CVE-2024-57885

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/01/2025
Last modified:
26/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/kmemleak: fix sleeping function called from invalid context at print message

Address a bug in the kernel that triggers a "sleeping function called from invalid context" warning when /sys/kernel/debug/kmemleak is printed under specific conditions:
- CONFIG_PREEMPT_RT=y
- Set SELinux as the LSM for the system
- Set kptr_restrict to 1
- kmemleak buffer contains at least one item

BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 136, name: cat
preempt_count: 1, expected: 0
RCU nest depth: 2, expected: 2
6 locks held by cat/136:
#0: ffff32e64bcbf950 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xb8/0xe30
#1: ffffafe6aaa9dea0 (scan_mutex){+.+.}-{3:3}, at: kmemleak_seq_start+0x34/0x128
#3: ffff32e6546b1cd0 (&object->lock){....}-{2:2}, at: kmemleak_seq_show+0x3c/0x1e0
#4: ffffafe6aa8d8560 (rcu_read_lock){....}-{1:2}, at: has_ns_capability_noaudit+0x8/0x1b0
#5: ffffafe6aabbc0f8 (notif_lock){+.+.}-{2:2}, at: avc_compute_av+0xc4/0x3d0
irq event stamp: 136660
hardirqs last enabled at (136659): [] _raw_spin_unlock_irqrestore+0xa8/0xd8
hardirqs last disabled at (136660): [] _raw_spin_lock_irqsave+0x8c/0xb0
softirqs last enabled at (0): [] copy_process+0x11d8/0x3df8
softirqs last disabled at (0): [] 0x0
Preemption disabled at:
[] kmemleak_seq_show+0x3c/0x1e0
CPU: 1 UID: 0 PID: 136 Comm: cat Tainted: G E 6.11.0-rt7+ #34
Tainted: [E]=UNSIGNED_MODULE
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0xa0/0x128
show_stack+0x1c/0x30
dump_stack_lvl+0xe8/0x198
dump_stack+0x18/0x20
rt_spin_lock+0x8c/0x1a8
avc_perm_nonode+0xa0/0x150
cred_has_capability.isra.0+0x118/0x218
selinux_capable+0x50/0x80
security_capable+0x7c/0xd0
has_ns_capability_noaudit+0x94/0x1b0
has_capability_noaudit+0x20/0x30
restricted_pointer+0x21c/0x4b0
pointer+0x298/0x760
vsnprintf+0x330/0xf70
seq_printf+0x178/0x218
print_unreferenced+0x1a4/0x2d0
kmemleak_seq_show+0xd0/0x1e0
seq_read_iter+0x354/0xe30
seq_read+0x250/0x378
full_proxy_read+0xd8/0x148
vfs_read+0x190/0x918
ksys_read+0xf0/0x1e0
__arm64_sys_read+0x70/0xa8
invoke_syscall.constprop.0+0xd4/0x1d8
el0_svc+0x50/0x158
el0t_64_sync+0x17c/0x180

%pS and %pK, in the same back trace line, are redundant, and %pS can void %pK service in certain contexts.

%pS alone already provides the necessary information, and if it cannot resolve the symbol, it falls back to printing the raw address, voiding the original intent behind the %pK.

Additionally, %pK requires a privilege check CAP_SYSLOG enforced through the LSM, which can trigger a "sleeping function called from invalid context" warning under RT_PREEMPT kernels when the check occurs in an atomic context. This issue may also affect other LSMs.

This change avoids the unnecessary privilege check and resolves the sleeping function warning without any loss of information.

Vulnerable products and versions

CPE                                                   From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*          6.2 (including)     6.6.70 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*          6.7 (including)     6.12.9 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*