| Message ID | 20240712162934.9725-1-bethany.jamison@canonical.com |
|---|---|
| Headers | show |
| Series | CVE-2024-39292 | expand |
On Fri, Jul 12, 2024 at 11:29:33AM -0500, Bethany Jamison wrote: > [Impact] > > um: Add winch to winch_handlers before registering winch IRQ > > Registering a winch IRQ is racy, an interrupt may occur before the winch is > added to the winch_handlers list. > > If that happens, register_winch_irq() adds to that list a winch that is > scheduled to be (or has already been) freed, causing a panic later in > winch_cleanup(). > > Avoid the race by adding the winch to the winch_handlers list before > registering the IRQ, and rolling back if um_request_irq() fails. > > [Fix] > > Noble: Clean cherry-pick from linux-6.9.y > Jammy: Noble patch applied cleanly > Focal: pending (5.4.0-192.212) > Bionic: fix sent to esm ML > Xenial: fix sent to esm ML > Trusty: not going to be fixed by us > > [Test Case] > > Compile and boot tested. > > [Where problems could occur] > > This fix affects those who use User-Mode Linux, an issue with > this fix would be visible to the user via unpredicted system > behavior. > > Roberto Sassu (1): > um: Add winch to winch_handlers before registering winch IRQ > > arch/um/drivers/line.c | 14 ++++++++------ > 1 file changed, 8 insertions(+), 6 deletions(-) > > -- > 2.34.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team Acked-by: Manuel Diewald <manuel.diewald@canonical.com>
On Fri, Jul 12, 2024 at 12:30 PM Bethany Jamison <bethany.jamison@canonical.com> wrote: > > [Impact] > > um: Add winch to winch_handlers before registering winch IRQ > > Registering a winch IRQ is racy, an interrupt may occur before the winch is > added to the winch_handlers list. > > If that happens, register_winch_irq() adds to that list a winch that is > scheduled to be (or has already been) freed, causing a panic later in > winch_cleanup(). > > Avoid the race by adding the winch to the winch_handlers list before > registering the IRQ, and rolling back if um_request_irq() fails. > > [Fix] > > Noble: Clean cherry-pick from linux-6.9.y > Jammy: Noble patch applied cleanly > Focal: pending (5.4.0-192.212) > Bionic: fix sent to esm ML > Xenial: fix sent to esm ML > Trusty: not going to be fixed by us > > [Test Case] > > Compile and boot tested. > > [Where problems could occur] > > This fix affects those who use User-Mode Linux, an issue with > this fix would be visible to the user via unpredicted system > behavior. > > Roberto Sassu (1): > um: Add winch to winch_handlers before registering winch IRQ > > arch/um/drivers/line.c | 14 ++++++++------ > 1 file changed, 8 insertions(+), 6 deletions(-) > > -- Acked-by: Kevin Becker <kevin.becker@canonical.com>
On 12.07.24 18:29, Bethany Jamison wrote: > [Impact] > > um: Add winch to winch_handlers before registering winch IRQ > > Registering a winch IRQ is racy, an interrupt may occur before the winch is > added to the winch_handlers list. > > If that happens, register_winch_irq() adds to that list a winch that is > scheduled to be (or has already been) freed, causing a panic later in > winch_cleanup(). > > Avoid the race by adding the winch to the winch_handlers list before > registering the IRQ, and rolling back if um_request_irq() fails. > > [Fix] > > Noble: Clean cherry-pick from linux-6.9.y > Jammy: Noble patch applied cleanly > Focal: pending (5.4.0-192.212) > Bionic: fix sent to esm ML > Xenial: fix sent to esm ML > Trusty: not going to be fixed by us > > [Test Case] > > Compile and boot tested. > > [Where problems could occur] > > This fix affects those who use User-Mode Linux, an issue with > this fix would be visible to the user via unpredicted system > behavior. > > Roberto Sassu (1): > um: Add winch to winch_handlers before registering winch IRQ > > arch/um/drivers/line.c | 14 ++++++++------ > 1 file changed, 8 insertions(+), 6 deletions(-) > Applied to noble,jammy:linux/master-next. Thanks. -Stefan