gsd-2024-26725
Vulnerability from gsd
Modified
2024-02-20 06:02
Details
In the Linux kernel, the following vulnerability has been resolved: dpll: fix possible deadlock during netlink dump operation Recently, I've been hitting following deadlock warning during dpll pin dump: [52804.637962] ====================================================== [52804.638536] WARNING: possible circular locking dependency detected [52804.639111] 6.8.0-rc2jiri+ #1 Not tainted [52804.639529] ------------------------------------------------------ [52804.640104] python3/2984 is trying to acquire lock: [52804.640581] ffff88810e642678 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}, at: netlink_dump+0xb3/0x780 [52804.641417] but task is already holding lock: [52804.642010] ffffffff83bde4c8 (dpll_lock){+.+.}-{3:3}, at: dpll_lock_dumpit+0x13/0x20 [52804.642747] which lock already depends on the new lock. [52804.643551] the existing dependency chain (in reverse order) is: [52804.644259] -> #1 (dpll_lock){+.+.}-{3:3}: [52804.644836] lock_acquire+0x174/0x3e0 [52804.645271] __mutex_lock+0x119/0x1150 [52804.645723] dpll_lock_dumpit+0x13/0x20 [52804.646169] genl_start+0x266/0x320 [52804.646578] __netlink_dump_start+0x321/0x450 [52804.647056] genl_family_rcv_msg_dumpit+0x155/0x1e0 [52804.647575] genl_rcv_msg+0x1ed/0x3b0 [52804.648001] netlink_rcv_skb+0xdc/0x210 [52804.648440] genl_rcv+0x24/0x40 [52804.648831] netlink_unicast+0x2f1/0x490 [52804.649290] netlink_sendmsg+0x36d/0x660 [52804.649742] __sock_sendmsg+0x73/0xc0 [52804.650165] __sys_sendto+0x184/0x210 [52804.650597] __x64_sys_sendto+0x72/0x80 [52804.651045] do_syscall_64+0x6f/0x140 [52804.651474] entry_SYSCALL_64_after_hwframe+0x46/0x4e [52804.652001] -> #0 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}: [52804.652650] check_prev_add+0x1ae/0x1280 [52804.653107] __lock_acquire+0x1ed3/0x29a0 [52804.653559] lock_acquire+0x174/0x3e0 [52804.653984] __mutex_lock+0x119/0x1150 [52804.654423] netlink_dump+0xb3/0x780 [52804.654845] __netlink_dump_start+0x389/0x450 [52804.655321] genl_family_rcv_msg_dumpit+0x155/0x1e0 [52804.655842] genl_rcv_msg+0x1ed/0x3b0 [52804.656272] netlink_rcv_skb+0xdc/0x210 [52804.656721] genl_rcv+0x24/0x40 [52804.657119] netlink_unicast+0x2f1/0x490 [52804.657570] netlink_sendmsg+0x36d/0x660 [52804.658022] __sock_sendmsg+0x73/0xc0 [52804.658450] __sys_sendto+0x184/0x210 [52804.658877] __x64_sys_sendto+0x72/0x80 [52804.659322] do_syscall_64+0x6f/0x140 [52804.659752] entry_SYSCALL_64_after_hwframe+0x46/0x4e [52804.660281] other info that might help us debug this: [52804.661077] Possible unsafe locking scenario: [52804.661671] CPU0 CPU1 [52804.662129] ---- ---- [52804.662577] lock(dpll_lock); [52804.662924] lock(nlk_cb_mutex-GENERIC); [52804.663538] lock(dpll_lock); [52804.664073] lock(nlk_cb_mutex-GENERIC); [52804.664490] The issue as follows: __netlink_dump_start() calls control->start(cb) with nlk->cb_mutex held. In control->start(cb) the dpll_lock is taken. Then nlk->cb_mutex is released and taken again in netlink_dump(), while dpll_lock still being held. That leads to ABBA deadlock when another CPU races with the same operation. Fix this by moving dpll_lock taking into dumpit() callback which ensures correct lock taking order.
Aliases


To clipboard 

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-26725"
      ],
      "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpll: fix possible deadlock during netlink dump operation\n\nRecently, I\u0027ve been hitting following deadlock warning during dpll pin\ndump:\n\n[52804.637962] ======================================================\n[52804.638536] WARNING: possible circular locking dependency detected\n[52804.639111] 6.8.0-rc2jiri+ #1 Not tainted\n[52804.639529] ------------------------------------------------------\n[52804.640104] python3/2984 is trying to acquire lock:\n[52804.640581] ffff88810e642678 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}, at: netlink_dump+0xb3/0x780\n[52804.641417]\n               but task is already holding lock:\n[52804.642010] ffffffff83bde4c8 (dpll_lock){+.+.}-{3:3}, at: dpll_lock_dumpit+0x13/0x20\n[52804.642747]\n               which lock already depends on the new lock.\n\n[52804.643551]\n               the existing dependency chain (in reverse order) is:\n[52804.644259]\n               -\u003e #1 (dpll_lock){+.+.}-{3:3}:\n[52804.644836]        lock_acquire+0x174/0x3e0\n[52804.645271]        __mutex_lock+0x119/0x1150\n[52804.645723]        dpll_lock_dumpit+0x13/0x20\n[52804.646169]        genl_start+0x266/0x320\n[52804.646578]        __netlink_dump_start+0x321/0x450\n[52804.647056]        genl_family_rcv_msg_dumpit+0x155/0x1e0\n[52804.647575]        genl_rcv_msg+0x1ed/0x3b0\n[52804.648001]        netlink_rcv_skb+0xdc/0x210\n[52804.648440]        genl_rcv+0x24/0x40\n[52804.648831]        netlink_unicast+0x2f1/0x490\n[52804.649290]        netlink_sendmsg+0x36d/0x660\n[52804.649742]        __sock_sendmsg+0x73/0xc0\n[52804.650165]        __sys_sendto+0x184/0x210\n[52804.650597]        __x64_sys_sendto+0x72/0x80\n[52804.651045]        do_syscall_64+0x6f/0x140\n[52804.651474]        entry_SYSCALL_64_after_hwframe+0x46/0x4e\n[52804.652001]\n               -\u003e #0 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}:\n[52804.652650]        check_prev_add+0x1ae/0x1280\n[52804.653107]        __lock_acquire+0x1ed3/0x29a0\n[52804.653559]        lock_acquire+0x174/0x3e0\n[52804.653984]        __mutex_lock+0x119/0x1150\n[52804.654423]        netlink_dump+0xb3/0x780\n[52804.654845]        __netlink_dump_start+0x389/0x450\n[52804.655321]        genl_family_rcv_msg_dumpit+0x155/0x1e0\n[52804.655842]        genl_rcv_msg+0x1ed/0x3b0\n[52804.656272]        netlink_rcv_skb+0xdc/0x210\n[52804.656721]        genl_rcv+0x24/0x40\n[52804.657119]        netlink_unicast+0x2f1/0x490\n[52804.657570]        netlink_sendmsg+0x36d/0x660\n[52804.658022]        __sock_sendmsg+0x73/0xc0\n[52804.658450]        __sys_sendto+0x184/0x210\n[52804.658877]        __x64_sys_sendto+0x72/0x80\n[52804.659322]        do_syscall_64+0x6f/0x140\n[52804.659752]        entry_SYSCALL_64_after_hwframe+0x46/0x4e\n[52804.660281]\n               other info that might help us debug this:\n\n[52804.661077]  Possible unsafe locking scenario:\n\n[52804.661671]        CPU0                    CPU1\n[52804.662129]        ----                    ----\n[52804.662577]   lock(dpll_lock);\n[52804.662924]                                lock(nlk_cb_mutex-GENERIC);\n[52804.663538]                                lock(dpll_lock);\n[52804.664073]   lock(nlk_cb_mutex-GENERIC);\n[52804.664490]\n\nThe issue as follows: __netlink_dump_start() calls control-\u003estart(cb)\nwith nlk-\u003ecb_mutex held. In control-\u003estart(cb) the dpll_lock is taken.\nThen nlk-\u003ecb_mutex is released and taken again in netlink_dump(), while\ndpll_lock still being held. That leads to ABBA deadlock when another\nCPU races with the same operation.\n\nFix this by moving dpll_lock taking into dumpit() callback which ensures\ncorrect lock taking order.",
      "id": "GSD-2024-26725",
      "modified": "2024-02-20T06:02:29.161842Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@kernel.org",
        "ID": "CVE-2024-26725",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Linux",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "9d71b54b65b1",
                          "version_value": "087739cbd0d0"
                        },
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "affected",
                            "versions": [
                              {
                                "status": "affected",
                                "version": "6.7"
                              },
                              {
                                "lessThan": "6.7",
                                "status": "unaffected",
                                "version": "0",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "6.7.*",
                                "status": "unaffected",
                                "version": "6.7.6",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "*",
                                "status": "unaffected",
                                "version": "6.8",
                                "versionType": "original_commit_for_fix"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Linux"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpll: fix possible deadlock during netlink dump operation\n\nRecently, I\u0027ve been hitting following deadlock warning during dpll pin\ndump:\n\n[52804.637962] ======================================================\n[52804.638536] WARNING: possible circular locking dependency detected\n[52804.639111] 6.8.0-rc2jiri+ #1 Not tainted\n[52804.639529] ------------------------------------------------------\n[52804.640104] python3/2984 is trying to acquire lock:\n[52804.640581] ffff88810e642678 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}, at: netlink_dump+0xb3/0x780\n[52804.641417]\n               but task is already holding lock:\n[52804.642010] ffffffff83bde4c8 (dpll_lock){+.+.}-{3:3}, at: dpll_lock_dumpit+0x13/0x20\n[52804.642747]\n               which lock already depends on the new lock.\n\n[52804.643551]\n               the existing dependency chain (in reverse order) is:\n[52804.644259]\n               -\u003e #1 (dpll_lock){+.+.}-{3:3}:\n[52804.644836]        lock_acquire+0x174/0x3e0\n[52804.645271]        __mutex_lock+0x119/0x1150\n[52804.645723]        dpll_lock_dumpit+0x13/0x20\n[52804.646169]        genl_start+0x266/0x320\n[52804.646578]        __netlink_dump_start+0x321/0x450\n[52804.647056]        genl_family_rcv_msg_dumpit+0x155/0x1e0\n[52804.647575]        genl_rcv_msg+0x1ed/0x3b0\n[52804.648001]        netlink_rcv_skb+0xdc/0x210\n[52804.648440]        genl_rcv+0x24/0x40\n[52804.648831]        netlink_unicast+0x2f1/0x490\n[52804.649290]        netlink_sendmsg+0x36d/0x660\n[52804.649742]        __sock_sendmsg+0x73/0xc0\n[52804.650165]        __sys_sendto+0x184/0x210\n[52804.650597]        __x64_sys_sendto+0x72/0x80\n[52804.651045]        do_syscall_64+0x6f/0x140\n[52804.651474]        entry_SYSCALL_64_after_hwframe+0x46/0x4e\n[52804.652001]\n               -\u003e #0 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}:\n[52804.652650]        check_prev_add+0x1ae/0x1280\n[52804.653107]        __lock_acquire+0x1ed3/0x29a0\n[52804.653559]        lock_acquire+0x174/0x3e0\n[52804.653984]        __mutex_lock+0x119/0x1150\n[52804.654423]        netlink_dump+0xb3/0x780\n[52804.654845]        __netlink_dump_start+0x389/0x450\n[52804.655321]        genl_family_rcv_msg_dumpit+0x155/0x1e0\n[52804.655842]        genl_rcv_msg+0x1ed/0x3b0\n[52804.656272]        netlink_rcv_skb+0xdc/0x210\n[52804.656721]        genl_rcv+0x24/0x40\n[52804.657119]        netlink_unicast+0x2f1/0x490\n[52804.657570]        netlink_sendmsg+0x36d/0x660\n[52804.658022]        __sock_sendmsg+0x73/0xc0\n[52804.658450]        __sys_sendto+0x184/0x210\n[52804.658877]        __x64_sys_sendto+0x72/0x80\n[52804.659322]        do_syscall_64+0x6f/0x140\n[52804.659752]        entry_SYSCALL_64_after_hwframe+0x46/0x4e\n[52804.660281]\n               other info that might help us debug this:\n\n[52804.661077]  Possible unsafe locking scenario:\n\n[52804.661671]        CPU0                    CPU1\n[52804.662129]        ----                    ----\n[52804.662577]   lock(dpll_lock);\n[52804.662924]                                lock(nlk_cb_mutex-GENERIC);\n[52804.663538]                                lock(dpll_lock);\n[52804.664073]   lock(nlk_cb_mutex-GENERIC);\n[52804.664490]\n\nThe issue as follows: __netlink_dump_start() calls control-\u003estart(cb)\nwith nlk-\u003ecb_mutex held. In control-\u003estart(cb) the dpll_lock is taken.\nThen nlk-\u003ecb_mutex is released and taken again in netlink_dump(), while\ndpll_lock still being held. That leads to ABBA deadlock when another\nCPU races with the same operation.\n\nFix this by moving dpll_lock taking into dumpit() callback which ensures\ncorrect lock taking order."
          }
        ]
      },
      "generator": {
        "engine": "bippy-d3b290d2becc"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://git.kernel.org/stable/c/087739cbd0d0b87b6cec2c0799436ac66e24acc8",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/087739cbd0d0b87b6cec2c0799436ac66e24acc8"
          },
          {
            "name": "https://git.kernel.org/stable/c/53c0441dd2c44ee93fddb5473885fd41e4bc2361",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/53c0441dd2c44ee93fddb5473885fd41e4bc2361"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpll: fix possible deadlock during netlink dump operation\n\nRecently, I\u0027ve been hitting following deadlock warning during dpll pin\ndump:\n\n[52804.637962] ======================================================\n[52804.638536] WARNING: possible circular locking dependency detected\n[52804.639111] 6.8.0-rc2jiri+ #1 Not tainted\n[52804.639529] ------------------------------------------------------\n[52804.640104] python3/2984 is trying to acquire lock:\n[52804.640581] ffff88810e642678 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}, at: netlink_dump+0xb3/0x780\n[52804.641417]\n               but task is already holding lock:\n[52804.642010] ffffffff83bde4c8 (dpll_lock){+.+.}-{3:3}, at: dpll_lock_dumpit+0x13/0x20\n[52804.642747]\n               which lock already depends on the new lock.\n\n[52804.643551]\n               the existing dependency chain (in reverse order) is:\n[52804.644259]\n               -\u003e #1 (dpll_lock){+.+.}-{3:3}:\n[52804.644836]        lock_acquire+0x174/0x3e0\n[52804.645271]        __mutex_lock+0x119/0x1150\n[52804.645723]        dpll_lock_dumpit+0x13/0x20\n[52804.646169]        genl_start+0x266/0x320\n[52804.646578]        __netlink_dump_start+0x321/0x450\n[52804.647056]        genl_family_rcv_msg_dumpit+0x155/0x1e0\n[52804.647575]        genl_rcv_msg+0x1ed/0x3b0\n[52804.648001]        netlink_rcv_skb+0xdc/0x210\n[52804.648440]        genl_rcv+0x24/0x40\n[52804.648831]        netlink_unicast+0x2f1/0x490\n[52804.649290]        netlink_sendmsg+0x36d/0x660\n[52804.649742]        __sock_sendmsg+0x73/0xc0\n[52804.650165]        __sys_sendto+0x184/0x210\n[52804.650597]        __x64_sys_sendto+0x72/0x80\n[52804.651045]        do_syscall_64+0x6f/0x140\n[52804.651474]        entry_SYSCALL_64_after_hwframe+0x46/0x4e\n[52804.652001]\n               -\u003e #0 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}:\n[52804.652650]        check_prev_add+0x1ae/0x1280\n[52804.653107]        __lock_acquire+0x1ed3/0x29a0\n[52804.653559]        lock_acquire+0x174/0x3e0\n[52804.653984]        __mutex_lock+0x119/0x1150\n[52804.654423]        netlink_dump+0xb3/0x780\n[52804.654845]        __netlink_dump_start+0x389/0x450\n[52804.655321]        genl_family_rcv_msg_dumpit+0x155/0x1e0\n[52804.655842]        genl_rcv_msg+0x1ed/0x3b0\n[52804.656272]        netlink_rcv_skb+0xdc/0x210\n[52804.656721]        genl_rcv+0x24/0x40\n[52804.657119]        netlink_unicast+0x2f1/0x490\n[52804.657570]        netlink_sendmsg+0x36d/0x660\n[52804.658022]        __sock_sendmsg+0x73/0xc0\n[52804.658450]        __sys_sendto+0x184/0x210\n[52804.658877]        __x64_sys_sendto+0x72/0x80\n[52804.659322]        do_syscall_64+0x6f/0x140\n[52804.659752]        entry_SYSCALL_64_after_hwframe+0x46/0x4e\n[52804.660281]\n               other info that might help us debug this:\n\n[52804.661077]  Possible unsafe locking scenario:\n\n[52804.661671]        CPU0                    CPU1\n[52804.662129]        ----                    ----\n[52804.662577]   lock(dpll_lock);\n[52804.662924]                                lock(nlk_cb_mutex-GENERIC);\n[52804.663538]                                lock(dpll_lock);\n[52804.664073]   lock(nlk_cb_mutex-GENERIC);\n[52804.664490]\n\nThe issue as follows: __netlink_dump_start() calls control-\u003estart(cb)\nwith nlk-\u003ecb_mutex held. In control-\u003estart(cb) the dpll_lock is taken.\nThen nlk-\u003ecb_mutex is released and taken again in netlink_dump(), while\ndpll_lock still being held. That leads to ABBA deadlock when another\nCPU races with the same operation.\n\nFix this by moving dpll_lock taking into dumpit() callback which ensures\ncorrect lock taking order."
          }
        ],
        "id": "CVE-2024-26725",
        "lastModified": "2024-04-03T17:24:18.150",
        "metrics": {},
        "published": "2024-04-03T15:15:54.257",
        "references": [
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/087739cbd0d0b87b6cec2c0799436ac66e24acc8"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/53c0441dd2c44ee93fddb5473885fd41e4bc2361"
          }
        ],
        "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "vulnStatus": "Awaiting Analysis"
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.