{ "threat_severity" : "Moderate", "public_date" : "2024-05-20T00:00:00Z", "bugzilla" : { "description" : "kernel: ice: fix LAG and VF lock dependency in ice_reset_vf()", "id" : "2281958", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2281958" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nice: fix LAG and VF lock dependency in ice_reset_vf()\n9f74a3dfcf83 (\"ice: Fix VF Reset paths when interface in a failed over\naggregate\"), the ice driver has acquired the LAG mutex in ice_reset_vf().\nThe commit placed this lock acquisition just prior to the acquisition of\nthe VF configuration lock.\nIf ice_reset_vf() acquires the configuration lock via the ICE_VF_RESET_LOCK\nflag, this could deadlock with ice_vc_cfg_qs_msg() because it always\nacquires the locks in the order of the VF configuration lock and then the\nLAG mutex.\nLockdep reports this violation almost immediately on creating and then\nremoving 2 VF:\n======================================================\nWARNING: possible circular locking dependency detected\n6.8.0-rc6 #54 Tainted: G W O\n------------------------------------------------------\nkworker/60:3/6771 is trying to acquire lock:\nff40d43e099380a0 (&vf->cfg_lock){+.+.}-{3:3}, at: ice_reset_vf+0x22f/0x4d0 [ice]\nbut task is already holding lock:\nff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\nwhich lock already depends on the new lock.\nthe existing dependency chain (in reverse order) is:\n-> #1 (&pf->lag_mutex){+.+.}-{3:3}:\n__lock_acquire+0x4f8/0xb40\nlock_acquire+0xd4/0x2d0\n__mutex_lock+0x9b/0xbf0\nice_vc_cfg_qs_msg+0x45/0x690 [ice]\nice_vc_process_vf_msg+0x4f5/0x870 [ice]\n__ice_clean_ctrlq+0x2b5/0x600 [ice]\nice_service_task+0x2c9/0x480 [ice]\nprocess_one_work+0x1e9/0x4d0\nworker_thread+0x1e1/0x3d0\nkthread+0x104/0x140\nret_from_fork+0x31/0x50\nret_from_fork_asm+0x1b/0x30\n-> #0 (&vf->cfg_lock){+.+.}-{3:3}:\ncheck_prev_add+0xe2/0xc50\nvalidate_chain+0x558/0x800\n__lock_acquire+0x4f8/0xb40\nlock_acquire+0xd4/0x2d0\n__mutex_lock+0x9b/0xbf0\nice_reset_vf+0x22f/0x4d0 [ice]\nice_process_vflr_event+0x98/0xd0 [ice]\nice_service_task+0x1cc/0x480 [ice]\nprocess_one_work+0x1e9/0x4d0\nworker_thread+0x1e1/0x3d0\nkthread+0x104/0x140\nret_from_fork+0x31/0x50\nret_from_fork_asm+0x1b/0x30\nother info that might help us debug this:\nPossible unsafe locking scenario:\nCPU0 CPU1\n---- ----\nlock(&pf->lag_mutex);\nlock(&vf->cfg_lock);\nlock(&pf->lag_mutex);\nlock(&vf->cfg_lock);\n*** DEADLOCK ***\n4 locks held by kworker/60:3/6771:\n#0: ff40d43e05428b38 ((wq_completion)ice){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\n#1: ff50d06e05197e58 ((work_completion)(&pf->serv_task)){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\n#2: ff40d43ea1960e50 (&pf->vfs.table_lock){+.+.}-{3:3}, at: ice_process_vflr_event+0x48/0xd0 [ice]\n#3: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\nstack backtrace:\nCPU: 60 PID: 6771 Comm: kworker/60:3 Tainted: G W O 6.8.0-rc6 #54\nHardware name:\nWorkqueue: ice ice_service_task [ice]\nCall Trace:\n\ndump_stack_lvl+0x4a/0x80\ncheck_noncircular+0x12d/0x150\ncheck_prev_add+0xe2/0xc50\n? save_trace+0x59/0x230\n? add_chain_cache+0x109/0x450\nvalidate_chain+0x558/0x800\n__lock_acquire+0x4f8/0xb40\n? lockdep_hardirqs_on+0x7d/0x100\nlock_acquire+0xd4/0x2d0\n? ice_reset_vf+0x22f/0x4d0 [ice]\n? lock_is_held_type+0xc7/0x120\n__mutex_lock+0x9b/0xbf0\n? ice_reset_vf+0x22f/0x4d0 [ice]\n? ice_reset_vf+0x22f/0x4d0 [ice]\n? rcu_is_watching+0x11/0x50\n? ice_reset_vf+0x22f/0x4d0 [ice]\nice_reset_vf+0x22f/0x4d0 [ice]\n? process_one_work+0x176/0x4d0\nice_process_vflr_event+0x98/0xd0 [ice]\nice_service_task+0x1cc/0x480 [ice]\nprocess_one_work+0x1e9/0x4d0\nworker_thread+0x1e1/0x3d0\n? __pfx_worker_thread+0x10/0x10\nkthread+0x104/0x140\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x31/0x50\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1b/0x30\n\nTo avoid deadlock, we must acquire the LAG \n---truncated---", "CVE-2024-36003 pertains to a deadlock vulnerability in the Linux kernel's ICE driver, which manages Intel Ethernet controllers. The issue arises from improper lock acquisition order between the Link Aggregation (LAG) mutex and the Virtual Function (VF) configuration lock within the ice_reset_vf() function. This misordering can lead to a circular dependency, causing the system to hang." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-08-28T00:00:00Z", "advisory" : "RHSA-2024:5928", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.33.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-08-28T00:00:00Z", "advisory" : "RHSA-2024:5928", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.33.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-36003\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36003\nhttps://lore.kernel.org/linux-cve-announce/2024052024-CVE-2024-36003-33b4@gregkh/T" ], "name" : "CVE-2024-36003", "csaw" : false }