cve/published/2024/CVE-2024-38600.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-38600: ALSA: Fix deadlocks with kctl removals at disconnection

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ALSA: Fix deadlocks with kctl removals at disconnection

 In snd_card_disconnect(), we set card->shutdown flag at the beginning,
 call callbacks and do sync for card->power_ref_sleep waiters at the
 end.  The callback may delete a kctl element, and this can lead to a
 deadlock when the device was in the suspended state.  Namely:

 * A process waits for the power up at snd_power_ref_and_wait() in
   snd_ctl_info() or read/write() inside card->controls_rwsem.

 * The system gets disconnected meanwhile, and the driver tries to
   delete a kctl via snd_ctl_remove*(); it tries to take
   card->controls_rwsem again, but this is already locked by the
   above.  Since the sleeper isn't woken up, this deadlocks.

 An easy fix is to wake up sleepers before processing the driver
 disconnect callbacks but right after setting the card->shutdown flag.
 Then all sleepers will abort immediately, and the code flows again.

 So, basically this patch moves the wait_event() call at the right
 timing.  While we're at it, just to be sure, call wait_event_all()
 instead of wait_event(), although we don't use exclusive events on
 this queue for now.

 The Linux kernel CVE team has assigned CVE-2024-38600 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.14 with commit e94fdbd7b25d87e64688bb109e2c550217a4c879 and fixed in 5.15.161 with commit ff80185e7b7b547a0911fcfc8aefc61c3e8304d7
 	Issue introduced in 5.14 with commit e94fdbd7b25d87e64688bb109e2c550217a4c879 and fixed in 6.1.93 with commit c2fb439f4f1425a961d20bec818fed2c2d9ef70a
 	Issue introduced in 5.14 with commit e94fdbd7b25d87e64688bb109e2c550217a4c879 and fixed in 6.6.33 with commit 2f103287ef7960854808930499d1181bd0145d68
 	Issue introduced in 5.14 with commit e94fdbd7b25d87e64688bb109e2c550217a4c879 and fixed in 6.8.12 with commit 88ce3fe255d58a93624b467af036dc3519f309c7
 	Issue introduced in 5.14 with commit e94fdbd7b25d87e64688bb109e2c550217a4c879 and fixed in 6.9.3 with commit 6b55e879e7bd023a03888fc6c8339edf82f576f4
 	Issue introduced in 5.14 with commit e94fdbd7b25d87e64688bb109e2c550217a4c879 and fixed in 6.10 with commit 87988a534d8e12f2e6fc01fe63e6c1925dc5307c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-38600
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	sound/core/init.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ff80185e7b7b547a0911fcfc8aefc61c3e8304d7
 	https://git.kernel.org/stable/c/c2fb439f4f1425a961d20bec818fed2c2d9ef70a
 	https://git.kernel.org/stable/c/2f103287ef7960854808930499d1181bd0145d68
 	https://git.kernel.org/stable/c/88ce3fe255d58a93624b467af036dc3519f309c7
 	https://git.kernel.org/stable/c/6b55e879e7bd023a03888fc6c8339edf82f576f4
 	https://git.kernel.org/stable/c/87988a534d8e12f2e6fc01fe63e6c1925dc5307c
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-38600: ALSA: Fix deadlocks with kctl removals at disconnection

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ALSA: Fix deadlocks with kctl removals at disconnection

	In snd_card_disconnect(), we set card->shutdown flag at the beginning,
	call callbacks and do sync for card->power_ref_sleep waiters at the
	end. The callback may delete a kctl element, and this can lead to a
	deadlock when the device was in the suspended state. Namely:

	* A process waits for the power up at snd_power_ref_and_wait() in
	snd_ctl_info() or read/write() inside card->controls_rwsem.

	* The system gets disconnected meanwhile, and the driver tries to
	delete a kctl via snd_ctl_remove*(); it tries to take
	card->controls_rwsem again, but this is already locked by the
	above. Since the sleeper isn't woken up, this deadlocks.

	An easy fix is to wake up sleepers before processing the driver
	disconnect callbacks but right after setting the card->shutdown flag.
	Then all sleepers will abort immediately, and the code flows again.

	So, basically this patch moves the wait_event() call at the right
	timing. While we're at it, just to be sure, call wait_event_all()
	instead of wait_event(), although we don't use exclusive events on
	this queue for now.

	The Linux kernel CVE team has assigned CVE-2024-38600 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.14 with commit e94fdbd7b25d87e64688bb109e2c550217a4c879 and fixed in 5.15.161 with commit ff80185e7b7b547a0911fcfc8aefc61c3e8304d7
	Issue introduced in 5.14 with commit e94fdbd7b25d87e64688bb109e2c550217a4c879 and fixed in 6.1.93 with commit c2fb439f4f1425a961d20bec818fed2c2d9ef70a
	Issue introduced in 5.14 with commit e94fdbd7b25d87e64688bb109e2c550217a4c879 and fixed in 6.6.33 with commit 2f103287ef7960854808930499d1181bd0145d68
	Issue introduced in 5.14 with commit e94fdbd7b25d87e64688bb109e2c550217a4c879 and fixed in 6.8.12 with commit 88ce3fe255d58a93624b467af036dc3519f309c7
	Issue introduced in 5.14 with commit e94fdbd7b25d87e64688bb109e2c550217a4c879 and fixed in 6.9.3 with commit 6b55e879e7bd023a03888fc6c8339edf82f576f4
	Issue introduced in 5.14 with commit e94fdbd7b25d87e64688bb109e2c550217a4c879 and fixed in 6.10 with commit 87988a534d8e12f2e6fc01fe63e6c1925dc5307c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38600
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	sound/core/init.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ff80185e7b7b547a0911fcfc8aefc61c3e8304d7
	https://git.kernel.org/stable/c/c2fb439f4f1425a961d20bec818fed2c2d9ef70a
	https://git.kernel.org/stable/c/2f103287ef7960854808930499d1181bd0145d68
	https://git.kernel.org/stable/c/88ce3fe255d58a93624b467af036dc3519f309c7
	https://git.kernel.org/stable/c/6b55e879e7bd023a03888fc6c8339edf82f576f4
	https://git.kernel.org/stable/c/87988a534d8e12f2e6fc01fe63e6c1925dc5307c