CVE-2024-35991

2024-05-2010:15:13

416baaa9-dc9f-4396-8d5f-8c081fb06d67

web.nvd.nist.gov

linux kernel

vulnerability

cve-2024-35991

dmaengine

idxd

spinlock

mutex

workqueue

synchronization

code robustness

potential call trace

task rescheduling

6.6 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

JSON

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Convert spinlock to mutex to lock evl workqueue

drain_workqueue() cannot be called safely in a spinlocked context due to
possible task rescheduling. In the multi-task scenario, calling
queue_work() while drain_workqueue() will lead to a Call Trace as
pushing a work on a draining workqueue is not permitted in spinlocked
context.
Call Trace:
<TASK>
? __warn+0x7d/0x140
? __queue_work+0x2b2/0x440
? report_bug+0x1f8/0x200
? handle_bug+0x3c/0x70
? exc_invalid_op+0x18/0x70
? asm_exc_invalid_op+0x1a/0x20
? __queue_work+0x2b2/0x440
queue_work_on+0x28/0x30
idxd_misc_thread+0x303/0x5a0 [idxd]
? __schedule+0x369/0xb40
? __pfx_irq_thread_fn+0x10/0x10
? irq_thread+0xbc/0x1b0
irq_thread_fn+0x21/0x70
irq_thread+0x102/0x1b0
? preempt_count_add+0x74/0xa0
? __pfx_irq_thread_dtor+0x10/0x10
? __pfx_irq_thread+0x10/0x10
kthread+0x103/0x140
? __pfx_kthread+0x10/0x10
ret_from_fork+0x31/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>

The current implementation uses a spinlock to protect event log workqueue
and will lead to the Call Trace due to potential task rescheduling.

To address the locking issue, convert the spinlock to mutex, allowing
the drain_workqueue() to be called in a safe mutex-locked context.

This change ensures proper synchronization when accessing the event log
workqueue, preventing potential Call Trace and improving the overall
robustness of the code.

Affected configurations

Vulners

Node

linuxlinux_kernelRange6.4–6.6.30

linuxlinux_kernelRange6.7.0–6.8.9

linuxlinux_kernelRange6.9.0≥

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/dma/idxd/cdev.c",
      "drivers/dma/idxd/debugfs.c",
      "drivers/dma/idxd/device.c",
      "drivers/dma/idxd/idxd.h",
      "drivers/dma/idxd/init.c",
      "drivers/dma/idxd/irq.c"
    ],
    "versions": [
      {
        "version": "c40bd7d9737b",
        "lessThan": "758071a35d9f",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c40bd7d9737b",
        "lessThan": "c9b732a9f73e",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c40bd7d9737b",
        "lessThan": "d5638de827cf",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/dma/idxd/cdev.c",
      "drivers/dma/idxd/debugfs.c",
      "drivers/dma/idxd/device.c",
      "drivers/dma/idxd/idxd.h",
      "drivers/dma/idxd/init.c",
      "drivers/dma/idxd/irq.c"
    ],
    "versions": [
      {
        "version": "6.4",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "6.4",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.30",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8.9",
        "lessThanOrEqual": "6.8.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]