cve/published/2024/CVE-2024-53224.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53224: RDMA/mlx5: Move events notifier registration to be after device registration

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 RDMA/mlx5: Move events notifier registration to be after device registration

 Move pkey change work initialization and cleanup from device resources
 stage to notifier stage, since this is the stage which handles this work
 events.

 Fix a race between the device deregistration and pkey change work by moving
 MLX5_IB_STAGE_DEVICE_NOTIFIER to be after MLX5_IB_STAGE_IB_REG in order to
 ensure that the notifier is deregistered before the device during cleanup.
 Which ensures there are no works that are being executed after the
 device has already unregistered which can cause the panic below.

 BUG: kernel NULL pointer dereference, address: 0000000000000000
 PGD 0 P4D 0
 Oops: 0000 [#1] PREEMPT SMP PTI
 CPU: 1 PID: 630071 Comm: kworker/1:2 Kdump: loaded Tainted: G W OE --------- --- 5.14.0-162.6.1.el9_1.x86_64 #1
 Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 02/27/2023
 Workqueue: events pkey_change_handler [mlx5_ib]
 RIP: 0010:setup_qp+0x38/0x1f0 [mlx5_ib]
 Code: ee 41 54 45 31 e4 55 89 f5 53 48 89 fb 48 83 ec 20 8b 77 08 65 48 8b 04 25 28 00 00 00 48 89 44 24 18 48 8b 07 48 8d 4c 24 16 <4c> 8b 38 49 8b 87 80 0b 00 00 4c 89 ff 48 8b 80 08 05 00 00 8b 40
 RSP: 0018:ffffbcc54068be20 EFLAGS: 00010282
 RAX: 0000000000000000 RBX: ffff954054494128 RCX: ffffbcc54068be36
 RDX: ffff954004934000 RSI: 0000000000000001 RDI: ffff954054494128
 RBP: 0000000000000023 R08: ffff954001be2c20 R09: 0000000000000001
 R10: ffff954001be2c20 R11: ffff9540260133c0 R12: 0000000000000000
 R13: 0000000000000023 R14: 0000000000000000 R15: ffff9540ffcb0905
 FS: 0000000000000000(0000) GS:ffff9540ffc80000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 000000010625c001 CR4: 00000000003706e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
 mlx5_ib_gsi_pkey_change+0x20/0x40 [mlx5_ib]
 process_one_work+0x1e8/0x3c0
 worker_thread+0x50/0x3b0
 ? rescuer_thread+0x380/0x380
 kthread+0x149/0x170
 ? set_kthread_struct+0x50/0x50
 ret_from_fork+0x22/0x30
 Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) mlx5_fwctl(OE) fwctl(OE) ib_uverbs(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlx_compat(OE) psample mlxfw(OE) tls knem(OE) netconsole nfsv3 nfs_acl nfs lockd grace fscache netfs qrtr rfkill sunrpc intel_rapl_msr intel_rapl_common rapl hv_balloon hv_utils i2c_piix4 pcspkr joydev fuse ext4 mbcache jbd2 sr_mod sd_mod cdrom t10_pi sg ata_generic pci_hyperv pci_hyperv_intf hyperv_drm drm_shmem_helper drm_kms_helper hv_storvsc syscopyarea hv_netvsc sysfillrect sysimgblt hid_hyperv fb_sys_fops scsi_transport_fc hyperv_keyboard drm ata_piix crct10dif_pclmul crc32_pclmul crc32c_intel libata ghash_clmulni_intel hv_vmbus serio_raw [last unloaded: ib_core]
 CR2: 0000000000000000
 ---[ end trace f6f8be4eae12f7bc ]---

 The Linux kernel CVE team has assigned CVE-2024-53224 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.6 with commit 7722f47e71e58592a2ba4437d27c802ba1c64e08 and fixed in 6.6.64 with commit 921fcf2971a1e8d3b904ba2c2905b96f4ec3d4ad
 	Issue introduced in 4.6 with commit 7722f47e71e58592a2ba4437d27c802ba1c64e08 and fixed in 6.11.11 with commit 542bd62b7a7f37182c9ef192c2bd25d118c144e4
 	Issue introduced in 4.6 with commit 7722f47e71e58592a2ba4437d27c802ba1c64e08 and fixed in 6.12.2 with commit 6b0acf6a94c31efa43fce4edc22413a3390f9c05
 	Issue introduced in 4.6 with commit 7722f47e71e58592a2ba4437d27c802ba1c64e08 and fixed in 6.13 with commit ede132a5cf559f3ab35a4c28bac4f4a6c20334d8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53224
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/hw/mlx5/main.c
 	drivers/infiniband/hw/mlx5/mlx5_ib.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/921fcf2971a1e8d3b904ba2c2905b96f4ec3d4ad
 	https://git.kernel.org/stable/c/542bd62b7a7f37182c9ef192c2bd25d118c144e4
 	https://git.kernel.org/stable/c/6b0acf6a94c31efa43fce4edc22413a3390f9c05
 	https://git.kernel.org/stable/c/ede132a5cf559f3ab35a4c28bac4f4a6c20334d8
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53224: RDMA/mlx5: Move events notifier registration to be after device registration

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	RDMA/mlx5: Move events notifier registration to be after device registration

	Move pkey change work initialization and cleanup from device resources
	stage to notifier stage, since this is the stage which handles this work
	events.

	Fix a race between the device deregistration and pkey change work by moving
	MLX5_IB_STAGE_DEVICE_NOTIFIER to be after MLX5_IB_STAGE_IB_REG in order to
	ensure that the notifier is deregistered before the device during cleanup.
	Which ensures there are no works that are being executed after the
	device has already unregistered which can cause the panic below.

	BUG: kernel NULL pointer dereference, address: 0000000000000000
	PGD 0 P4D 0
	Oops: 0000 [#1] PREEMPT SMP PTI
	CPU: 1 PID: 630071 Comm: kworker/1:2 Kdump: loaded Tainted: G W OE --------- --- 5.14.0-162.6.1.el9_1.x86_64 #1
	Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 02/27/2023
	Workqueue: events pkey_change_handler [mlx5_ib]
	RIP: 0010:setup_qp+0x38/0x1f0 [mlx5_ib]
	Code: ee 41 54 45 31 e4 55 89 f5 53 48 89 fb 48 83 ec 20 8b 77 08 65 48 8b 04 25 28 00 00 00 48 89 44 24 18 48 8b 07 48 8d 4c 24 16 <4c> 8b 38 49 8b 87 80 0b 00 00 4c 89 ff 48 8b 80 08 05 00 00 8b 40
	RSP: 0018:ffffbcc54068be20 EFLAGS: 00010282
	RAX: 0000000000000000 RBX: ffff954054494128 RCX: ffffbcc54068be36
	RDX: ffff954004934000 RSI: 0000000000000001 RDI: ffff954054494128
	RBP: 0000000000000023 R08: ffff954001be2c20 R09: 0000000000000001
	R10: ffff954001be2c20 R11: ffff9540260133c0 R12: 0000000000000000
	R13: 0000000000000023 R14: 0000000000000000 R15: ffff9540ffcb0905
	FS: 0000000000000000(0000) GS:ffff9540ffc80000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000000000000 CR3: 000000010625c001 CR4: 00000000003706e0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	mlx5_ib_gsi_pkey_change+0x20/0x40 [mlx5_ib]
	process_one_work+0x1e8/0x3c0
	worker_thread+0x50/0x3b0
	? rescuer_thread+0x380/0x380
	kthread+0x149/0x170
	? set_kthread_struct+0x50/0x50
	ret_from_fork+0x22/0x30
	Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) mlx5_fwctl(OE) fwctl(OE) ib_uverbs(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlx_compat(OE) psample mlxfw(OE) tls knem(OE) netconsole nfsv3 nfs_acl nfs lockd grace fscache netfs qrtr rfkill sunrpc intel_rapl_msr intel_rapl_common rapl hv_balloon hv_utils i2c_piix4 pcspkr joydev fuse ext4 mbcache jbd2 sr_mod sd_mod cdrom t10_pi sg ata_generic pci_hyperv pci_hyperv_intf hyperv_drm drm_shmem_helper drm_kms_helper hv_storvsc syscopyarea hv_netvsc sysfillrect sysimgblt hid_hyperv fb_sys_fops scsi_transport_fc hyperv_keyboard drm ata_piix crct10dif_pclmul crc32_pclmul crc32c_intel libata ghash_clmulni_intel hv_vmbus serio_raw [last unloaded: ib_core]
	CR2: 0000000000000000
	---[ end trace f6f8be4eae12f7bc ]---

	The Linux kernel CVE team has assigned CVE-2024-53224 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.6 with commit 7722f47e71e58592a2ba4437d27c802ba1c64e08 and fixed in 6.6.64 with commit 921fcf2971a1e8d3b904ba2c2905b96f4ec3d4ad
	Issue introduced in 4.6 with commit 7722f47e71e58592a2ba4437d27c802ba1c64e08 and fixed in 6.11.11 with commit 542bd62b7a7f37182c9ef192c2bd25d118c144e4
	Issue introduced in 4.6 with commit 7722f47e71e58592a2ba4437d27c802ba1c64e08 and fixed in 6.12.2 with commit 6b0acf6a94c31efa43fce4edc22413a3390f9c05
	Issue introduced in 4.6 with commit 7722f47e71e58592a2ba4437d27c802ba1c64e08 and fixed in 6.13 with commit ede132a5cf559f3ab35a4c28bac4f4a6c20334d8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53224
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/hw/mlx5/main.c
	drivers/infiniband/hw/mlx5/mlx5_ib.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/921fcf2971a1e8d3b904ba2c2905b96f4ec3d4ad
	https://git.kernel.org/stable/c/542bd62b7a7f37182c9ef192c2bd25d118c144e4
	https://git.kernel.org/stable/c/6b0acf6a94c31efa43fce4edc22413a3390f9c05
	https://git.kernel.org/stable/c/ede132a5cf559f3ab35a4c28bac4f4a6c20334d8