Bug 1224570 (CVE-2024-35968) - VUL-0: CVE-2024-35968: kernel: pds_core: Fix pdsc_check_pci_health function to use work thread
Summary: VUL-0: CVE-2024-35968: kernel: pds_core: Fix pdsc_check_pci_health function t...
Status: RESOLVED FIXED
Alias: CVE-2024-35968
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/406697/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-20 14:39 UTC by SMASH SMASH
Modified: 2024-06-10 12:24 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-05-20 14:39:43 UTC 
In the Linux kernel, the following vulnerability has been resolved:

pds_core: Fix pdsc_check_pci_health function to use work thread

When the driver notices fw_status == 0xff it tries to perform a PCI
reset on itself via pci_reset_function() in the context of the driver's
health thread. However, pdsc_reset_prepare calls
pdsc_stop_health_thread(), which attempts to stop/flush the health
thread. This results in a deadlock because the stop/flush will never
complete since the driver called pci_reset_function() from the health
thread context. Fix by changing the pdsc_check_pci_health_function()
to queue a newly introduced pdsc_pci_reset_thread() on the pdsc's
work queue.

Unloading the driver in the fw_down/dead state uncovered another issue,
which can be seen in the following trace:

WARNING: CPU: 51 PID: 6914 at kernel/workqueue.c:1450 __queue_work+0x358/0x440
[...]
RIP: 0010:__queue_work+0x358/0x440
[...]
Call Trace:
 <TASK>
 ? __warn+0x85/0x140
 ? __queue_work+0x358/0x440
 ? report_bug+0xfc/0x1e0
 ? handle_bug+0x3f/0x70
 ? exc_invalid_op+0x17/0x70
 ? asm_exc_invalid_op+0x1a/0x20
 ? __queue_work+0x358/0x440
 queue_work_on+0x28/0x30
 pdsc_devcmd_locked+0x96/0xe0 [pds_core]
 pdsc_devcmd_reset+0x71/0xb0 [pds_core]
 pdsc_teardown+0x51/0xe0 [pds_core]
 pdsc_remove+0x106/0x200 [pds_core]
 pci_device_remove+0x37/0xc0
 device_release_driver_internal+0xae/0x140
 driver_detach+0x48/0x90
 bus_remove_driver+0x6d/0xf0
 pci_unregister_driver+0x2e/0xa0
 pdsc_cleanup_module+0x10/0x780 [pds_core]
 __x64_sys_delete_module+0x142/0x2b0
 ? syscall_trace_enter.isra.18+0x126/0x1a0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fbd9d03a14b
[...]

Fix this by preventing the devcmd reset if the FW is not running.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-35968
https://www.cve.org/CVERecord?id=CVE-2024-35968
https://git.kernel.org/stable/c/38407914d48273d7f8ab765b9243658afe1c3ab6
https://git.kernel.org/stable/c/81665adf25d28a00a986533f1d3a5df76b79cad9
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-35968.mbox
Comment 1 Joey Lee 2024-05-23 08:03:51 UTC 
joeyli@linux-691t:/mnt/working/source_code-git/kernel-source> ./scripts/check-kernel-fix -s 0 CVE-2024-35968
81665adf25d2 ("pds_core: Fix pdsc_check_pci_health function to use work thread") merged v6.9-rc4~27^2~12
Fixes: d9407ff11809 ("pds_core: Prevent health thread from running during reset/remove") merged v6.8-rc3~26^2~13^2~5
Security fix for CVE-2024-35968 bsc#1224570 with CVSS 0
Experts candidates: tbogendoerfer@suse.de denis.kirjanov@suse.com 
..............................
NO ACTION NEEDED: All relevant branches contain the fix!

Does not affect any branch. reset assignee
Comment 2 Gabriele Sonnu 2024-06-10 12:24:41 UTC 
All done, closing.