CVE-2024-42319

Summary

In the Linux kernel, the following vulnerability has been resolved:

mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()

When mtk-cmdq unbinds, a WARN_ON message with condition pm_runtime_get_sync() < 0 occurs.

According to the call tracei below: cmdq_mbox_shutdown mbox_free_channel mbox_controller_unregister __devm_mbox_controller_unregister …

The root cause can be deduced to be calling pm_runtime_get_sync() after calling pm_runtime_disable() as observed below:

  1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe() to bind the cmdq device to the mbox_controller, so devm_mbox_controller_unregister() will automatically unregister the device bound to the mailbox controller when the device-managed resource is removed. That means devm_mbox_controller_unregister() and cmdq_mbox_shoutdown() will be called after cmdq_remove().
  2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after devm_mbox_controller_register(), so that devm_pm_runtime_disable() will be called after cmdq_remove(), but before devm_mbox_controller_unregister().

To fix this problem, cmdq_probe() needs to move devm_mbox_controller_register() after devm_pm_runtime_enable() to make devm_pm_runtime_disable() be called after devm_mbox_controller_unregister().

Affected Software

VendorProductVersion RangeStatus
LinuxLinux623a6143a845bd485b00ba684f0ccef11835edab < 1403991a40b94438a2acc749bf05c117abdb34f9affected
LinuxLinux623a6143a845bd485b00ba684f0ccef11835edab < d00df6700ad10974a7e20646956f4ff22cdbe0ecaffected
LinuxLinux623a6143a845bd485b00ba684f0ccef11835edab < 11fa625b45faf0649118b9deaf2d31c86ac41911affected
LinuxLinux623a6143a845bd485b00ba684f0ccef11835edab < a8bd68e4329f9a0ad1b878733e0f80be6a971649affected
LinuxLinux4.19affected
LinuxLinux0 < 4.19unaffected
LinuxLinux6.1.120 <= 6.1.*unaffected
LinuxLinux6.6.64 <= 6.6.*unaffected
LinuxLinux6.10.3 <= 6.10.*unaffected
LinuxLinux6.11 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References