ghsa-f95q-fwq6-mx8w
Vulnerability from github
Published
2024-08-21 00:30
Modified
2024-09-03 15:30
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Fix a deadlock in dma buf fence polling

Introduce a version of the fence ops that on release doesn't remove the fence from the pending list, and thus doesn't require a lock to fix poll->fence wait->fence unref deadlocks.

vmwgfx overwrites the wait callback to iterate over the list of all fences and update their status, to do that it holds a lock to prevent the list modifcations from other threads. The fence destroy callback both deletes the fence and removes it from the list of pending fences, for which it holds a lock.

dma buf polling cb unrefs a fence after it's been signaled: so the poll calls the wait, which signals the fences, which are being destroyed. The destruction tries to acquire the lock on the pending fences list which it can never get because it's held by the wait from which it was called.

Old bug, but not a lot of userspace apps were using dma-buf polling interfaces. Fix those, in particular this fixes KDE stalls/deadlock.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-43863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-21T00:15:04Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix a deadlock in dma buf fence polling\n\nIntroduce a version of the fence ops that on release doesn\u0027t remove\nthe fence from the pending list, and thus doesn\u0027t require a lock to\nfix poll-\u003efence wait-\u003efence unref deadlocks.\n\nvmwgfx overwrites the wait callback to iterate over the list of all\nfences and update their status, to do that it holds a lock to prevent\nthe list modifcations from other threads. The fence destroy callback\nboth deletes the fence and removes it from the list of pending\nfences, for which it holds a lock.\n\ndma buf polling cb unrefs a fence after it\u0027s been signaled: so the poll\ncalls the wait, which signals the fences, which are being destroyed.\nThe destruction tries to acquire the lock on the pending fences list\nwhich it can never get because it\u0027s held by the wait from which it\nwas called.\n\nOld bug, but not a lot of userspace apps were using dma-buf polling\ninterfaces. Fix those, in particular this fixes KDE stalls/deadlock.",
  "id": "GHSA-f95q-fwq6-mx8w",
  "modified": "2024-09-03T15:30:39Z",
  "published": "2024-08-21T00:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43863"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b933b16c996af8adb6bc1b5748a63dfb41a82bc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9e20d028d8d1deb1e7fed18f22ffc01669cf3237"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a8943969f9ead2fd3044fc826140a21622ef830e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c98ab18b9f315ff977c2c65d7c71298ef98be8e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e58337100721f3cc0c7424a18730e4f39844934f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.