From: Lee Jones
To: linux-cve-announce@vger.kernel.org
Cc: Lee Jones
Subject: CVE-2023-52486: drm: Don't unref the same fb many times by mistake due to deadlock handling
Date: Thu, 29 Feb 2024 15:52:46 +0000
Message-ID: <20240229155245.1571576-27-lee@kernel.org>
X-Mailing-List: linux-cve-announce@vger.kernel.org

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

drm: Don't unref the same fb many times by mistake due to deadlock handling

If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl() we
proceed to unref the fb and then retry the whole thing from the top. But we
forget to reset the fb pointer back to NULL, and so if we then get another
error during the retry, before the fb lookup, we proceed to unref the same fb
again without having gotten another reference. The end result is that the fb
will (eventually) end up being freed while it's still in use.

Reset fb to NULL once we've unreffed it to avoid doing it again until we've
done another fb lookup.

This turned out to be pretty easy to hit on a DG2 when doing async flips (and
CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I saw was that
drm_closefb() simply got stuck in a busy loop while walking the framebuffer
list. Fortunately I was able to convince it to oops instead, and from there it
was easier to track down the culprit.

The Linux kernel CVE team has assigned CVE-2023-52486 to this issue.

Affected and fixed versions
===========================

	Fixed in 4.19.307 with commit 376e21a9e4c2
	Fixed in 5.4.269 with commit 9dd334a82450
	Fixed in 5.10.210 with commit f55261469be8
	Fixed in 5.15.149 with commit b4af63da9d94
	Fixed in 6.1.76 with commit 62f2e79cf9f4
	Fixed in 6.6.15 with commit d7afdf360f4a
	Fixed in 6.7.3 with commit bfd0feb1b109
	Fixed in 6.8-rc1 with commit cb4daf271302

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to older
supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52486
will be updated if fixes are backported; please check that for the most up to
date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/gpu/drm/drm_plane.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest stable
kernel version for this, and many other bugfixes. Individual changes are never
tested alone, but rather are part of a larger kernel release. Cherry-picking
individual commits is not recommended or supported by the Linux kernel
community at all. If, however, updating to the latest release is impossible,
the individual changes to resolve this issue can be found at these commits:
	https://git.kernel.org/stable/c/376e21a9e4c2c63ee5d8d3aa74be5082c3882229
	https://git.kernel.org/stable/c/9dd334a8245011ace45e53298175c7b659edb3e7
	https://git.kernel.org/stable/c/f55261469be87c55df13db76dc945f6bcd825105
	https://git.kernel.org/stable/c/b4af63da9d94986c529d74499fdfe44289acd551
	https://git.kernel.org/stable/c/62f2e79cf9f4f47cc9dea9cebdf58d9f7b5695e0
	https://git.kernel.org/stable/c/d7afdf360f4ac142832b098b4de974e867cc063c
	https://git.kernel.org/stable/c/bfd0feb1b109cb63b87fdcd00122603787c75a1a
	https://git.kernel.org/stable/c/cb4daf271302d71a6b9a7c01bd0b6d76febd8f0c
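The bug class described above (a retry loop that drops a reference but keeps the stale pointer, so a later early-exit path drops it again) is easiest to see in a small userspace model. The following C program is an added example written for this announcement; it is not code from drivers/gpu/drm/drm_plane.c or from the fix commits. The struct and the helpers fb_lookup(), fb_put() and page_flip_model() are constructed stand-ins that mimic the lookup/put reference-counting discipline the description relies on; the scripted "deadlock on attempt 0, error before lookup on attempt 1" sequence is likewise constructed to drive the two paths deterministically. Each run returns the owner's refcount when the ioctl model exits: 1 means the references balanced, 0 means the caller stole the owner's reference, which is the state that eventually frees an fb still in use.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed refcounted object; stands in for a framebuffer whose owner
 * (e.g. the device's fb list) holds exactly one reference at the start. */
struct fb {
    int refcount;
};

/* Lookup returns the object with one extra reference for the caller
 * (models the lookup-takes-a-reference contract named in the description). */
static struct fb *fb_lookup(struct fb *f)
{
    f->refcount++;
    return f;
}

/* Drop one reference. */
static void fb_put(struct fb *f)
{
    f->refcount--;
}

/*
 * Scripted ioctl body. Attempt 0 hits a "deadlock" after the lookup and
 * restarts from 'retry'; attempt 1 fails before the lookup and jumps to
 * the common exit path. reset_on_retry toggles the one-line fix.
 * Returns the object's refcount at exit (1 = balanced, 0 = over-put).
 */
static int page_flip_model(struct fb *obj, bool reset_on_retry)
{
    struct fb *fb = NULL;
    int attempt = 0;

retry:
    if (attempt == 1)           /* error before the lookup: no new reference held */
        goto out;

    fb = fb_lookup(obj);        /* +1: we now own one reference */

    if (attempt == 0) {         /* deadlock detected after the lookup */
        fb_put(fb);             /* -1: correct, we are about to start over */
        if (reset_on_retry)
            fb = NULL;          /* the fix: stop remembering a pointer we no longer own */
        attempt++;
        goto retry;
    }

out:
    if (fb)
        fb_put(fb);             /* without the fix this drops a reference we never took */
    return obj->refcount;
}

/* Buggy variant: stale fb pointer survives the retry. */
int run_buggy(void)
{
    struct fb f = { .refcount = 1 };
    return page_flip_model(&f, false);
}

/* Fixed variant: fb reset to NULL after the unref. */
int run_fixed(void)
{
    struct fb f = { .refcount = 1 };
    return page_flip_model(&f, true);
}

int main(void)
{
    printf("buggy: owner refcount after ioctl = %d\n", run_buggy());
    printf("fixed: owner refcount after ioctl = %d\n", run_fixed());
    return 0;
}
```

Running it shows the buggy path leaving the owner's refcount at 0 after a single retry, while the fixed path leaves it at 1; in a real kernel the same imbalance is what lets the framebuffer be released while the fb list still walks it. The general defensive rule the fix applies is that any pointer whose reference has been dropped should be cleared at the same point, so that a shared exit path cannot tell a dropped reference from a held one.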