CVE-2024-40980 Information
Description
In the Linux kernel, the following vulnerability has been resolved:
drop_monitor: replace spin_lock by raw_spin_lock
trace_drop_common() is called with preemption disabled and it acquires a spin_lock. This is problematic for RT kernels because spin_locks are sleeping locks in this configuration, which causes the following splat:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1 irqs_disabled(): 1 non_block: 0 pid: 449 name: rcuc/47
preempt_count: 1 expected: 0
RCU nest depth: 2 expected: 2
5 locks held by rcuc/47/449:
0: ff1100086ec30a60 ((softirq_ctrl.lock))+.+.-2:2 at: __local_bh_disable_ip+0x105/0x210
1: ffffffffb394a280 (rcu_read_lock)….-1:2 at: rt_spin_lock+0xbf/0x130
2: ffffffffb394a280 (rcu_read_lock)….-1:2 at: __local_bh_disable_ip+0x11c/0x210
3: ffffffffb394a160 (rcu_callback)….-0:0 at: rcu_do_batch+0x360/0xc70
4: ff1100086ee07520 (&data->lock)+.+.-2:2 at: trace_drop_common.constprop.0+0xb5/0x290
irq event stamp: 139909
hardirqs last enabled at (139908): [
trace_drop_common() also disables interrupts but this is a minor issue because we could easily replace it with a local_lock.
Replace the spin_lock with raw_spin_lock to avoid sleeping in atomic context.
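A triage helper for the splat quoted above, added here as an example (it is not part of the advisory or the kernel patch): it scans kernel log text for this warning and flags reports in which a held lock was taken inside trace_drop_common(). The name find_drop_monitor_splats and the report fields are assumptions of this example; the sample lines are copied from the splat as it appears on this page.

```python
import re

# Sample input: lines copied from the splat as rendered on this page.
SAMPLE_LOG = """\
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1 irqs_disabled(): 1 non_block: 0 pid: 449 name: rcuc/47
preempt_count: 1 expected: 0
5 locks held by rcuc/47/449:
0: ff1100086ec30a60 ((softirq_ctrl.lock))+.+.-2:2 at: __local_bh_disable_ip+0x105/0x210
4: ff1100086ee07520 (&data->lock)+.+.-2:2 at: trace_drop_common.constprop.0+0xb5/0x290
"""

BUG_RE = re.compile(r"BUG: sleeping function called from invalid context at (\S+):(\d+)")
CTX_RE = re.compile(r"in_atomic\(\): (\d+) irqs_disabled\(\): (\d+) .*pid: (\d+) name: (\S+)")
# Lock name in parentheses, then the symbol after "at:" (any usage flags between are skipped).
LOCK_RE = re.compile(r"\(([^()]+)\).*? at: ([A-Za-z_][\w.]*)\+0x")


def find_drop_monitor_splats(log_text):
    """Return one dict per 'sleeping function' splat, flagging drop_monitor ones."""
    reports, current = [], None
    for line in log_text.splitlines():
        # Drop an optional dmesg timestamp such as "[  123.456789] ".
        line = re.sub(r"^\[\s*\d+\.\d+\]\s*", "", line.strip())
        m = BUG_RE.search(line)
        if m:
            current = {"source": m.group(1), "line": int(m.group(2)),
                       "in_atomic": None, "irqs_disabled": None,
                       "pid": None, "task": None, "locks": [], "drop_monitor": False}
            reports.append(current)
            continue
        if current is None:
            continue  # not inside a splat yet
        m = CTX_RE.search(line)
        if m:
            current.update(in_atomic=bool(int(m.group(1))), irqs_disabled=bool(int(m.group(2))),
                           pid=int(m.group(3)), task=m.group(4))
            continue
        m = LOCK_RE.search(line)
        if m:
            current["locks"].append((m.group(1), m.group(2)))
            # Signature described in the advisory: a lock acquired in trace_drop_common().
            if m.group(2).startswith("trace_drop_common"):
                current["drop_monitor"] = True
    return reports


if __name__ == "__main__":
    for report in find_drop_monitor_splats(SAMPLE_LOG):
        print(report)
```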
Reference
https://git.kernel.org/stable/c/594e47957f3fe034645e6885393ce96c12286334
https://git.kernel.org/stable/c/96941f29ebcc1e9cbf570dc903f30374909562f5
https://git.kernel.org/stable/c/b3722fb69468693555f531cddda5c30444726dac
https://git.kernel.org/stable/c/f251ccef1d864790e5253386e95544420b7cd8f3
https://git.kernel.org/stable/c/76ce2f9125244e1708d29c1d3f9d1d50b347bda0
https://git.kernel.org/stable/c/07ea878684dfb78a9d4f564c39d07e855a9e242e
https://git.kernel.org/stable/c/f1e197a665c2148ebc25fe09c53689e60afea195