From: Lee Jones <lee@kernel.org>
To: Michal Hocko <mhocko@suse.com>
Cc: cve@kernel.org, linux-kernel@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Felix Kuehling <felix.kuehling@amd.com>
Subject: Re: CVE-2024-26628: drm/amdkfd: Fix lock dependency warning
Date: Wed, 20 Mar 2024 16:51:27 +0000 [thread overview]
Message-ID: <20240320165127.GV1522089@google.com> (raw)
In-Reply-To: <20240320154734.GU1522089@google.com>
On Wed, 20 Mar 2024, Lee Jones wrote:
> On Wed, 20 Mar 2024, Michal Hocko wrote:
>
> > On Thu 14-03-24 11:09:38, Lee Jones wrote:
> > > On Fri, 08 Mar 2024, Michal Hocko wrote:
> > >
> > > > On Wed 06-03-24 06:46:11, Greg KH wrote:
> > > > [...]
> > > > > Possible unsafe locking scenario:
> > > > >
> > > > > CPU0 CPU1
> > > > > ---- ----
> > > > > lock(&svms->lock);
> > > > > lock(&mm->mmap_lock);
> > > > > lock(&svms->lock);
> > > > > lock((work_completion)(&svm_bo->eviction_work));
> > > > >
> > > > > I believe this cannot really lead to a deadlock in practice, because
> > > > > svm_range_evict_svm_bo_worker only takes the mmap_read_lock if the BO
> > > > > refcount is non-0. That means it's impossible that svm_range_bo_release
> > > > > is running concurrently. However, there is no good way to annotate this.
> > > >
> > > > OK, so is this even a bug (not to mention a security/weakness)?
> > >
> > > Looks like the patch fixes a warning which can crash some kernels. So
> > > the CVE appears to be fixing that, rather than the impossible deadlock.
> >
> > Are you talking about lockdep warning or anything else?
>
> Anything that triggers a BUG() or a WARN() (as per the splat in the
> commit message). Many in-field kernels are configured to panic on
> BUG()s and WARN()s, thus triggering them are presently considered local
> DoS and attract CVE status.
We have discussed this internally and agree with your thinking.
The splat in the circular lockdep detection code appears to be generated
using some stacked pr_warn() calls, rather than a WARN().
Thus, CVE-2024-26628 has now been rejected.
https://lore.kernel.org/all/20240320164818.3778843-2-lee@kernel.org/
Thank you for your input Michal.
--
Lee Jones [李琼斯]
next prev parent reply other threads:[~2024-03-20 16:51 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <2024030649-CVE-2024-26628-f6ce@gregkh>
2024-03-08 9:59 ` CVE-2024-26628: drm/amdkfd: Fix lock dependency warning Michal Hocko
2024-03-14 11:09 ` Lee Jones
2024-03-20 15:32 ` Michal Hocko
2024-03-20 15:47 ` Lee Jones
2024-03-20 16:51 ` Lee Jones [this message]
2024-03-20 17:11 ` Michal Hocko
2024-06-13 9:32 ` Pavel Machek
2024-06-13 10:16 ` Greg Kroah-Hartman
2024-06-13 10:40 ` Pavel Machek
2024-06-13 10:46 ` Greg Kroah-Hartman
2024-06-13 11:44 ` Lee Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240320165127.GV1522089@google.com \
--to=lee@kernel.org \
--cc=cve@kernel.org \
--cc=felix.kuehling@amd.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mhocko@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox