CVE-2024-50031

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/10/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Stop the active perfmon before being destroyed

When running `kmscube` with one or more performance monitors enabled via `GALLIUM_HUD`, the following kernel panic can occur:

[ 55.008324] Unable to handle kernel paging request at virtual address 00000000052004a4
[ 55.008368] Mem abort info:
[ 55.008377] ESR = 0x0000000096000005
[ 55.008387] EC = 0x25: DABT (current EL), IL = 32 bits
[ 55.008402] SET = 0, FnV = 0
[ 55.008412] EA = 0, S1PTW = 0
[ 55.008421] FSC = 0x05: level 1 translation fault
[ 55.008434] Data abort info:
[ 55.008442] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 55.008455] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 55.008467] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 55.008481] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001046c6000
[ 55.008497] [00000000052004a4] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[ 55.008525] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[ 55.008542] Modules linked in: rfcomm [...] vc4 v3d snd_soc_hdmi_codec drm_display_helper gpu_sched drm_shmem_helper cec drm_dma_helper drm_kms_helper i2c_brcmstb drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight
[ 55.008799] CPU: 2 PID: 166 Comm: v3d_bin Tainted: G C 6.6.47+rpt-rpi-v8 #1 Debian 1:6.6.47-1+rpt1
[ 55.008824] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)
[ 55.008838] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 55.008855] pc : __mutex_lock.constprop.0+0x90/0x608
[ 55.008879] lr : __mutex_lock.constprop.0+0x58/0x608
[ 55.008895] sp : ffffffc080673cf0
[ 55.008904] x29: ffffffc080673cf0 x28: 0000000000000000 x27: ffffff8106188a28
[ 55.008926] x26: ffffff8101e78040 x25: ffffff8101baa6c0 x24: ffffffd9d989f148
[ 55.008947] x23: ffffffda1c2a4008 x22: 0000000000000002 x21: ffffffc080673d38
[ 55.008968] x20: ffffff8101238000 x19: ffffff8104f83188 x18: 0000000000000000
[ 55.008988] x17: 0000000000000000 x16: ffffffda1bd04d18 x15: 00000055bb08bc90
[ 55.009715] x14: 0000000000000000 x13: 0000000000000000 x12: ffffffda1bd4cbb0
[ 55.010433] x11: 00000000fa83b2da x10: 0000000000001a40 x9 : ffffffda1bd04d04
[ 55.011162] x8 : ffffff8102097b80 x7 : 0000000000000000 x6 : 00000000030a5857
[ 55.011880] x5 : 00ffffffffffffff x4 : 0300000005200470 x3 : 0300000005200470
[ 55.012598] x2 : ffffff8101238000 x1 : 0000000000000021 x0 : 0300000005200470
[ 55.013292] Call trace:
[ 55.013959] __mutex_lock.constprop.0+0x90/0x608
[ 55.014646] __mutex_lock_slowpath+0x1c/0x30
[ 55.015317] mutex_lock+0x50/0x68
[ 55.015961] v3d_perfmon_stop+0x40/0xe0 [v3d]
[ 55.016627] v3d_bin_job_run+0x10c/0x2d8 [v3d]
[ 55.017282] drm_sched_main+0x178/0x3f8 [gpu_sched]
[ 55.017921] kthread+0x11c/0x128
[ 55.018554] ret_from_fork+0x10/0x20
[ 55.019168] Code: f9400260 f1001c1f 54001ea9 927df000 (b9403401)
[ 55.019776] ---[ end trace 0000000000000000 ]---
[ 55.020411] note: v3d_bin[166] exited with preempt_count 1

This issue arises because, upon closing the file descriptor (which happens when we interrupt `kmscube`), the active performance monitor is not stopped. Although all perfmons are destroyed in `v3d_perfmon_close_file()`, the active performance monitor's pointer (`v3d->active_perfmon`) is still retained.

If `kmscube` is run again, the driver will attempt to stop the active performance monitor using the stale pointer in `v3d->active_perfmon`. However, this pointer is no longer valid because the previous process has already terminated, and all performance monitors associated with it have been destroyed and freed.

To fix this, when the active performance monitor belongs to a given process, explicitly stop it before destroying and freeing it.
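The lifetime bug described above, reduced to a small model as an added example (this is not the kernel's v3d code; the struct layouts, the fixed pool standing in for kmalloc/kfree, and the `fix` flag are assumptions made for illustration). The close handler either frees per-file perfmons while leaving the device's active pointer untouched, or, as in the fix, stops the active monitor first so the pointer is cleared before the memory goes away:

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the driver state (not the kernel's v3d code):
 * a fixed pool stands in for kmalloc'd perfmons so a stale pointer can
 * be inspected without undefined behaviour. */
struct perfmon { bool running; bool freed; };
struct v3d_dev { struct perfmon *active_perfmon; };
struct v3d_file { struct perfmon *perfmons[2]; int count; };

static void perfmon_start(struct v3d_dev *v3d, struct perfmon *pm)
{
    pm->running = true;
    v3d->active_perfmon = pm;
}

/* Mirrors the stop path: only the currently active monitor is stopped,
 * and stopping it clears the device-level pointer. */
static void perfmon_stop(struct v3d_dev *v3d, struct perfmon *pm)
{
    if (v3d->active_perfmon != pm)
        return;
    pm->running = false;
    v3d->active_perfmon = NULL;
}

/* Close handler. With fix == false it matches the pre-fix behaviour:
 * every perfmon of the file is destroyed, but v3d->active_perfmon keeps
 * pointing at the freed one. With fix == true the active monitor is
 * stopped first, as the patch description requires. */
static void perfmon_close_file(struct v3d_dev *v3d, struct v3d_file *f, bool fix)
{
    for (int i = 0; i < f->count; i++) {
        if (fix)
            perfmon_stop(v3d, f->perfmons[i]); /* no-op unless active */
        f->perfmons[i]->freed = true;          /* stands in for kfree() */
    }
    f->count = 0;
}

/* Scenario from the report: a process starts a perfmon, its file is
 * closed, and the next job would consult v3d->active_perfmon. Returns
 * true when the device still references freed memory. */
static bool stale_active_perfmon(bool fix)
{
    struct perfmon pool[2] = { {0} };
    struct v3d_dev v3d = { NULL };
    struct v3d_file file = { { &pool[0], &pool[1] }, 2 };

    perfmon_start(&v3d, &pool[1]);
    perfmon_close_file(&v3d, &file, fix);
    return v3d.active_perfmon != NULL && v3d.active_perfmon->freed;
}
```

In the real driver the stale pointer is dereferenced by `v3d_perfmon_stop()` from the next `v3d_bin_job_run()`, which is the `mutex_lock` on freed memory visible in the call trace.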

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15 (including) 5.15.168 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.113 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.57 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.11.4 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*