CVE-2024-36950

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 30/05/2024
Last modified: 17/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

firewire: ohci: mask bus reset interrupts between ISR and bottom half

In the FireWire OHCI interrupt handler, if a bus reset interrupt has occurred, mask bus reset interrupts until bus_reset_work has serviced and cleared the interrupt.

Normally, we always leave bus reset interrupts masked. We infer the bus reset from the self-ID interrupt that happens shortly thereafter. A scenario where we unmask bus reset interrupts was introduced in 2008 in a007bb857e0b26f5d8b73c2ff90782d9c0972620: If OHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we will unmask bus reset interrupts so we can log them.

irq_handler logs the bus reset interrupt. However, we can't clear the bus reset event flag in irq_handler, because we won't service the event until later. irq_handler exits with the event flag still set. If the corresponding interrupt is still unmasked, the first bus reset will usually freeze the system due to irq_handler being called again each time it exits. This freeze can be reproduced by loading firewire_ohci with "modprobe firewire_ohci debug=-1" (to enable all debugging output). Apparently there are also some cases where bus_reset_work will get called soon enough to clear the event, and operation will continue normally.

This freeze was first reported a few months after a007bb85 was committed, but until now it was never fixed. The debug level could safely be set to -1 through sysfs after the module was loaded, but this would be ineffectual in logging bus reset interrupts since they were only unmasked during initialization.

irq_handler will now leave the event flag set but mask bus reset interrupts, so irq_handler won't be called again and there will be no freeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will unmask the interrupt after servicing the event, so future interrupts will be caught as desired.

As a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be enabled through sysfs in addition to during initial module loading. However, when enabled through sysfs, logging of bus reset interrupts will be effective only starting with the second bus reset, after bus_reset_work has executed.
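The masking behaviour described above can be followed in a small user-space model. This is an added example, not code from the firewire-ohci driver: the struct, EV_BUS_RESET, STORM_LIMIT and simulate_bus_reset are hypothetical names, and the interrupt line is assumed to stay asserted while a pending event is unmasked.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model added for illustration; not firewire-ohci driver code. */
#define OHCI_PARAM_DEBUG_BUSRESETS 8 /* value given in the advisory */
#define EV_BUS_RESET 0x1u            /* hypothetical event bit for this model */
#define STORM_LIMIT 1000             /* ISR entries treated here as a freeze */

struct model_ohci { unsigned event, mask; int debug; };

/* Assumed line behaviour: asserted while a pending event is unmasked. */
static bool irq_asserted(const struct model_ohci *o)
{
    return (o->event & o->mask) != 0;
}

/* ISR: cannot clear the bus reset flag; the fixed variant masks it instead. */
static void irq_handler(struct model_ohci *o, bool fixed)
{
    if (fixed && (o->event & EV_BUS_RESET))
        o->mask &= ~EV_BUS_RESET;
}

/* Bottom half: clears the event, then re-arms logging if the debug bit is set. */
static void bus_reset_work(struct model_ohci *o, bool fixed)
{
    o->event &= ~EV_BUS_RESET;
    if (fixed && (o->debug & OHCI_PARAM_DEBUG_BUSRESETS))
        o->mask |= EV_BUS_RESET;
}

/* Returns ISR entries for one bus reset; STORM_LIMIT means the bottom half never ran. */
static int simulate_bus_reset(struct model_ohci *o, bool fixed)
{
    int entries = 0;
    o->event |= EV_BUS_RESET;
    while (irq_asserted(o) && entries < STORM_LIMIT) {
        irq_handler(o, fixed);
        entries++;
    }
    if (entries < STORM_LIMIT)
        bus_reset_work(o, fixed);
    return entries;
}

int main(void)
{
    struct model_ohci a = {0, EV_BUS_RESET, -1}, b = a; /* loaded with debug=-1 */
    printf("unfixed ISR entries: %d\n", simulate_bus_reset(&a, false));
    printf("fixed ISR entries:   %d\n", simulate_bus_reset(&b, true));
    return 0;
}
```

Starting the model with mask 0 and debug 8 reproduces the sysfs case: the first bus reset produces no ISR entry, and the second produces one.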

Vulnerable products and versions

CPE                                               From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*                        4.19.314 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      4.20 (including)  5.4.276 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.5 (including)   5.10.217 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.11 (including)  5.15.159 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including)  6.1.91 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)   6.6.31 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)   6.8.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*