ACK: [SRU][M][PATCH 0/1] CVE-2024-26802

Stefan Bader stefan.bader at canonical.com
Fri May 10 12:42:25 UTC 2024 

On 02.05.24 19:49, Bethany Jamison wrote:
> [Impact]
> 
> In the Linux kernel, the following vulnerability has been resolved:
> 
> stmmac: Clear variable when destroying workqueue
> 
> Currently when suspending driver and stopping workqueue it is checked whether
> workqueue is not NULL and if so, it is destroyed.
> Function destroy_workqueue() does drain queue and does clear variable, but
> it does not set workqueue variable to NULL. This can cause kernel/module
> panic if code attempts to clear workqueue that was not initialized.
> 
> This scenario is possible when resuming suspended driver in stmmac_resume(),
> because there is no handling for failed stmmac_hw_setup(),
> which can fail and return if DMA engine has failed to initialize,
> and workqueue is initialized after DMA engine.
> Should DMA engine fail to initialize, resume will proceed normally,
> but interface won't work and TX queue will eventually timeout,
> causing 'Reset adapter' error.
> This then does destroy workqueue during reset process.
> And since workqueue is initialized after DMA engine and can be skipped,
> it will cause kernel/module panic.
> 
> To secure against this possible crash, set workqueue variable to NULL when
> destroying workqueue.
> 
> Log/backtrace from crash goes as follows:
> [88.031977]------------[ cut here ]------------
> [88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out
> [88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398
>             <Skipping backtrace for watchdog timeout>
> [88.032251]---[ end trace e70de432e4d5c2c0 ]---
> [88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter.
> [88.036359]------------[ cut here ]------------
> [88.036519]Call trace:
> [88.036523] flush_workqueue+0x3e4/0x430
> [88.036528] drain_workqueue+0xc4/0x160
> [88.036533] destroy_workqueue+0x40/0x270
> [88.036537] stmmac_fpe_stop_wq+0x4c/0x70
> [88.036541] stmmac_release+0x278/0x280
> [88.036546] __dev_close_many+0xcc/0x158
> [88.036551] dev_close_many+0xbc/0x190
> [88.036555] dev_close.part.0+0x70/0xc0
> [88.036560] dev_close+0x24/0x30
> [88.036564] stmmac_service_task+0x110/0x140
> [88.036569] process_one_work+0x1d8/0x4a0
> [88.036573] worker_thread+0x54/0x408
> [88.036578] kthread+0x164/0x170
> [88.036583] ret_from_fork+0x10/0x20
> [88.036588]---[ end trace e70de432e4d5c2c1 ]---
> [88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
> 
> [Fix]
> 
> Mantic:	Clean cherry-pick from linux-6.6.y
> Jammy:	pending
> Focal:	not-affected
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use the driver for the ST MAC 10/100/1000
> on-chip Ethernet controllers when stopping the workqueue, an issue
> with this fix would be visable to the user via a system crash.
> 
> Jakub Raczynski (1):
>    stmmac: Clear variable when destroying workqueue
> 
>   drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 

Acked-by: Stefan Bader <stefan.bader at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240510/d87a5522/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240510/d87a5522/attachment-0001.sig>

More information about the kernel-team mailing list