CVE-2024-35795

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-35795
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-35795.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-35795
Published
2024-05-17T14:15:11Z
Modified
2024-09-11T05:03:59.022543Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix deadlock while reading mqd from debugfs

An errant disk backup on my desktop got into debugfs and triggered the following deadlock scenario in the amdgpu debugfs files. The machine also hard-resets immediately after those lines are printed (although I wasn't able to reproduce that part when reading by hand):

[ 1318.016074][ T1082] ======================================================
[ 1318.016607][ T1082] WARNING: possible circular locking dependency detected
[ 1318.017107][ T1082] 6.8.0-rc7-00015-ge0c8221b72c0 #17 Not tainted
[ 1318.017598][ T1082] ------------------------------------------------------
[ 1318.018096][ T1082] tar/1082 is trying to acquire lock:
[ 1318.018585][ T1082] ffff98c44175d6a0 (&mm->mmap_lock){++++}-{3:3}, at: __might_fault+0x40/0x80
[ 1318.019084][ T1082]
[ 1318.019084][ T1082] but task is already holding lock:
[ 1318.020052][ T1082] ffff98c4c13f55f8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: amdgpu_debugfs_mqd_read+0x6a/0x250 [amdgpu]
[ 1318.020607][ T1082]
[ 1318.020607][ T1082] which lock already depends on the new lock.
[ 1318.020607][ T1082]
[ 1318.022081][ T1082]
[ 1318.022081][ T1082] the existing dependency chain (in reverse order) is:
[ 1318.023083][ T1082]
[ 1318.023083][ T1082] -> #2 (reservation_ww_class_mutex){+.+.}-{3:3}:
[ 1318.024114][ T1082]        __ww_mutex_lock.constprop.0+0xe0/0x12f0
[ 1318.024639][ T1082]        ww_mutex_lock+0x32/0x90
[ 1318.025161][ T1082]        dma_resv_lockdep+0x18a/0x330
[ 1318.025683][ T1082]        do_one_initcall+0x6a/0x350
[ 1318.026210][ T1082]        kernel_init_freeable+0x1a3/0x310
[ 1318.026728][ T1082]        kernel_init+0x15/0x1a0
[ 1318.027242][ T1082]        ret_from_fork+0x2c/0x40
[ 1318.027759][ T1082]        ret_from_fork_asm+0x11/0x20
[ 1318.028281][ T1082]
[ 1318.028281][ T1082] -> #1 (reservation_ww_class_acquire){+.+.}-{0:0}:
[ 1318.029297][ T1082]        dma_resv_lockdep+0x16c/0x330
[ 1318.029790][ T1082]        do_one_initcall+0x6a/0x350
[ 1318.030263][ T1082]        kernel_init_freeable+0x1a3/0x310
[ 1318.030722][ T1082]        kernel_init+0x15/0x1a0
[ 1318.031168][ T1082]        ret_from_fork+0x2c/0x40
[ 1318.031598][ T1082]        ret_from_fork_asm+0x11/0x20
[ 1318.032011][ T1082]
[ 1318.032011][ T1082] -> #0 (&mm->mmap_lock){++++}-{3:3}:
[ 1318.032778][ T1082]        __lock_acquire+0x14bf/0x2680
[ 1318.033141][ T1082]        lock_acquire+0xcd/0x2c0
[ 1318.033487][ T1082]        __might_fault+0x58/0x80
[ 1318.033814][ T1082]        amdgpu_debugfs_mqd_read+0x103/0x250 [amdgpu]
[ 1318.034181][ T1082]        full_proxy_read+0x55/0x80
[ 1318.034487][ T1082]        vfs_read+0xa7/0x360
[ 1318.034788][ T1082]        ksys_read+0x70/0xf0
[ 1318.035085][ T1082]        do_syscall_64+0x94/0x180
[ 1318.035375][ T1082]        entry_SYSCALL_64_after_hwframe+0x46/0x4e
[ 1318.035664][ T1082]
[ 1318.035664][ T1082] other info that might help us debug this:
[ 1318.035664][ T1082]
[ 1318.036487][ T1082] Chain exists of:
[ 1318.036487][ T1082]   &mm->mmap_lock --> reservation_ww_class_acquire --> reservation_ww_class_mutex
[ 1318.036487][ T1082]
[ 1318.037310][ T1082]  Possible unsafe locking scenario:
[ 1318.037310][ T1082]
[ 1318.037838][ T1082]        CPU0                    CPU1
[ 1318.038101][ T1082]        ----                    ----
[ 1318.038350][ T1082]   lock(reservation_ww_class_mutex);
[ 1318.038590][ T1082]                                lock(reservation_ww_class_acquire);
[ 1318.038839][ T1082]                                lock(reservation_ww_class_mutex);
[ 1318.039083][ T1082]   rlock(&mm->mmap_lock);
[ 1318.039328][ T1082]
[ 1318.039328][ T1082]  *** DEADLOCK ***
[ 1318.039328][ T1082]
[ 1318.040029][ T1082] 1 lock held by tar/1082:
[ 1318.040259][ T1082]  #0: ffff98c4c13f55f8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: amdgpu_debugfs_mqd_read+0x6a/0x250 [amdgpu]
[ 1318.040560][ T1082]
[ 1318.040560][ T1082] stack backtrace:
[ ---truncated---

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.7.12-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}