cve/published/2024/CVE-2024-40922.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-40922: io_uring/rsrc: don't lock while !TASK_RUNNING

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 io_uring/rsrc: don't lock while !TASK_RUNNING

 There is a report of io_rsrc_ref_quiesce() locking a mutex while not
 TASK_RUNNING, which is due to forgetting restoring the state back after
 io_run_task_work_sig() and attempts to break out of the waiting loop.

 do not call blocking ops when !TASK_RUNNING; state=1 set at
 [<ffffffff815d2494>] prepare_to_wait+0xa4/0x380
 kernel/sched/wait.c:237
 WARNING: CPU: 2 PID: 397056 at kernel/sched/core.c:10099
 __might_sleep+0x114/0x160 kernel/sched/core.c:10099
 RIP: 0010:__might_sleep+0x114/0x160 kernel/sched/core.c:10099
 Call Trace:
  <TASK>
  __mutex_lock_common kernel/locking/mutex.c:585 [inline]
  __mutex_lock+0xb4/0x940 kernel/locking/mutex.c:752
  io_rsrc_ref_quiesce+0x590/0x940 io_uring/rsrc.c:253
  io_sqe_buffers_unregister+0xa2/0x340 io_uring/rsrc.c:799
  __io_uring_register io_uring/register.c:424 [inline]
  __do_sys_io_uring_register+0x5b9/0x2400 io_uring/register.c:613
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xd8/0x270 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x6f/0x77

 The Linux kernel CVE team has assigned CVE-2024-40922 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.4 with commit 4ea15b56f0810f0d8795d475db1bb74b3a7c1b2f and fixed in 6.6.35 with commit 0c9df3df0c888d9ec8d11a68474a4aa04d371cff
 	Issue introduced in 6.4 with commit 4ea15b56f0810f0d8795d475db1bb74b3a7c1b2f and fixed in 6.9.6 with commit 4429c6c77e176a4c5aa7a3bbd1632f9fc0582518
 	Issue introduced in 6.4 with commit 4ea15b56f0810f0d8795d475db1bb74b3a7c1b2f and fixed in 6.10 with commit 54559642b96116b45e4b5ca7fd9f7835b8561272

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-40922
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	io_uring/rsrc.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0c9df3df0c888d9ec8d11a68474a4aa04d371cff
 	https://git.kernel.org/stable/c/4429c6c77e176a4c5aa7a3bbd1632f9fc0582518
 	https://git.kernel.org/stable/c/54559642b96116b45e4b5ca7fd9f7835b8561272
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-40922: io_uring/rsrc: don't lock while !TASK_RUNNING

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	io_uring/rsrc: don't lock while !TASK_RUNNING

	There is a report of io_rsrc_ref_quiesce() locking a mutex while not
	TASK_RUNNING, which is due to forgetting restoring the state back after
	io_run_task_work_sig() and attempts to break out of the waiting loop.

	do not call blocking ops when !TASK_RUNNING; state=1 set at
	[<ffffffff815d2494>] prepare_to_wait+0xa4/0x380
	kernel/sched/wait.c:237
	WARNING: CPU: 2 PID: 397056 at kernel/sched/core.c:10099
	__might_sleep+0x114/0x160 kernel/sched/core.c:10099
	RIP: 0010:__might_sleep+0x114/0x160 kernel/sched/core.c:10099
	Call Trace:
	<TASK>
	__mutex_lock_common kernel/locking/mutex.c:585 [inline]
	__mutex_lock+0xb4/0x940 kernel/locking/mutex.c:752
	io_rsrc_ref_quiesce+0x590/0x940 io_uring/rsrc.c:253
	io_sqe_buffers_unregister+0xa2/0x340 io_uring/rsrc.c:799
	__io_uring_register io_uring/register.c:424 [inline]
	__do_sys_io_uring_register+0x5b9/0x2400 io_uring/register.c:613
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xd8/0x270 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x6f/0x77

	The Linux kernel CVE team has assigned CVE-2024-40922 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.4 with commit 4ea15b56f0810f0d8795d475db1bb74b3a7c1b2f and fixed in 6.6.35 with commit 0c9df3df0c888d9ec8d11a68474a4aa04d371cff
	Issue introduced in 6.4 with commit 4ea15b56f0810f0d8795d475db1bb74b3a7c1b2f and fixed in 6.9.6 with commit 4429c6c77e176a4c5aa7a3bbd1632f9fc0582518
	Issue introduced in 6.4 with commit 4ea15b56f0810f0d8795d475db1bb74b3a7c1b2f and fixed in 6.10 with commit 54559642b96116b45e4b5ca7fd9f7835b8561272

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-40922
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	io_uring/rsrc.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0c9df3df0c888d9ec8d11a68474a4aa04d371cff
	https://git.kernel.org/stable/c/4429c6c77e176a4c5aa7a3bbd1632f9fc0582518
	https://git.kernel.org/stable/c/54559642b96116b45e4b5ca7fd9f7835b8561272