[lts-9.2] dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list #316

Merged
merged 1 commit into from
Jun 6, 2025

@dvdgomez dvdgomez commented Jun 5, 2025

jira VULN-8254
cve CVE-2024-40956

commit-author Li RongQing <[email protected]>
commit e3215deca4520773cd2b155bed164c12365149a7

Use list_for_each_entry_safe() to allow iterating through the list and deleting the entry in the iteration process. The descriptor is freed via idxd_desc_complete() and there's a slight chance this may cause an issue for the list iterator when the descriptor is reused by another thread without it being deleted from the list.

Fixes: 16e19e11228b ("dmaengine: idxd: Fix list corruption in description completion")
	Signed-off-by: Li RongQing <[email protected]>
	Reviewed-by: Dave Jiang <[email protected]>
	Reviewed-by: Fenghua Yu <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
	Signed-off-by: Vinod Koul <[email protected]>
(cherry picked from commit e3215deca4520773cd2b155bed164c12365149a7)
	Signed-off-by: David Gomez <[email protected]>

Build Log

INSTALL /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  STRIP   /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/sound/usb/usx2y/snd-usb-us122l.ko
  STRIP   /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/sound/usb/snd-usb-audio.ko
  STRIP   /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/sound/usb/usx2y/snd-usb-usx2y.ko
  SIGN    /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/sound/usb/snd-usbmidi-lib.ko
  INSTALL /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/sound/xen/snd_xen_front.ko
  STRIP   /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/sound/virtio/virtio_snd.ko
  SIGN    /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/sound/usb/usx2y/snd-usb-usx2y.ko
  STRIP   /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  SIGN    /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/sound/usb/usx2y/snd-usb-us122l.ko
  SIGN    /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/sound/virtio/virtio_snd.ko
  SIGN    /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/sound/usb/snd-usb-audio.ko
  INSTALL /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/virt/lib/irqbypass.ko
  STRIP   /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/sound/xen/snd_xen_front.ko
  SIGN    /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  STRIP   /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/sound/xen/snd_xen_front.ko
  SIGN    /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+/kernel/virt/lib/irqbypass.ko
  DEPMOD  /lib/modules/5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+
[TIMER]{MODULES}: 15s
Making Install
sh ./arch/x86/boot/install.sh \
	5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 55s
Checking kABI
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+ and Index to 0
The default is /boot/loader/entries/4dff56aa51eb410080f2fadbace916a6-5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+.conf with index 0 and kernel /boot/vmlinuz-5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+
The default is /boot/loader/entries/4dff56aa51eb410080f2fadbace916a6-5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+.conf with index 0 and kernel /boot/vmlinuz-5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+
Generating grub configuration file ...
Adding boot menu entry for UEFI Firmware Settings ...
done
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 20s
[TIMER]{BUILD}: 3262s
[TIMER]{MODULES}: 15s
[TIMER]{INSTALL}: 55s
[TIMER]{TOTAL} 3367s

Testing

5.14.0-284.30.1.el9_2.92ciq_lts.6.1.x86_64.log
5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+.log

$ ls 5.14.0-284.30.1.el9_2.92ciq_lts.6.1.x86_64.log 5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+.log | while read line; do echo $line; grep '^ok' $line | wc -l; done
5.14.0-284.30.1.el9_2.92ciq_lts.6.1.x86_64.log
247
5.14.0-dgomez_ciqlts9_2_VULN-8254-726cc5e81b18+.log
246

Commit that this fixes 16e19e1
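
The iterator hazard described in the commit message, as an added user-space example that is not part of this pull request or the kernel source. `complete_and_reuse()`, `reuse_list` and the descriptor pool are constructed stand-ins; reuse by another thread is simulated by re-linking the completed descriptor onto a second list.

```c
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
struct desc { int id; struct list_head list; };  /* constructed stand-in for a descriptor */
#define NDESC 3
#define to_desc(p) ((struct desc *)((char *)(p) - offsetof(struct desc, list)))
static struct desc pool[NDESC];
static struct list_head flist, reuse_list;  /* reuse_list belongs to the "other thread" */

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void list_del_init(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; list_init(n); }

/* Hypothetical completion: the descriptor is released and reused at once,
 * so its list pointers are rewritten by the new owner. */
static void complete_and_reuse(struct desc *d) { list_add_tail(&d->list, &reuse_list); }

static void setup(void)
{
	list_init(&flist); list_init(&reuse_list);
	for (int i = 0; i < NDESC; i++) { pool[i].id = i; list_add_tail(&pool[i].list, &flist); }
}

/* Plain walk: reads p->next after completion. Returns how many descriptors
 * were completed before the cursor left flist. */
int drain_unsafe(void)
{
	int done = 0;
	setup();
	for (struct list_head *p = flist.next; p != &flist; p = p->next) {
		if (p == &reuse_list) break;  /* cursor followed a recycled pointer */
		complete_and_reuse(to_desc(p)); done++;
	}
	return done;
}

/* Safe walk: next is cached and the entry unlinked before completion. */
int drain_safe(void)
{
	int done = 0;
	setup();
	for (struct list_head *p = flist.next, *n = p->next; p != &flist; p = n, n = p->next) {
		list_del_init(p);
		complete_and_reuse(to_desc(p)); done++;
	}
	return done;
}
int main(void) { printf("unsafe=%d safe=%d\n", drain_unsafe(), drain_safe()); return 0; }
```

In the unsafe walk the guard on `reuse_list` only keeps the demonstration well-defined; without it the cursor would keep walking memory that no longer belongs to `flist`.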
@dvdgomez dvdgomez self-assigned this Jun 5, 2025

@bmastbergen bmastbergen left a comment

🥌

@PlaidCat PlaidCat left a comment

:shipit:

@bmastbergen bmastbergen left a comment

🥌

@dvdgomez dvdgomez merged commit 0fcfced into ciqlts9_2 Jun 6, 2025
3 checks passed
@dvdgomez dvdgomez deleted the dgomez_ciqlts9_2/VULN-8254 branch June 6, 2025 15:22