CVE-2024-55916

In the Linux kernel, the following vulnerability has been resolved:

Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet

If the KVP (or VSS) daemon starts before the VMBus channel's ringbuffer is fully initialized, we can hit the panic below:

hvutils: Registering HyperV Utility Driver hvvmbus: registering driver hvutils ... BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 44 UID: 0 PID: 2552 Comm: hvkvpdaemon Tainted: G E 6.11.0-rc3+ #1 RIP: 0010:hvpktiterfirst+0x12/0xd0 Call Trace: ... vmbusrecvpacket hvkvponchannelcallback vmbusonevent taskletactioncommon taskletaction handlesoftirqs irqexitrcu sysvechypervstimer0 </IRQ> <TASK> asmsysvechypervstimer0 ... kvpregisterdone hvtopread vfsread ksysread __x64sysread

This can happen because the KVP/VSS channel callback can be invoked even before the channel is fully opened: 1) as soon as hvkvpinit() -> hvutiltransportinit() creates /dev/vmbus/hvkvp, the kvp daemon can open the device file immediately and register itself to the driver by writing a message KVPOPREGISTER1 to the file (which is handled by kvponmsg() ->kvphandlehandshake()) and reading the file for the driver's response, which is handled by hvtopread(), which calls hvt->onread(), i.e. kvpregisterdone().

2) the problem with kvpregisterdone() is that it can cause the channel callback to be called even before the channel is fully opened, and when the channel callback is starting to run, utilprobe()-> vmbusopen() may have not initialized the ringbuffer yet, so the callback can hit the panic of NULL pointer dereference.

To reproduce the panic consistently, we can add a "ssleep(10)" for KVP in __vmbusopen(), just before the first hvringbufferinit(), and then we unload and reload the driver hvutils, and run the daemon manually within the 10 seconds.

Fix the panic by reordering the steps in utilprobe() so the char dev entry used by the KVP or VSS daemon is not created until after vmbusopen() has completed. This reordering prevents the race condition from happening.