CVE-2024-27005
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
interconnect: Don't access req_list while it's being manipulated
The icc_lock mutex was split into separate icc_lock and icc_bw_lock mutexes in [1] to avoid lockdep splats. However, this didn't adequately protect access to icc_node::req_list.
The icc_set_bw() function will eventually iterate over req_list while only holding icc_bw_lock, but req_list can be modified while only holding icc_lock. This causes races between icc_set_bw(), of_icc_get(), and icc_put().
Example A:
CPU0 CPU1
icc_set_bw(path_a) mutex_lock(&icc_bw_lock); icc_put(path_b) mutex_lock(&icc_lock); aggregate_requests() hlist_for_each_entry(r, … hlist_del(… <r = invalid pointer>
Example B:
CPU0 CPU1
icc_set_bw(path_a) mutex_lock(&icc_bw_lock); path_b = of_icc_get() of_icc_get_by_index() mutex_lock(&icc_lock); path_find() path_init() aggregate_requests() hlist_for_each_entry(r, … hlist_add_head(… <r = invalid pointer>
Fix this by ensuring icc_bw_lock is always held before manipulating icc_node::req_list. The additional places icc_bw_lock is held don't perform any memory allocations, so we should still be safe from the original lockdep splats that motivated the separate locks.
[1] commit af42269c3523 ("interconnect: Fix locking for runpm vs reclaim")
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 9be2957f014d91088db1eb5dd09d9a03d7184dce < fe549d8e976300d0dd75bd904eb216bed8b145e0 | affected |
| Linux | Linux | ee42bfc791aa3cd78e29046f26a09d189beb3efb < 19ec82b3cad1abef2a929262b8c1528f4e0c192d | affected |
| Linux | Linux | af42269c3523492d71ebbe11fefae2653e9cdc78 < d0d04efa2e367921654b5106cc5c05e3757c2b42 | affected |
| Linux | Linux | af42269c3523492d71ebbe11fefae2653e9cdc78 < 4c65507121ea8e0b47fae6d2049c8688390d46b6 | affected |
| Linux | Linux | af42269c3523492d71ebbe11fefae2653e9cdc78 < de1bf25b6d771abdb52d43546cf57ad775fb68a1 | affected |
| Linux | Linux | 2f3a124696d43de3c837f87a9f767c56ee86cf2a | affected |
| Linux | Linux | 5.15.133 < 5.15.151 | affected |
| Linux | Linux | 6.1.55 < 6.1.81 | affected |
| Linux | Linux | 6.5.5 < 6.6 | affected |
| Linux | Linux | 6.6 | affected |
| Linux | Linux | 0 < 6.6 | unaffected |
| Linux | Linux | 5.15.151 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.81 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.29 <= 6.6.* | unaffected |
| Linux | Linux | 6.8.8 <= 6.8.* | unaffected |
| Linux | Linux | 6.9 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/d0d04efa2e367921654b5106cc5c05e3757c2b42
- https://git.kernel.org/stable/c/4c65507121ea8e0b47fae6d2049c8688390d46b6
- https://git.kernel.org/stable/c/de1bf25b6d771abdb52d43546cf57ad775fb68a1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/
References
- https://git.kernel.org/stable/c/fe549d8e976300d0dd75bd904eb216bed8b145e0
- https://git.kernel.org/stable/c/19ec82b3cad1abef2a929262b8c1528f4e0c192d
- https://git.kernel.org/stable/c/d0d04efa2e367921654b5106cc5c05e3757c2b42
- https://git.kernel.org/stable/c/4c65507121ea8e0b47fae6d2049c8688390d46b6
- https://git.kernel.org/stable/c/de1bf25b6d771abdb52d43546cf57ad775fb68a1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.