From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-53090: afs: Fix lock recursion

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

afs: Fix lock recursion

afs_wake_up_async_call() can incur lock recursion. The problem is that it
is called from AF_RXRPC whilst holding the ->notify_lock, but it tries to
take a ref on the afs_call struct in order to pass it to a work queue - but
if the afs_call is already queued, we then have an extraneous ref that must
be put... calling afs_put_call() may call back down into AF_RXRPC through
rxrpc_kernel_shutdown_call(), however, which might try taking the
->notify_lock again.

This case isn't very common, however, so defer it to a workqueue. The oops
looks something like:

BUG: spinlock recursion on CPU#0, krxrpcio/7001/1646
lock: 0xffff888141399b30, .magic: dead4ead, .owner: krxrpcio/7001/1646, .owner_cpu: 0
CPU: 0 UID: 0 PID: 1646 Comm: krxrpcio/7001 Not tainted 6.12.0-rc2-build3+ #4351
Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
Call Trace:
<TASK>
dump_stack_lvl+0x47/0x70
do_raw_spin_lock+0x3c/0x90
rxrpc_kernel_shutdown_call+0x83/0xb0
afs_put_call+0xd7/0x180
rxrpc_notify_socket+0xa0/0x190
rxrpc_input_split_jumbo+0x198/0x1d0
rxrpc_input_data+0x14b/0x1e0
? rxrpc_input_call_packet+0xc2/0x1f0
rxrpc_input_call_event+0xad/0x6b0
rxrpc_input_packet_on_conn+0x1e1/0x210
rxrpc_input_packet+0x3f2/0x4d0
rxrpc_io_thread+0x243/0x410
? __pfx_rxrpc_io_thread+0x10/0x10
kthread+0xcf/0xe0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x24/0x40
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>

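The recursion described above, reduced to a user-space model added here for illustration (this is constructed example code, not the kernel's afs or rxrpc code): a callback runs with a spinlock held, drops what turns out to be the last reference, and the teardown path retakes the same lock. The `fixed` variant does what the commit message describes and hands the put to deferred work that runs after the lock is released. The struct and function names are stand-ins chosen for this model, and the scenario in which the callback's ref is the last one is constructed rather than derived from the real race.

```c
/* Constructed model of the recursion described above; not kernel code. */
#include <stdbool.h>
static struct spinlock { int owner; } notify_lock = { -1 };  /* -1: unlocked */
/* Like the spinlock debug check in the oops: refuse to re-lock on the same CPU. */
static int spin_lock(struct spinlock *l, int cpu)
{
    if (l->owner == cpu) return -1;           /* "BUG: spinlock recursion" */
    l->owner = cpu; return 0;
}
static void spin_unlock(struct spinlock *l) { l->owner = -1; }
struct call { int ref; bool work_pending; int recursions; };
/* Stand-in for rxrpc_kernel_shutdown_call(): it needs ->notify_lock itself. */
static void shutdown_call(struct call *c, int cpu)
{
    if (spin_lock(&notify_lock, cpu) < 0) c->recursions++;
    else spin_unlock(&notify_lock);
}
/* Stand-in for afs_put_call(): dropping the last ref tears the call down. */
static void put_call(struct call *c, int cpu) { if (--c->ref == 0) shutdown_call(c, cpu); }

/* One-slot stand-in for the workqueue the fix defers the put to. */
static struct call *deferred_put;
static void run_deferred_work(int cpu)
{
    struct call *c = deferred_put;
    deferred_put = 0;
    if (c) put_call(c, cpu);                  /* no lock is held here */
}

/* Stand-in for afs_wake_up_async_call(): entered with ->notify_lock held. It takes
 * a ref for the work item; if work is already queued, the extra ref must go again. */
static void wake_up_async_call(struct call *c, int cpu, bool fixed)
{
    c->ref++;
    if (!c->work_pending) { c->work_pending = true; return; }
    if (fixed) deferred_put = c;              /* drop it later, outside the lock */
    else       put_call(c, cpu);              /* drop it now, lock still held */
}

/* One notification on CPU 0; returns how many lock recursions were hit.
 * Constructed: the call has no other holder, so the extra ref is its last. */
int simulate(bool fixed)
{
    struct call call = { .ref = 0, .work_pending = true, .recursions = 0 };
    spin_lock(&notify_lock, 0);               /* AF_RXRPC calls in under it */
    wake_up_async_call(&call, 0, fixed);
    spin_unlock(&notify_lock);
    run_deferred_work(0);
    return call.recursions;
}
```

`simulate(false)` reports one recursion, the situation the oops above catches in do_raw_spin_lock(); `simulate(true)` reports none because the teardown runs only after the lock is released.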
The Linux kernel CVE team has assigned CVE-2024-53090 to this issue.


Affected and fixed versions
===========================

Fixed in 6.11.9 with commit d7cbf81df996b1eae2dee8deb6df08e2eba78661
Fixed in 6.12 with commit 610a79ffea02102899a1373fe226d949944a7ed6

Please see https://www.kernel.org for a full list of the kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-53090
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
fs/afs/internal.h
fs/afs/rxrpc.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other, bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/d7cbf81df996b1eae2dee8deb6df08e2eba78661
https://git.kernel.org/stable/c/610a79ffea02102899a1373fe226d949944a7ed6