cve/published/2024/CVE-2024-35989.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35989: dmaengine: idxd: Fix oops during rmmod on single-CPU platforms

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 dmaengine: idxd: Fix oops during rmmod on single-CPU platforms

 During the removal of the idxd driver, registered offline callback is
 invoked as part of the clean up process. However, on systems with only
 one CPU online, no valid target is available to migrate the
 perf context, resulting in a kernel oops:

     BUG: unable to handle page fault for address: 000000000002a2b8
     #PF: supervisor write access in kernel mode
     #PF: error_code(0x0002) - not-present page
     PGD 1470e1067 P4D 0
     Oops: 0002 [#1] PREEMPT SMP NOPTI
     CPU: 0 PID: 20 Comm: cpuhp/0 Not tainted 6.8.0-rc6-dsa+ #57
     Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023
     RIP: 0010:mutex_lock+0x2e/0x50
     ...
     Call Trace:
     <TASK>
     __die+0x24/0x70
     page_fault_oops+0x82/0x160
     do_user_addr_fault+0x65/0x6b0
     __pfx___rdmsr_safe_on_cpu+0x10/0x10
     exc_page_fault+0x7d/0x170
     asm_exc_page_fault+0x26/0x30
     mutex_lock+0x2e/0x50
     mutex_lock+0x1e/0x50
     perf_pmu_migrate_context+0x87/0x1f0
     perf_event_cpu_offline+0x76/0x90 [idxd]
     cpuhp_invoke_callback+0xa2/0x4f0
     __pfx_perf_event_cpu_offline+0x10/0x10 [idxd]
     cpuhp_thread_fun+0x98/0x150
     smpboot_thread_fn+0x27/0x260
     smpboot_thread_fn+0x1af/0x260
     __pfx_smpboot_thread_fn+0x10/0x10
     kthread+0x103/0x140
     __pfx_kthread+0x10/0x10
     ret_from_fork+0x31/0x50
     __pfx_kthread+0x10/0x10
     ret_from_fork_asm+0x1b/0x30
     <TASK>

 Fix the issue by preventing the migration of the perf context to an
 invalid target.

 The Linux kernel CVE team has assigned CVE-2024-35989 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit 81dd4d4d6178306ab31db91bdc7353d485bdafce and fixed in 5.15.158 with commit 9edd3aa34d50f27b97be30b2ba4a6af0945ff56b
 	Issue introduced in 5.13 with commit 81dd4d4d6178306ab31db91bdc7353d485bdafce and fixed in 6.1.90 with commit 023b6390a15a98f9c3aa5e7da78d485d5384a08e
 	Issue introduced in 5.13 with commit 81dd4d4d6178306ab31db91bdc7353d485bdafce and fixed in 6.6.30 with commit f976eca36cdf94e32fa4f865db0e7c427c9aa33c
 	Issue introduced in 5.13 with commit 81dd4d4d6178306ab31db91bdc7353d485bdafce and fixed in 6.8.9 with commit 47533176fdcef17b114a6f688bc872901c1ec6bb
 	Issue introduced in 5.13 with commit 81dd4d4d6178306ab31db91bdc7353d485bdafce and fixed in 6.9 with commit f221033f5c24659dc6ad7e5cf18fb1b075f4a8be

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35989
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/dma/idxd/perfmon.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9edd3aa34d50f27b97be30b2ba4a6af0945ff56b
 	https://git.kernel.org/stable/c/023b6390a15a98f9c3aa5e7da78d485d5384a08e
 	https://git.kernel.org/stable/c/f976eca36cdf94e32fa4f865db0e7c427c9aa33c
 	https://git.kernel.org/stable/c/47533176fdcef17b114a6f688bc872901c1ec6bb
 	https://git.kernel.org/stable/c/f221033f5c24659dc6ad7e5cf18fb1b075f4a8be
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35989: dmaengine: idxd: Fix oops during rmmod on single-CPU platforms

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	dmaengine: idxd: Fix oops during rmmod on single-CPU platforms

	During the removal of the idxd driver, registered offline callback is
	invoked as part of the clean up process. However, on systems with only
	one CPU online, no valid target is available to migrate the
	perf context, resulting in a kernel oops:

	BUG: unable to handle page fault for address: 000000000002a2b8
	#PF: supervisor write access in kernel mode
	#PF: error_code(0x0002) - not-present page
	PGD 1470e1067 P4D 0
	Oops: 0002 [#1] PREEMPT SMP NOPTI
	CPU: 0 PID: 20 Comm: cpuhp/0 Not tainted 6.8.0-rc6-dsa+ #57
	Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023
	RIP: 0010:mutex_lock+0x2e/0x50
	...
	Call Trace:
	<TASK>
	__die+0x24/0x70
	page_fault_oops+0x82/0x160
	do_user_addr_fault+0x65/0x6b0
	__pfx___rdmsr_safe_on_cpu+0x10/0x10
	exc_page_fault+0x7d/0x170
	asm_exc_page_fault+0x26/0x30
	mutex_lock+0x2e/0x50
	mutex_lock+0x1e/0x50
	perf_pmu_migrate_context+0x87/0x1f0
	perf_event_cpu_offline+0x76/0x90 [idxd]
	cpuhp_invoke_callback+0xa2/0x4f0
	__pfx_perf_event_cpu_offline+0x10/0x10 [idxd]
	cpuhp_thread_fun+0x98/0x150
	smpboot_thread_fn+0x27/0x260
	smpboot_thread_fn+0x1af/0x260
	__pfx_smpboot_thread_fn+0x10/0x10
	kthread+0x103/0x140
	__pfx_kthread+0x10/0x10
	ret_from_fork+0x31/0x50
	__pfx_kthread+0x10/0x10
	ret_from_fork_asm+0x1b/0x30
	<TASK>

	Fix the issue by preventing the migration of the perf context to an
	invalid target.

	The Linux kernel CVE team has assigned CVE-2024-35989 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit 81dd4d4d6178306ab31db91bdc7353d485bdafce and fixed in 5.15.158 with commit 9edd3aa34d50f27b97be30b2ba4a6af0945ff56b
	Issue introduced in 5.13 with commit 81dd4d4d6178306ab31db91bdc7353d485bdafce and fixed in 6.1.90 with commit 023b6390a15a98f9c3aa5e7da78d485d5384a08e
	Issue introduced in 5.13 with commit 81dd4d4d6178306ab31db91bdc7353d485bdafce and fixed in 6.6.30 with commit f976eca36cdf94e32fa4f865db0e7c427c9aa33c
	Issue introduced in 5.13 with commit 81dd4d4d6178306ab31db91bdc7353d485bdafce and fixed in 6.8.9 with commit 47533176fdcef17b114a6f688bc872901c1ec6bb
	Issue introduced in 5.13 with commit 81dd4d4d6178306ab31db91bdc7353d485bdafce and fixed in 6.9 with commit f221033f5c24659dc6ad7e5cf18fb1b075f4a8be

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35989
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/dma/idxd/perfmon.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9edd3aa34d50f27b97be30b2ba4a6af0945ff56b
	https://git.kernel.org/stable/c/023b6390a15a98f9c3aa5e7da78d485d5384a08e
	https://git.kernel.org/stable/c/f976eca36cdf94e32fa4f865db0e7c427c9aa33c
	https://git.kernel.org/stable/c/47533176fdcef17b114a6f688bc872901c1ec6bb
	https://git.kernel.org/stable/c/f221033f5c24659dc6ad7e5cf18fb1b075f4a8be