cve-2024-53090
Vulnerability from cvelistv5
Published
2024-11-21 18:17
Modified
2024-12-19 09:38
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
afs: Fix lock recursion
afs_wake_up_async_call() can incur lock recursion. The problem is that it
is called from AF_RXRPC whilst holding the ->notify_lock, but it tries to
take a ref on the afs_call struct in order to pass it to a work queue - but
if the afs_call is already queued, we then have an extraneous ref that must
be put... calling afs_put_call() may call back down into AF_RXRPC through
rxrpc_kernel_shutdown_call(), however, which might try taking the
->notify_lock again.
This case isn't very common, however, so defer it to a workqueue. The oops
looks something like:
BUG: spinlock recursion on CPU#0, krxrpcio/7001/1646
lock: 0xffff888141399b30, .magic: dead4ead, .owner: krxrpcio/7001/1646, .owner_cpu: 0
CPU: 0 UID: 0 PID: 1646 Comm: krxrpcio/7001 Not tainted 6.12.0-rc2-build3+ #4351
Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
Call Trace:
<TASK>
dump_stack_lvl+0x47/0x70
do_raw_spin_lock+0x3c/0x90
rxrpc_kernel_shutdown_call+0x83/0xb0
afs_put_call+0xd7/0x180
rxrpc_notify_socket+0xa0/0x190
rxrpc_input_split_jumbo+0x198/0x1d0
rxrpc_input_data+0x14b/0x1e0
? rxrpc_input_call_packet+0xc2/0x1f0
rxrpc_input_call_event+0xad/0x6b0
rxrpc_input_packet_on_conn+0x1e1/0x210
rxrpc_input_packet+0x3f2/0x4d0
rxrpc_io_thread+0x243/0x410
? __pfx_rxrpc_io_thread+0x10/0x10
kthread+0xcf/0xe0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x24/0x40
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/afs/internal.h", "fs/afs/rxrpc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d7cbf81df996b1eae2dee8deb6df08e2eba78661", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "610a79ffea02102899a1373fe226d949944a7ed6", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/afs/internal.h", "fs/afs/rxrpc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix lock recursion\n\nafs_wake_up_async_call() can incur lock recursion. The problem is that it\nis called from AF_RXRPC whilst holding the -\u003enotify_lock, but it tries to\ntake a ref on the afs_call struct in order to pass it to a work queue - but\nif the afs_call is already queued, we then have an extraneous ref that must\nbe put... calling afs_put_call() may call back down into AF_RXRPC through\nrxrpc_kernel_shutdown_call(), however, which might try taking the\n-\u003enotify_lock again.\n\nThis case isn\u0027t very common, however, so defer it to a workqueue. The oops\nlooks something like:\n\n BUG: spinlock recursion on CPU#0, krxrpcio/7001/1646\n lock: 0xffff888141399b30, .magic: dead4ead, .owner: krxrpcio/7001/1646, .owner_cpu: 0\n CPU: 0 UID: 0 PID: 1646 Comm: krxrpcio/7001 Not tainted 6.12.0-rc2-build3+ #4351\n Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x47/0x70\n do_raw_spin_lock+0x3c/0x90\n rxrpc_kernel_shutdown_call+0x83/0xb0\n afs_put_call+0xd7/0x180\n rxrpc_notify_socket+0xa0/0x190\n rxrpc_input_split_jumbo+0x198/0x1d0\n rxrpc_input_data+0x14b/0x1e0\n ? rxrpc_input_call_packet+0xc2/0x1f0\n rxrpc_input_call_event+0xad/0x6b0\n rxrpc_input_packet_on_conn+0x1e1/0x210\n rxrpc_input_packet+0x3f2/0x4d0\n rxrpc_io_thread+0x243/0x410\n ? __pfx_rxrpc_io_thread+0x10/0x10\n kthread+0xcf/0xe0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x24/0x40\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:38:56.303Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d7cbf81df996b1eae2dee8deb6df08e2eba78661" }, { "url": "https://git.kernel.org/stable/c/610a79ffea02102899a1373fe226d949944a7ed6" } ], "title": "afs: Fix lock recursion", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53090", "datePublished": "2024-11-21T18:17:07.366Z", "dateReserved": "2024-11-19T17:17:24.981Z", "dateUpdated": "2024-12-19T09:38:56.303Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-53090\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-11-21T19:15:12.010\",\"lastModified\":\"2024-11-21T19:15:12.010\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nafs: Fix lock recursion\\n\\nafs_wake_up_async_call() can incur lock recursion. The problem is that it\\nis called from AF_RXRPC whilst holding the -\u003enotify_lock, but it tries to\\ntake a ref on the afs_call struct in order to pass it to a work queue - but\\nif the afs_call is already queued, we then have an extraneous ref that must\\nbe put... calling afs_put_call() may call back down into AF_RXRPC through\\nrxrpc_kernel_shutdown_call(), however, which might try taking the\\n-\u003enotify_lock again.\\n\\nThis case isn\u0027t very common, however, so defer it to a workqueue. The oops\\nlooks something like:\\n\\n BUG: spinlock recursion on CPU#0, krxrpcio/7001/1646\\n lock: 0xffff888141399b30, .magic: dead4ead, .owner: krxrpcio/7001/1646, .owner_cpu: 0\\n CPU: 0 UID: 0 PID: 1646 Comm: krxrpcio/7001 Not tainted 6.12.0-rc2-build3+ #4351\\n Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014\\n Call Trace:\\n \u003cTASK\u003e\\n dump_stack_lvl+0x47/0x70\\n do_raw_spin_lock+0x3c/0x90\\n rxrpc_kernel_shutdown_call+0x83/0xb0\\n afs_put_call+0xd7/0x180\\n rxrpc_notify_socket+0xa0/0x190\\n rxrpc_input_split_jumbo+0x198/0x1d0\\n rxrpc_input_data+0x14b/0x1e0\\n ? rxrpc_input_call_packet+0xc2/0x1f0\\n rxrpc_input_call_event+0xad/0x6b0\\n rxrpc_input_packet_on_conn+0x1e1/0x210\\n rxrpc_input_packet+0x3f2/0x4d0\\n rxrpc_io_thread+0x243/0x410\\n ? __pfx_rxrpc_io_thread+0x10/0x10\\n kthread+0xcf/0xe0\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x24/0x40\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1a/0x30\\n \u003c/TASK\u003e\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: afs: Fix lock recursion afs_wake_up_async_call() puede generar recursi\u00f3n de bloqueo. El problema es que se llama desde AF_RXRPC mientras se mantiene el -\u0026gt;notify_lock, pero intenta tomar una referencia en la estructura afs_call para pasarla a una cola de trabajo; pero si afs_call ya est\u00e1 en cola, entonces tenemos una referencia extra\u00f1a que se debe poner... sin embargo, llamar a afs_put_call() puede volver a llamar a AF_RXRPC a trav\u00e9s de rxrpc_kernel_shutdown_call(), que podr\u00eda intentar tomar el -\u0026gt;notify_lock nuevamente. Sin embargo, este caso no es muy com\u00fan, por lo que se debe diferir a una cola de trabajo. El error se parece a algo como esto: ERROR: recursi\u00f3n de spinlock en CPU#0, krxrpcio/7001/1646 bloqueo: 0xffff888141399b30, .magic: dead4ead, .owner: krxrpcio/7001/1646, .owner_cpu: 0 CPU: 0 UID: 0 PID: 1646 Comm: krxrpcio/7001 No contaminado 6.12.0-rc2-build3+ #4351 Nombre del hardware: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014 Seguimiento de llamadas: dump_stack_lvl+0x47/0x70 do_raw_spin_lock+0x3c/0x90 rxrpc_input_call_event+0xad/0x6b0 rxrpc_input_packet_on_conn+0x1e1/0x210 rxrpc_input_packet+0x3f2/0x4d0 rxrpc_io_thread+0x243/0x410 ? __pfx_rxrpc_io_thread+0x10/0x10 kthread+0xcf/0xe0 ? __pfx_kthread+0x10/0x10 ret_de_la_bifurcaci\u00f3n+0x24/0x40 ? __pfx_kthread+0x10/0x10 ret_de_la_bifurcaci\u00f3n_asm+0x1a/0x30 \"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/610a79ffea02102899a1373fe226d949944a7ed6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d7cbf81df996b1eae2dee8deb6df08e2eba78661\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.