSP: 0000:ffffac20c5857838 EFLAGS: 00010202
	RAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001
	RDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180
	RBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10
	R10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c
	R13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c
	FS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:

	...

	? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]
	? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]
	nvkm_vmm_iter+0x351/0xa20 [nouveau]
	? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]
	? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
	? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
	? __lock_acquire+0x3ed/0x2170
	? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
	nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]
	? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]
	? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
	nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]

	Adding any sort of useful debug usually makes it go away, so I hand
	wrote the function in a line, and debugged the asm.

	Every so often pt->memory->ptrs is NULL. This ptrs ptr is set in
	the nv50_instobj_acquire called from nvkm_kmap.

	If Thread A and Thread B both get to nv50_instobj_acquire around
	the same time, and Thread A hits the refcount_set line, and in
	lockstep thread B succeeds at refcount_inc_not_zero, there is a
	chance the ptrs value won't have been stored since refcount_set
	is unordered. Force a memory barrier here, I picked smp_mb, since
	we want it on all CPUs and it's write followed by a read.

	v2: use paired smp_rmb/smp_wmb.

	The Linux kernel CVE team has assigned CVE-2024-26984 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 4.19.313 with commit bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9
	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 5.4.275 with commit 1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7
	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 5.10.216 with commit 13d76b2f443dc371842916dd8768009ff1594716
	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 5.15.157 with commit 3ab056814cd8ab84744c9a19ef51360b2271c572
	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 6.1.88 with commit ad74d208f213c06d860916ad40f609ade8c13039
	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 6.6.29 with commit a019b44b1bc6ed224c46fb5f88a8a10dd116e525
	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 6.8.8 with commit 21ca9539f09360fd83654f78f2c361f2f5ddcb52
	Issue introduced in 4.15 with commit be55287aa5ba6895e9d4d3ed2f08a1be7a065957 and fixed in 6.9 with commit fff1386cc889d8fb4089d285f883f8cba62d82ce

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26984
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv50.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9
	https://git.kernel.org/stable/c/1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7
	https://git.kernel.org/stable/c/13d76b2f443dc371842916dd8768009ff1594716
	https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572
	https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039
	https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525
	https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52
	https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce