{ "threat_severity" : "Moderate", "public_date" : "2024-05-01T00:00:00Z", "bugzilla" : { "description" : "kernel: nouveau: fix instmem race condition around ptr stores", "id" : "2278333", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2278333" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnouveau: fix instmem race condition around ptr stores\nRunning a lot of VK CTS in parallel against nouveau, once every\nfew hours you might see something like this crash.\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\nHardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\nRIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\nCode: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1\nRSP: 0000:ffffac20c5857838 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001\nRDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180\nRBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10\nR10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c\nR13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c\nFS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n...\n? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\n? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]\nnvkm_vmm_iter+0x351/0xa20 [nouveau]\n? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n? __lock_acquire+0x3ed/0x2170\n? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\nnvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]\n? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\nnvkm_vmm_map_locked+0x224/0x3a0 [nouveau]\nAdding any sort of useful debug usually makes it go away, so I hand\nwrote the function in a line, and debugged the asm.\nEvery so often pt->memory->ptrs is NULL. This ptrs ptr is set in\nthe nv50_instobj_acquire called from nvkm_kmap.\nIf Thread A and Thread B both get to nv50_instobj_acquire around\nthe same time, and Thread A hits the refcount_set line, and in\nlockstep thread B succeeds at refcount_inc_not_zero, there is a\nchance the ptrs value won't have been stored since refcount_set\nis unordered. Force a memory barrier here, I picked smp_mb, since\nwe want it on all CPUs and it's write followed by a read.\nv2: use paired smp_rmb/smp_wmb.", "A flaw was found in the nouveau module in the Linux kernel. In some conditions, a race condition can cause a NULL pointer dereference, resulting in a denial of service." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-04-06T00:00:00Z", "advisory" : "RHSA-2026:6572", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.117.1.rt7.458.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-04-06T00:00:00Z", "advisory" : "RHSA-2026:6571", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.117.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-12-04T00:00:00Z", "advisory" : "RHSA-2024:10772", "cpe" : "cpe:/a:redhat:rhel_eus:9.2", "package" : "kernel-0:5.14.0-284.95.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-12-04T00:00:00Z", "advisory" : "RHSA-2024:10773", "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.95.1.rt14.380.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2024-11-13T00:00:00Z", "advisory" : "RHSA-2024:9546", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.44.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26984\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26984\nhttps://lore.kernel.org/linux-cve-announce/2024050142-CVE-2024-26984-3028@gregkh/T" ], "name" : "CVE-2024-26984", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }