CVE-2024-27062: nouveau: lock the client object tree.
In the Linux kernel, the following vulnerability has been resolved:
nouveau: lock the client object tree.
It appears the client object tree has no locking unless I've missed something else. Fix races around adding/removing client objects, mostly vram bar mappings.
4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI [ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27 [ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021 [ 4562.099330] RIP: 0010:nvkmobjectsearch+0x1d/0x70 [nouveau] [ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe [ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206 [ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58 [ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400 [ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000 [ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0 [ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007 [ 4562.099528] FS: 00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000 [ 4562.099534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0 [ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4562.099544] Call Trace: [ 4562.099555] [ 4562.099573] ? dieaddr+0x36/0x90 [ 4562.099583] ? excgeneralprotection+0x246/0x4a0 [ 4562.099593] ? asmexcgeneralprotection+0x26/0x30 [ 4562.099600] ? nvkmobjectsearch+0x1d/0x70 [nouveau] [ 4562.099730] nvkmioctl+0xa1/0x250 [nouveau] [ 4562.099861] nvifobjectmaphandle+0xc8/0x180 [nouveau] [ 4562.099986] nouveauttmiomemreserve+0x122/0x270 [nouveau] [ 4562.100156] ? dmaresvtestsignaled+0x26/0xb0 [ 4562.100163] ttmbovmfaultreserved+0x97/0x3c0 [ttm] [ 4562.100182] ? mutexunlockslowpath+0x2a/0x270 [ 4562.100189] nouveauttmfault+0x69/0xb0 [nouveau] [ 4562.100356] dofault+0x32/0x150 [ 4562.100362] dofault+0x7c/0x560 [ 4562.100369] handlemmfault+0x800/0xc10 [ 4562.100382] handlemmfault+0x17c/0x3e0 [ 4562.100388] douseraddrfault+0x208/0x860 [ 4562.100395] excpagefault+0x7f/0x200 [ 4562.100402] asmexcpagefault+0x26/0x30 [ 4562.100412] RIP: 0033:0x9b9870 [ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7 [ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246 [ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000 [ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066 [ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000 [ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff [ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 4562.100446] [ 4562.100448] Modules linked in: nfconntracknetbiosns nfconntrackbroadcast nftfibinet nftfibipv4 nftfibipv6 nftfib nftrejectinet nfrejectipv4 nfrejectipv6 nftreject nftct nftchainnat nfnat nfconntrack nfdefragipv6 nfdefragipv4 ipset nftables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intelraplmsr intelraplcommon sndsofpciintelcnl x86pkgtempthermal intelpowerclamp sndsofintelhdacommon mac80211 coretemp sndsocacpiintelmatch kvmintel sndsocacpi sndsochdachda sndsofpci sndsofxtensadsp sndsofintelhdamlink ---truncated---
Other sources
In the Linux kernel, the following vulnerability has been resolved:
nouveau: lock the client object tree.
It appears the client object tree has no locking unless I've missed something else. Fix races around adding/removing client objects, mostly vram bar mappings.
4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI [ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27 [ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021 [ 4562.099330] RIP: 0010:nvkmobjectsearch+0x1d/0x70 [nouveau] [ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe [ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206 [ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58 [ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400 [ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000 [ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0 [ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007 [ 4562.099528] FS: 00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000 [ 4562.099534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0 [ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4562.099544] Call Trace: [ 4562.099555] <TASK> [ 4562.099573] ? dieaddr+0x36/0x90 [ 4562.099583] ? excgeneralprotection+0x246/0x4a0 [ 4562.099593] ? asmexcgeneralprotection+0x26/0x30 [ 4562.099600] ? nvkmobjectsearch+0x1d/0x70 [nouveau] [ 4562.099730] nvkmioctl+0xa1/0x250 [nouveau] [ 4562.099861] nvifobjectmaphandle+0xc8/0x180 [nouveau] [ 4562.099986] nouveauttmiomemreserve+0x122/0x270 [nouveau] [ 4562.100156] ? dmaresvtestsignaled+0x26/0xb0 [ 4562.100163] ttmbovmfaultreserved+0x97/0x3c0 [ttm] [ 4562.100182] ? mutexunlockslowpath+0x2a/0x270 [ 4562.100189] nouveauttmfault+0x69/0xb0 [nouveau] [ 4562.100356] dofault+0x32/0x150 [ 4562.100362] dofault+0x7c/0x560 [ 4562.100369] handlemmfault+0x800/0xc10 [ 4562.100382] handlemmfault+0x17c/0x3e0 [ 4562.100388] douseraddrfault+0x208/0x860 [ 4562.100395] excpagefault+0x7f/0x200 [ 4562.100402] asmexcpagefault+0x26/0x30 [ 4562.100412] RIP: 0033:0x9b9870 [ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7 [ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246 [ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000 [ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066 [ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000 [ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff [ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 4562.100446] </TASK> [ 4562.100448] Modules linked in: nfconntracknetbiosns nfconntrackbroadcast nftfibinet nftfibipv4 nftfibipv6 nftfib nftrejectinet nfrejectipv4 nfrejectipv6 nftreject nftct nftchainnat nfnat nfconntrack nfdefragipv6 nfdefragipv4 ipset nftables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intelraplmsr intelraplcommon sndsofpciintelcnl x86pkgtempthermal intelpowerclamp sndsofintelhdacommon mac80211 coretemp sndsocacpiintelmatch kvmintel sndsocacpi sndsochdachda sndsofpci sndsofxtensadsp sndsofintelhdamlink ---truncated---
— NVD
In the Linux kernel, the following vulnerability has been resolved:
nouveau: lock the client object tree.
The Linux kernel CVE team has assigned CVE-2024-27062 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024050130-CVE-2024-27062-3291@gregkh/T
— Red Hat
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2024-27062?
CVE-2024-27062 has a medium severity rating which could affect system stability due to locking issues in the client object tree.
How do I fix CVE-2024-27062?
To fix CVE-2024-27062, update to kernel versions 6.6.24, 6.7.12, or 6.8.
What systems are affected by CVE-2024-27062?
CVE-2024-27062 affects Linux kernel versions earlier than 6.6.24 and between 6.7.0 and 6.7.12 as well as 6.8 release candidates.
What components are impacted by CVE-2024-27062?
CVE-2024-27062 impacts the client object tree in the Linux kernel, primarily concerning vram bar mappings.
Is there a workaround for CVE-2024-27062?
Currently, the recommended action for CVE-2024-27062 is to apply the available kernel updates as there are no known workarounds.