CVE-2024-56588

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
27/12/2024
Last modified:
09/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: hisi_sas: Create all dump files during debugfs initialization

For the current debugfs of hisi_sas, after the user triggers a dump, the
driver allocates memory space to save the register information and creates
debugfs files to display the saved information. In this process, the
debugfs files are created after each dump.

Therefore, when the dump is triggered while the driver is being unbound, the
following hang occurs:

[67840.853907] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0
[67840.862947] Mem abort info:
[67840.865855] ESR = 0x0000000096000004
[67840.869713] EC = 0x25: DABT (current EL), IL = 32 bits
[67840.875125] SET = 0, FnV = 0
[67840.878291] EA = 0, S1PTW = 0
[67840.881545] FSC = 0x04: level 0 translation fault
[67840.886528] Data abort info:
[67840.889524] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[67840.895117] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[67840.900284] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[67840.905709] user pgtable: 4k pages, 48-bit VAs, pgdp=0000002803a1f000
[67840.912263] [00000000000000a0] pgd=0000000000000000, p4d=0000000000000000
[67840.919177] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[67840.996435] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[67841.003628] pc : down_write+0x30/0x98
[67841.007546] lr : start_creating.part.0+0x60/0x198
[67841.012495] sp : ffff8000b979ba20
[67841.016046] x29: ffff8000b979ba20 x28: 0000000000000010 x27: 0000000000024b40
[67841.023412] x26: 0000000000000012 x25: ffff20202b355ae8 x24: ffff20202b35a8c8
[67841.030779] x23: ffffa36877928208 x22: ffffa368b4972240 x21: ffff8000b979bb18
[67841.038147] x20: ffff00281dc1e3c0 x19: fffffffffffffffe x18: 0000000000000020
[67841.045515] x17: 0000000000000000 x16: ffffa368b128a530 x15: ffffffffffffffff
[67841.052888] x14: ffff8000b979bc18 x13: ffffffffffffffff x12: ffff8000b979bb18
[67841.060263] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa368b1289b18
[67841.067640] x8 : 0000000000000012 x7 : 0000000000000000 x6 : 00000000000003a9
[67841.075014] x5 : 0000000000000000 x4 : ffff002818c5cb00 x3 : 0000000000000001
[67841.082388] x2 : 0000000000000000 x1 : ffff002818c5cb00 x0 : 00000000000000a0
[67841.089759] Call trace:
[67841.092456] down_write+0x30/0x98
[67841.096017] start_creating.part.0+0x60/0x198
[67841.100613] debugfs_create_dir+0x48/0x1f8
[67841.104950] debugfs_create_files_v3_hw+0x88/0x348 [hisi_sas_v3_hw]
[67841.111447] debugfs_snapshot_regs_v3_hw+0x708/0x798 [hisi_sas_v3_hw]
[67841.118111] debugfs_trigger_dump_v3_hw_write+0x9c/0x120 [hisi_sas_v3_hw]
[67841.125115] full_proxy_write+0x68/0xc8
[67841.129175] vfs_write+0xd8/0x3f0
[67841.132708] ksys_write+0x70/0x108
[67841.136317] __arm64_sys_write+0x24/0x38
[67841.140440] invoke_syscall+0x50/0x128
[67841.144385] el0_svc_common.constprop.0+0xc8/0xf0
[67841.149273] do_el0_svc+0x24/0x38
[67841.152773] el0_svc+0x38/0xd8
[67841.156009] el0t_64_sync_handler+0xc0/0xc8
[67841.160361] el0t_64_sync+0x1a4/0x1a8
[67841.164189] Code: b9000882 d2800002 d2800023 f9800011 (c85ffc05)
[67841.170443] ---[ end trace 0000000000000000 ]---

To fix this issue, create all directories and files during debugfs
initialization. In this way, the driver only needs to allocate memory
space to save information each time the user triggers dumping.
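The commit message describes a lifecycle bug: the dump trigger both snapshots registers and creates debugfs entries, so a trigger that arrives after the driver has been unbound (the call trace shows the write reaching debugfs_create_dir from debugfs_trigger_dump_v3_hw_write) walks into a parent directory that no longer exists, and the fix moves all file creation to debugfs initialization. The user-space C model below is an added illustration of that pattern, not the hisi_sas driver's code and not the kernel's debugfs API: dbg_node, model_create_dir, hba_t, trigger_dump_before, debugfs_init_after, trigger_dump_after, read_dump_file, debugfs_exit and replay are hypothetical names, the MODEL_* values stand in for the point where the real kernel faults, and the register contents are constructed. It replays the bind, dump, unbind, late-dump sequence under both designs and also shows the consequence the fix brings with it: a dump file that now exists before any dump has been taken must handle "no data yet".

```c
#include <stdlib.h>
#include <string.h>

#define REG_BYTES 16   /* size of the constructed register snapshot */
/* Error values the model returns; MODEL_EFAULT marks where the real driver oopses. */
enum { MODEL_EFAULT = 14, MODEL_ENOMEM = 12, MODEL_ENODATA = 61 };

/* Hypothetical stand-in for a debugfs directory node, not the kernel's dentry. */
struct dbg_node { struct dbg_node *parent; int nchildren; };

/* Model of debugfs_create_dir(): the kernel version locks the parent's inode, so a
 * torn-down parent is the near-NULL dereference (0xa0) in the oops above. */
static struct dbg_node *model_create_dir(struct dbg_node *parent, int *err)
{
    if (parent == NULL) { *err = MODEL_EFAULT; return NULL; }   /* kernel: crash here */
    struct dbg_node *d = calloc(1, sizeof *d);
    if (d == NULL) *err = MODEL_ENOMEM;
    else { d->parent = parent; parent->nchildren++; }
    return d;
}

/* Per-controller state: the debugfs tree and the snapshot memory. */
typedef struct {
    struct dbg_node *debugfs_dir;  /* parent directory; NULL once unbound */
    struct dbg_node *dump_dir;     /* directory holding the dump files */
    unsigned char *regs;           /* register snapshot, allocated per dump */
} hba_t;

/* Constructed register contents; there is no hardware behind this example. */
static unsigned char *snapshot_regs(void)
{
    unsigned char *buf = malloc(REG_BYTES);
    for (int i = 0; buf != NULL && i < REG_BYTES; i++) buf[i] = (unsigned char)(0xA0 + i);
    return buf;
}

/* Before the fix: each trigger snapshots registers AND creates debugfs entries,
 * so a trigger that lands after unbind walks into a parent that is gone. */
static int trigger_dump_before(hba_t *hba)
{
    unsigned char *buf = snapshot_regs();
    if (buf == NULL) return -MODEL_ENOMEM;
    int err = 0;
    struct dbg_node *d = model_create_dir(hba->debugfs_dir, &err);
    if (d == NULL) { free(buf); return -err; }
    free(hba->dump_dir); free(hba->regs);
    hba->dump_dir = d; hba->regs = buf;
    return 0;
}

/* After the fix: directories and files are created once, at init ... */
static int debugfs_init_after(hba_t *hba, struct dbg_node *root)
{
    int err = 0;
    hba->debugfs_dir = root;
    hba->dump_dir = model_create_dir(root, &err);
    return hba->dump_dir != NULL ? 0 : -err;
}

/* ... and the trigger path only allocates memory for the snapshot. */
static int trigger_dump_after(hba_t *hba)
{
    unsigned char *buf = snapshot_regs();
    if (buf == NULL) return -MODEL_ENOMEM;
    free(hba->regs); hba->regs = buf;
    return 0;
}

/* Read handler for a pre-created dump file: with the fix it exists before any
 * dump has been taken, so "no data yet" has to be a handled case. */
static int read_dump_file(const hba_t *hba, unsigned char *out, size_t len)
{
    if (hba->regs == NULL) return -MODEL_ENODATA;
    if (len > REG_BYTES) len = REG_BYTES;
    memcpy(out, hba->regs, len);
    return (int)len;
}

/* Unbind: the debugfs tree and the snapshot go away. */
static void debugfs_exit(hba_t *hba)
{
    free(hba->dump_dir); free(hba->regs);
    hba->dump_dir = NULL; hba->debugfs_dir = NULL; hba->regs = NULL;
}

/* Replays the sequence behind the oops for either design: dump while bound,
 * unbind, then a late dump write. Returns the late trigger's result. */
static int replay(int fixed)
{
    int (*trigger)(hba_t *) = fixed ? trigger_dump_after : trigger_dump_before;
    struct dbg_node root = { NULL, 0 };
    hba_t hba = { &root, NULL, NULL };
    unsigned char out[REG_BYTES];
    /* fixed design: files exist before any dump, so that read must fail cleanly */
    if (fixed && (debugfs_init_after(&hba, &root) != 0 ||
                  read_dump_file(&hba, out, sizeof out) != -MODEL_ENODATA)) return -1;
    if (trigger(&hba) != 0 || read_dump_file(&hba, out, sizeof out) != REG_BYTES ||
        out[0] != 0xA0) return -2;
    debugfs_exit(&hba);
    int late = trigger(&hba);   /* old design: -MODEL_EFAULT; fixed design: 0 */
    free(hba.regs);
    return late;
}
```

replay(0) returns -MODEL_EFAULT, the point at which the unfixed driver dereferences the missing parent, while replay(1) returns 0 because the fixed trigger path never touches the debugfs tree. The model deliberately does not cover what the real kernel does with a trigger file that is still open across unbind; it only isolates the ordering the commit message describes.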

Vulnerable products and versions

CPE                                             From   Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    -      6.12.5 (excluding)