cve/published/2024/CVE-2024-50196.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50196: pinctrl: ocelot: fix system hang on level based interrupts

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 pinctrl: ocelot: fix system hang on level based interrupts

 The current implementation only calls chained_irq_enter() and
 chained_irq_exit() if it detects pending interrupts.

 ```
 for (i = 0; i < info->stride; i++) {
 	uregmap_read(info->map, id_reg + 4 * i, &reg);
 	if (!reg)
 		continue;

 	chained_irq_enter(parent_chip, desc);
 ```

 However, in case of GPIO pin configured in level mode and the parent
 controller configured in edge mode, GPIO interrupt might be lowered by the
 hardware. In the result, if the interrupt is short enough, the parent
 interrupt is still pending while the GPIO interrupt is cleared;
 chained_irq_enter() never gets called and the system hangs trying to
 service the parent interrupt.

 Moving chained_irq_enter() and chained_irq_exit() outside the for loop
 ensures that they are called even when GPIO interrupt is lowered by the
 hardware.

 The similar code with chained_irq_enter() / chained_irq_exit() functions
 wrapping interrupt checking loop may be found in many other drivers:
 ```
 grep -r -A 10 chained_irq_enter drivers/pinctrl
 ```

 The Linux kernel CVE team has assigned CVE-2024-50196 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.16 with commit ce8dc0943357a5d10b05dcf0556b537c1d7b8b1f and fixed in 5.15.169 with commit 655f5d4662b958122b260be05aa6dfdf8768efe6
 	Issue introduced in 4.16 with commit ce8dc0943357a5d10b05dcf0556b537c1d7b8b1f and fixed in 6.1.114 with commit 4a81800ef05bea5a9896f199677f7b7f5020776a
 	Issue introduced in 4.16 with commit ce8dc0943357a5d10b05dcf0556b537c1d7b8b1f and fixed in 6.6.58 with commit 20728e86289ab463b99b7ab4425515bd26aba417
 	Issue introduced in 4.16 with commit ce8dc0943357a5d10b05dcf0556b537c1d7b8b1f and fixed in 6.11.5 with commit dcbe9954634807ec54e22bde278b5b269f921381
 	Issue introduced in 4.16 with commit ce8dc0943357a5d10b05dcf0556b537c1d7b8b1f and fixed in 6.12 with commit 93b8ddc54507a227087c60a0013ed833b6ae7d3c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50196
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/pinctrl/pinctrl-ocelot.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/655f5d4662b958122b260be05aa6dfdf8768efe6
 	https://git.kernel.org/stable/c/4a81800ef05bea5a9896f199677f7b7f5020776a
 	https://git.kernel.org/stable/c/20728e86289ab463b99b7ab4425515bd26aba417
 	https://git.kernel.org/stable/c/dcbe9954634807ec54e22bde278b5b269f921381
 	https://git.kernel.org/stable/c/93b8ddc54507a227087c60a0013ed833b6ae7d3c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50196: pinctrl: ocelot: fix system hang on level based interrupts

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	pinctrl: ocelot: fix system hang on level based interrupts

	The current implementation only calls chained_irq_enter() and
	chained_irq_exit() if it detects pending interrupts.

	```
	for (i = 0; i < info->stride; i++) {
	uregmap_read(info->map, id_reg + 4 * i, &reg);
	if (!reg)
	continue;

	chained_irq_enter(parent_chip, desc);
	```

	However, in case of GPIO pin configured in level mode and the parent
	controller configured in edge mode, GPIO interrupt might be lowered by the
	hardware. In the result, if the interrupt is short enough, the parent
	interrupt is still pending while the GPIO interrupt is cleared;
	chained_irq_enter() never gets called and the system hangs trying to
	service the parent interrupt.

	Moving chained_irq_enter() and chained_irq_exit() outside the for loop
	ensures that they are called even when GPIO interrupt is lowered by the
	hardware.

	The similar code with chained_irq_enter() / chained_irq_exit() functions
	wrapping interrupt checking loop may be found in many other drivers:
	```
	grep -r -A 10 chained_irq_enter drivers/pinctrl
	```

	The Linux kernel CVE team has assigned CVE-2024-50196 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.16 with commit ce8dc0943357a5d10b05dcf0556b537c1d7b8b1f and fixed in 5.15.169 with commit 655f5d4662b958122b260be05aa6dfdf8768efe6
	Issue introduced in 4.16 with commit ce8dc0943357a5d10b05dcf0556b537c1d7b8b1f and fixed in 6.1.114 with commit 4a81800ef05bea5a9896f199677f7b7f5020776a
	Issue introduced in 4.16 with commit ce8dc0943357a5d10b05dcf0556b537c1d7b8b1f and fixed in 6.6.58 with commit 20728e86289ab463b99b7ab4425515bd26aba417
	Issue introduced in 4.16 with commit ce8dc0943357a5d10b05dcf0556b537c1d7b8b1f and fixed in 6.11.5 with commit dcbe9954634807ec54e22bde278b5b269f921381
	Issue introduced in 4.16 with commit ce8dc0943357a5d10b05dcf0556b537c1d7b8b1f and fixed in 6.12 with commit 93b8ddc54507a227087c60a0013ed833b6ae7d3c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50196
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/pinctrl/pinctrl-ocelot.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/655f5d4662b958122b260be05aa6dfdf8768efe6
	https://git.kernel.org/stable/c/4a81800ef05bea5a9896f199677f7b7f5020776a
	https://git.kernel.org/stable/c/20728e86289ab463b99b7ab4425515bd26aba417
	https://git.kernel.org/stable/c/dcbe9954634807ec54e22bde278b5b269f921381
	https://git.kernel.org/stable/c/93b8ddc54507a227087c60a0013ed833b6ae7d3c