cve-2023-52587
Vulnerability from cvelistv5
Published
2024-03-06 06:45
Modified
2024-12-19 08:22
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: IB/ipoib: Fix mcast list locking Releasing the `priv->lock` while iterating the `priv->multicast_list` in `ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to remove the items while in the middle of iteration. If the mcast is removed while the lock was dropped, the for loop spins forever resulting in a hard lockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel): Task A (kworker/u72:2 below) | Task B (kworker/u72:0 below) -----------------------------------+----------------------------------- ipoib_mcast_join_task(work) | ipoib_ib_dev_flush_light(work) spin_lock_irq(&priv->lock) | __ipoib_ib_dev_flush(priv, ...) list_for_each_entry(mcast, | ipoib_mcast_dev_flush(dev = priv->dev) &priv->multicast_list, list) | ipoib_mcast_join(dev, mcast) | spin_unlock_irq(&priv->lock) | | spin_lock_irqsave(&priv->lock, flags) | list_for_each_entry_safe(mcast, tmcast, | &priv->multicast_list, list) | list_del(&mcast->list); | list_add_tail(&mcast->list, &remove_list) | spin_unlock_irqrestore(&priv->lock, flags) spin_lock_irq(&priv->lock) | | ipoib_mcast_remove_list(&remove_list) (Here, `mcast` is no longer on the | list_for_each_entry_safe(mcast, tmcast, `priv->multicast_list` and we keep | remove_list, list) spinning on the `remove_list` of | >>> wait_for_completion(&mcast->done) the other thread which is blocked | and the list is still valid on | it's stack.) Fix this by keeping the lock held and changing to GFP_ATOMIC to prevent eventual sleeps. Unfortunately we could not reproduce the lockup and confirm this fix but based on the code review I think this fix should address such lockups. crash> bc 31 PID: 747 TASK: ff1c6a1a007e8000 CPU: 31 COMMAND: "kworker/u72:2" -- [exception RIP: ipoib_mcast_join_task+0x1b1] RIP: ffffffffc0944ac1 RSP: ff646f199a8c7e00 RFLAGS: 00000002 RAX: 0000000000000000 RBX: ff1c6a1a04dc82f8 RCX: 0000000000000000 work (&priv->mcast_task{,.work}) RDX: ff1c6a192d60ac68 RSI: 0000000000000286 RDI: ff1c6a1a04dc8000 &mcast->list RBP: ff646f199a8c7e90 R8: ff1c699980019420 R9: ff1c6a1920c9a000 R10: ff646f199a8c7e00 R11: ff1c6a191a7d9800 R12: ff1c6a192d60ac00 mcast R13: ff1c6a1d82200000 R14: ff1c6a1a04dc8000 R15: ff1c6a1a04dc82d8 dev priv (&priv->lock) &priv->multicast_list (aka head) ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 --- <NMI exception stack> --- #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib] #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967 crash> rx ff646f199a8c7e68 ff646f199a8c7e68: ff1c6a1a04dc82f8 <<< work = &priv->mcast_task.work crash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000 (empty) crash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000 mcast_task.work.func = 0xffffffffc0944910 <ipoib_mcast_join_task>, mcast_mutex.owner.counter = 0xff1c69998efec000 crash> b 8 PID: 8 TASK: ff1c69998efec000 CPU: 33 COMMAND: "kworker/u72:0" -- #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646 #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib] #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib] #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib] #7 [ff ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/342258fb46d66c1b4c7e2c3717ac01e10c03cf18
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4c8922ae8eb8dcc1e4b7d1059d97a8334288d825
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4f973e211b3b1c6d36f7c6a19239d258856749f9
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5108a2dc2db5630fb6cd58b8be80a0c134bc310a
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/615e3adc2042b7be4ad122a043fc9135e6342c90
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7c7bd4d561e9dc6f5b7df9e184974915f6701a89
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ac2630fd3c90ffec34a0bfc4d413668538b0e8f2
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ed790bd0903ed3352ebf7f650d910f49b7319b34
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/342258fb46d66c1b4c7e2c3717ac01e10c03cf18
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/4c8922ae8eb8dcc1e4b7d1059d97a8334288d825
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/4f973e211b3b1c6d36f7c6a19239d258856749f9
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/5108a2dc2db5630fb6cd58b8be80a0c134bc310a
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/615e3adc2042b7be4ad122a043fc9135e6342c90
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/7c7bd4d561e9dc6f5b7df9e184974915f6701a89
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/ac2630fd3c90ffec34a0bfc4d413668538b0e8f2
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/ed790bd0903ed3352ebf7f650d910f49b7319b34
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
Impacted products
Vendor Product Version
Linux Linux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52587",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-08T18:50:41.278526Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:23:13.749Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:03:21.201Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4c8922ae8eb8dcc1e4b7d1059d97a8334288d825"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/615e3adc2042b7be4ad122a043fc9135e6342c90"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ac2630fd3c90ffec34a0bfc4d413668538b0e8f2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ed790bd0903ed3352ebf7f650d910f49b7319b34"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5108a2dc2db5630fb6cd58b8be80a0c134bc310a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/342258fb46d66c1b4c7e2c3717ac01e10c03cf18"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7c7bd4d561e9dc6f5b7df9e184974915f6701a89"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4f973e211b3b1c6d36f7c6a19239d258856749f9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/ulp/ipoib/ipoib_multicast.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4c8922ae8eb8dcc1e4b7d1059d97a8334288d825",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "615e3adc2042b7be4ad122a043fc9135e6342c90",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ac2630fd3c90ffec34a0bfc4d413668538b0e8f2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ed790bd0903ed3352ebf7f650d910f49b7319b34",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5108a2dc2db5630fb6cd58b8be80a0c134bc310a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "342258fb46d66c1b4c7e2c3717ac01e10c03cf18",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7c7bd4d561e9dc6f5b7df9e184974915f6701a89",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4f973e211b3b1c6d36f7c6a19239d258856749f9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/ulp/ipoib/ipoib_multicast.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.307",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.269",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.210",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/ipoib: Fix mcast list locking\n\nReleasing the `priv-\u003elock` while iterating the `priv-\u003emulticast_list` in\n`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to\nremove the items while in the middle of iteration. If the mcast is removed\nwhile the lock was dropped, the for loop spins forever resulting in a hard\nlockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):\n\n    Task A (kworker/u72:2 below)       | Task B (kworker/u72:0 below)\n    -----------------------------------+-----------------------------------\n    ipoib_mcast_join_task(work)        | ipoib_ib_dev_flush_light(work)\n      spin_lock_irq(\u0026priv-\u003elock)       | __ipoib_ib_dev_flush(priv, ...)\n      list_for_each_entry(mcast,       | ipoib_mcast_dev_flush(dev = priv-\u003edev)\n          \u0026priv-\u003emulticast_list, list) |\n        ipoib_mcast_join(dev, mcast)   |\n          spin_unlock_irq(\u0026priv-\u003elock) |\n                                       |   spin_lock_irqsave(\u0026priv-\u003elock, flags)\n                                       |   list_for_each_entry_safe(mcast, tmcast,\n                                       |                  \u0026priv-\u003emulticast_list, list)\n                                       |     list_del(\u0026mcast-\u003elist);\n                                       |     list_add_tail(\u0026mcast-\u003elist, \u0026remove_list)\n                                       |   spin_unlock_irqrestore(\u0026priv-\u003elock, flags)\n          spin_lock_irq(\u0026priv-\u003elock)   |\n                                       |   ipoib_mcast_remove_list(\u0026remove_list)\n   (Here, `mcast` is no longer on the  |     list_for_each_entry_safe(mcast, tmcast,\n    `priv-\u003emulticast_list` and we keep |                            remove_list, list)\n    spinning on the `remove_list` of   |  \u003e\u003e\u003e  wait_for_completion(\u0026mcast-\u003edone)\n    the other thread which is blocked  |\n    and the list is still valid on     |\n    it\u0027s stack.)\n\nFix this by keeping the lock held and changing to GFP_ATOMIC to prevent\neventual sleeps.\nUnfortunately we could not reproduce the lockup and confirm this fix but\nbased on the code review I think this fix should address such lockups.\n\ncrash\u003e bc 31\nPID: 747      TASK: ff1c6a1a007e8000  CPU: 31   COMMAND: \"kworker/u72:2\"\n--\n    [exception RIP: ipoib_mcast_join_task+0x1b1]\n    RIP: ffffffffc0944ac1  RSP: ff646f199a8c7e00  RFLAGS: 00000002\n    RAX: 0000000000000000  RBX: ff1c6a1a04dc82f8  RCX: 0000000000000000\n                                  work (\u0026priv-\u003emcast_task{,.work})\n    RDX: ff1c6a192d60ac68  RSI: 0000000000000286  RDI: ff1c6a1a04dc8000\n           \u0026mcast-\u003elist\n    RBP: ff646f199a8c7e90   R8: ff1c699980019420   R9: ff1c6a1920c9a000\n    R10: ff646f199a8c7e00  R11: ff1c6a191a7d9800  R12: ff1c6a192d60ac00\n                                                         mcast\n    R13: ff1c6a1d82200000  R14: ff1c6a1a04dc8000  R15: ff1c6a1a04dc82d8\n           dev                    priv (\u0026priv-\u003elock)     \u0026priv-\u003emulticast_list (aka head)\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n--- \u003cNMI exception stack\u003e ---\n #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]\n #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967\n\ncrash\u003e rx ff646f199a8c7e68\nff646f199a8c7e68:  ff1c6a1a04dc82f8 \u003c\u003c\u003c work = \u0026priv-\u003emcast_task.work\n\ncrash\u003e list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000\n(empty)\n\ncrash\u003e ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000\n  mcast_task.work.func = 0xffffffffc0944910 \u003cipoib_mcast_join_task\u003e,\n  mcast_mutex.owner.counter = 0xff1c69998efec000\n\ncrash\u003e b 8\nPID: 8        TASK: ff1c69998efec000  CPU: 33   COMMAND: \"kworker/u72:0\"\n--\n #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646\n #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]\n #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]\n #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]\n #7 [ff\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:22:08.876Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4c8922ae8eb8dcc1e4b7d1059d97a8334288d825"
        },
        {
          "url": "https://git.kernel.org/stable/c/615e3adc2042b7be4ad122a043fc9135e6342c90"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac2630fd3c90ffec34a0bfc4d413668538b0e8f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed790bd0903ed3352ebf7f650d910f49b7319b34"
        },
        {
          "url": "https://git.kernel.org/stable/c/5108a2dc2db5630fb6cd58b8be80a0c134bc310a"
        },
        {
          "url": "https://git.kernel.org/stable/c/342258fb46d66c1b4c7e2c3717ac01e10c03cf18"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c7bd4d561e9dc6f5b7df9e184974915f6701a89"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f973e211b3b1c6d36f7c6a19239d258856749f9"
        }
      ],
      "title": "IB/ipoib: Fix mcast list locking",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52587",
    "datePublished": "2024-03-06T06:45:21.418Z",
    "dateReserved": "2024-03-02T21:55:42.570Z",
    "dateUpdated": "2024-12-19T08:22:08.876Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52587\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-03-06T07:15:07.633\",\"lastModified\":\"2024-11-21T08:40:07.910\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nIB/ipoib: Fix mcast list locking\\n\\nReleasing the `priv-\u003elock` while iterating the `priv-\u003emulticast_list` in\\n`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to\\nremove the items while in the middle of iteration. If the mcast is removed\\nwhile the lock was dropped, the for loop spins forever resulting in a hard\\nlockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):\\n\\n    Task A (kworker/u72:2 below)       | Task B (kworker/u72:0 below)\\n    -----------------------------------+-----------------------------------\\n    ipoib_mcast_join_task(work)        | ipoib_ib_dev_flush_light(work)\\n      spin_lock_irq(\u0026priv-\u003elock)       | __ipoib_ib_dev_flush(priv, ...)\\n      list_for_each_entry(mcast,       | ipoib_mcast_dev_flush(dev = priv-\u003edev)\\n          \u0026priv-\u003emulticast_list, list) |\\n        ipoib_mcast_join(dev, mcast)   |\\n          spin_unlock_irq(\u0026priv-\u003elock) |\\n                                       |   spin_lock_irqsave(\u0026priv-\u003elock, flags)\\n                                       |   list_for_each_entry_safe(mcast, tmcast,\\n                                       |                  \u0026priv-\u003emulticast_list, list)\\n                                       |     list_del(\u0026mcast-\u003elist);\\n                                       |     list_add_tail(\u0026mcast-\u003elist, \u0026remove_list)\\n                                       |   spin_unlock_irqrestore(\u0026priv-\u003elock, flags)\\n          spin_lock_irq(\u0026priv-\u003elock)   |\\n                                       |   ipoib_mcast_remove_list(\u0026remove_list)\\n   (Here, `mcast` is no longer on the  |     list_for_each_entry_safe(mcast, tmcast,\\n    `priv-\u003emulticast_list` and we keep |                            remove_list, list)\\n    spinning on the `remove_list` of   |  \u003e\u003e\u003e  wait_for_completion(\u0026mcast-\u003edone)\\n    the other thread which is blocked  |\\n    and the list is still valid on     |\\n    it\u0027s stack.)\\n\\nFix this by keeping the lock held and changing to GFP_ATOMIC to prevent\\neventual sleeps.\\nUnfortunately we could not reproduce the lockup and confirm this fix but\\nbased on the code review I think this fix should address such lockups.\\n\\ncrash\u003e bc 31\\nPID: 747      TASK: ff1c6a1a007e8000  CPU: 31   COMMAND: \\\"kworker/u72:2\\\"\\n--\\n    [exception RIP: ipoib_mcast_join_task+0x1b1]\\n    RIP: ffffffffc0944ac1  RSP: ff646f199a8c7e00  RFLAGS: 00000002\\n    RAX: 0000000000000000  RBX: ff1c6a1a04dc82f8  RCX: 0000000000000000\\n                                  work (\u0026priv-\u003emcast_task{,.work})\\n    RDX: ff1c6a192d60ac68  RSI: 0000000000000286  RDI: ff1c6a1a04dc8000\\n           \u0026mcast-\u003elist\\n    RBP: ff646f199a8c7e90   R8: ff1c699980019420   R9: ff1c6a1920c9a000\\n    R10: ff646f199a8c7e00  R11: ff1c6a191a7d9800  R12: ff1c6a192d60ac00\\n                                                         mcast\\n    R13: ff1c6a1d82200000  R14: ff1c6a1a04dc8000  R15: ff1c6a1a04dc82d8\\n           dev                    priv (\u0026priv-\u003elock)     \u0026priv-\u003emulticast_list (aka head)\\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\\n--- \u003cNMI exception stack\u003e ---\\n #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]\\n #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967\\n\\ncrash\u003e rx ff646f199a8c7e68\\nff646f199a8c7e68:  ff1c6a1a04dc82f8 \u003c\u003c\u003c work = \u0026priv-\u003emcast_task.work\\n\\ncrash\u003e list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000\\n(empty)\\n\\ncrash\u003e ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000\\n  mcast_task.work.func = 0xffffffffc0944910 \u003cipoib_mcast_join_task\u003e,\\n  mcast_mutex.owner.counter = 0xff1c69998efec000\\n\\ncrash\u003e b 8\\nPID: 8        TASK: ff1c69998efec000  CPU: 33   COMMAND: \\\"kworker/u72:0\\\"\\n--\\n #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646\\n #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]\\n #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]\\n #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]\\n #7 [ff\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: IB/ipoib: corrige el bloqueo de la lista mcast Al liberar `priv-\u0026gt;lock` mientras se itera `priv-\u0026gt;multicast_list` en `ipoib_mcast_join_task()`, se abre una ventana para `ipoib_mcast_dev_flush( )` para eliminar los elementos mientras se encuentra en medio de la iteraci\u00f3n. Si se elimina mcast mientras se elimina el bloqueo, el bucle for gira para siempre, lo que resulta en un bloqueo total (como se inform\u00f3 en el kernel RHEL 4.18.0-372.75.1.el8_6): Tarea A (kworker/u72:2 a continuaci\u00f3n) | Tarea B (kworker/u72:0 a continuaci\u00f3n) -----------------------------------+---- ------------------------------- ipoib_mcast_join_task(trabajo) | ipoib_ib_dev_flush_light(trabajo) spin_lock_irq(\u0026amp;priv-\u0026gt;lock) | __ipoib_ib_dev_flush(priv, ...) list_for_each_entry(mcast, | ipoib_mcast_dev_flush(dev = priv-\u0026gt;dev) \u0026amp;priv-\u0026gt;multicast_list, lista) | ipoib_mcast_join(dev, mcast) | spin_unlock_irq(\u0026amp;priv-\u0026gt;bloquear) | | spin_lock_irqsave(\u0026amp;priv-\u0026gt;bloqueo, banderas) | list_for_each_entry_safe(mcast, tmcast, | \u0026amp;priv-\u0026gt;multicast_list, lista) | list_del(\u0026amp;mcast-\u0026gt;lista); | list_add_tail(\u0026amp;mcast-\u0026gt;lista, \u0026amp;remove_list) | spin_unlock_irqrestore(\u0026amp;priv-\u0026gt;bloquear, banderas) spin_lock_irq(\u0026amp;priv-\u0026gt;bloquear) | | ipoib_mcast_remove_list(\u0026amp;remove_list) (Aqu\u00ed, `mcast` ya no est\u00e1 en | list_for_each_entry_safe(mcast, tmcast, `priv-\u0026gt;multicast_list` y seguimos | remove_list, list) girando en `remove_list` de | \u0026gt;\u0026gt;\u0026gt; wait_for_completion(\u0026amp;mcast -\u0026gt;hecho) el otro hilo que est\u00e1 bloqueado | y la lista sigue siendo v\u00e1lida | en su pila.) Solucione este problema manteniendo el bloqueo mantenido y cambiando a GFP_ATOMIC para evitar eventuales suspensiones. Desafortunadamente, no pudimos reproducir el bloqueo y confirmar esta soluci\u00f3n, pero seg\u00fan la revisi\u00f3n del c\u00f3digo, creo que esta soluci\u00f3n deber\u00eda abordar dichos bloqueos. crash\u0026gt; bc 31 PID: 747 TAREA: ff1c6a1a007e8000 CPU: 31 COMANDO: \\\"kworker/u72:2\\\" -- [excepci\u00f3n RIP: ipoib_mcast_join_task+0x1b1] RIP: ffffffffc0944ac1 RSP: ff646f199a8c7e00 RFLAGS: 000000 02 RAX: 0000000000000000 RBX: ff1c6a1a04dc82f8 RCX: 00000000000000000 trabajo (\u0026amp;priv-\u0026gt;mcast_task{,.work}) RDX: ff1c6a192d60ac68 RSI: 0000000000000286 RDI: ff1c6a1a04dc8000 \u0026amp;mcast-\u0026gt;list RBP: ff646f199a8c7e90 R8: ff1c699980019420 R9: ff 1c6a1920c9a000 R10: ff646f199a8c7e00 R11: ff1c6a191a7d9800 R12: ff1c6a192d60ac00 mcast R13: ff1c6a1d82200000 R14: ff1c6a1a04dc8000 R15: ff1c6a1a04dc82d8 dev priv (\u0026amp;priv-\u0026gt;lock) \u0026amp;priv-\u0026gt;multicast_list (tambi\u00e9n conocido como head) ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 ---  --- #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 en ffffff ffc0944ac1 [ ib_ipoib] #6 [ff646f199a8c7e98] Process_one_work+0x1a7 en ffffffff9bf10967 crash\u0026gt; rx ff646f199a8c7e68 ff646f199a8c7e68: ff1c6a1a04dc82f8 \u0026lt;\u0026lt;\u0026lt; work = \u0026amp;priv-\u0026gt;mcast_task.work crash\u0026gt; lista -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000 (vac\u00edo) falla\u0026gt; ipoib_dev_priv.mcast_task.work. func,mcast_mutex.owner.counter ff1c6a1a04dc8000 mcast_task.work.func = 0xffffffffc0944910 , mcast_mutex.owner.counter = 0xff1c69998efec000 crash\u0026gt; b 8 PID: 8 TAREA: ff1c69998efec000 CPU: 33 COMANDO: \\\"kworker/u72:0\\\" -- #3 [ff646f1980153d50] wait_for_completion+0x96 en ffffffff9c7d7646 #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 en ffffffffc0944dc6 [ib_ipoib] #5 [ff646f1980153de8] ipoib_ mcast_dev_flush+0x1a7 en ffffffffc09455a7 [ib_ipoib] #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 en ffffffffc09431a4 [ib_ipoib] # 7 [ff ---truncado---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/342258fb46d66c1b4c7e2c3717ac01e10c03cf18\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4c8922ae8eb8dcc1e4b7d1059d97a8334288d825\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4f973e211b3b1c6d36f7c6a19239d258856749f9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5108a2dc2db5630fb6cd58b8be80a0c134bc310a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/615e3adc2042b7be4ad122a043fc9135e6342c90\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7c7bd4d561e9dc6f5b7df9e184974915f6701a89\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ac2630fd3c90ffec34a0bfc4d413668538b0e8f2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ed790bd0903ed3352ebf7f650d910f49b7319b34\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/342258fb46d66c1b4c7e2c3717ac01e10c03cf18\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/4c8922ae8eb8dcc1e4b7d1059d97a8334288d825\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/4f973e211b3b1c6d36f7c6a19239d258856749f9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/5108a2dc2db5630fb6cd58b8be80a0c134bc310a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/615e3adc2042b7be4ad122a043fc9135e6342c90\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/7c7bd4d561e9dc6f5b7df9e184974915f6701a89\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/ac2630fd3c90ffec34a0bfc4d413668538b0e8f2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/ed790bd0903ed3352ebf7f650d910f49b7319b34\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.