CMT: [SRU][F][PATCH 0/4] CVE-2023-52498
Guoqing Jiang
guoqing.jiang at canonical.com
Fri Oct 11 08:57:00 UTC 2024
Hi,

On 10/10/24 10:02, Ian Whitfield wrote:
> [Impact]
>
> This patchset resolves multiple deadlock conditions in
> drivers/base/power/main.c
>
> The primary CVE fix addresses a deadlock that happened on system resume
> on low-memory hardware configurations. The second deadlock fixed by
> this patchset occurs when a device handling a resume or suspend
> attempts to unlock a particular mutex while the base calling code has
> not yet dropped it.
>
> [Backport]
>
> The top-level fix patch for this CVE had two dependency patches and
> conflicts due to missing two other patches. Dependency patches were
> applied cleanly. Of the two conflict patches, one was not relevant and
> easily resolved with context adjustment. The other conflicting patch
> resolved further deadlock conditions which led me to include it in this
> patchset. This secondary patch had one conflict, but this was resolved
> by adjusting the patch context.
>
> This patchset therefore includes a fix for the original deadlock CVE,
> its two dependency patches, and a second deadlock patch.

I guess "a second deadlock patch" is the first patch, I am not sure if it is
appropriate to add CVE-2023-52498 to it. BTW, for 5.10 stable, it was added
with this tag.

Stable-dep-of: 7839d0078e0d ("PM: sleep: Fix possible deadlocks in core system-wide PM code")

and the below commit might be needed for the first patch.

commit 544e737dea5ad1a457f25dbddf68761ff25e028b
Author: Rafael J. Wysocki <rafael.j.wysocki at intel.com>
Date: Thu Dec 16 20:30:18 2021 +0100

    PM: sleep: Fix error handling in dpm_prepare()

since it has Fixes: 2aa36604e824 ("PM: sleep: Avoid calling put_device() under dpm_list_mtx").

Thanks,
Guoqing

> [Fix]
>
> Noble: not affected
> Jammy: fixed via stable updates
> Focal: backport
> Bionic: not affected
> Xenial: not affected
> Trusty: not affected
>
> [Test Case]
>
> Compile and boot tested
>
> [Where problems could occur]
>
> This fix affects the majority of users, because it addresses a bug in
> the base driver code for managing power. An issue with this fix would
> be visible to the user as a system freeze due to deadlock, or possibly
> a logged warning of a circular locking dependency.
>
> Rafael J. Wysocki (4):
>   PM: sleep: Avoid calling put_device() under dpm_list_mtx
>   async: Split async_schedule_node_domain()
>   async: Introduce async_schedule_dev_nocall()
>   PM: sleep: Fix possible deadlocks in core system-wide PM code
>
>  drivers/base/power/main.c | 227 ++++++++++++++++++++------------------
>  include/linux/async.h     |   2 +
>  kernel/async.c            |  85 ++++++++++----
>  3 files changed, 187 insertions(+), 127 deletions(-)
>