CVE-2024-44952

Published: September 5, 2024Last modified: June 17, 2025

Description

In the Linux kernel, the following vulnerability has been resolved: driver core: Fix uevent_show() vs driver detach race uevent_show() wants to de-reference dev->driver->name. There is no clean way for a device attribute to de-reference dev->driver unless that attribute is defined via (struct device_driver).dev_groups. Instead, the anti-pattern of taking the device_lock() in the attribute handler risks deadlocks with code paths that remove device attributes while holding the lock. This deadlock is typically invisible to lockdep given the device_lock() is marked lockdep_set_novalidate_class(), but some subsystems allocate a local lockdep key for @dev->mutex to reveal reports of the form: ====================================================== WARNING: possible circular locking dependency detected 6.10.0-rc7+ #275 Tainted: G OE N ------------------------------------------------------ modprobe/2374 is trying to acquire lock: ffff8c2270070de0 (kn->active#6){++++}-{0:0}, at: __kernfs_remove+0xde/0x220 but task is already holding lock: ffff8c22016e88f8 (&cxl_root_key){+.+.}-{3:3}, at: device_release_driver_internal+0x39/0x210 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&cxl_root_key){+.+.}-{3:3}: __mutex_lock+0x99/0xc30 uevent_show+0xac/0x130 dev_attr_show+0x18/0x40 sysfs_kf_seq_show+0xac/0xf0 seq_read_iter+0x110/0x450 vfs_read+0x25b/0x340 ksys_read+0x67/0xf0 do_syscall_64+0x75/0x190 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #0 (kn->active#6){++++}-{0:0}: __lock_acquire+0x121a/0x1fa0 lock_acquire+0xd6/0x2e0 kernfs_drain+0x1e9/0x200 __kernfs_remove+0xde/0x220 kernfs_remove_by_name_ns+0x5e/0xa0 device_del+0x168/0x410 device_unregister+0x13/0x60 devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1c7/0x210 driver_detach+0x47/0x90 bus_remove_driver+0x6c/0xf0 cxl_acpi_exit+0xc/0x11 [cxl_acpi] __do_sys_delete_module.isra.0+0x181/0x260 do_syscall_64+0x75/0x190 entry_SYSCALL_64_after_hwframe+0x76/0x7e The observation though is that driver objects are typically much longer lived than device objects. It is reasonable to perform lockless de-reference of a @driver pointer even if it is racing detach from a device. Given the infrequency of driver unregistration, use synchronize_rcu() in module_remove_driver() to close any potential races. It is potentially overkill to suffer synchronize_rcu() just to handle the rare module removal racing uevent_show() event. Thanks to Tetsuo Handa for the debug analysis of the syzbot report [1].

Severity score breakdown

Status

References

• https://git.kernel.org/stable/c/15fffc6a5624b13b428bb1c6e9088e32a55eb82c
• https://git.kernel.org/stable/c/1cfc329304617838dc06f021bbbde3bc79cd655e
• https://git.kernel.org/stable/c/4749d336170dbb629e515a857e58a82e61c37a9c
• https://git.kernel.org/stable/c/49ea4e0d862632d51667da5e7a9c88a560e9c5a1
• https://git.kernel.org/stable/c/4a7c2a8387524942171037e70b80e969c3b5c05b
• https://git.kernel.org/stable/c/4d035c743c3e391728a6f81cbf0f7f9ca700cf62
• https://git.kernel.org/stable/c/92d847a35e1e41bceba13b8ac1f0e1b9dbe30d25
• https://git.kernel.org/stable/c/9c23fc327d6ec67629b4ad323bd64d3834c0417d
• https://git.kernel.org/stable/c/cd490a247ddf325325fd0de8898659400c9237ef
• https://git.kernel.org/stable/c/cfc72b86fa20cbf44d2b6cc27b35eb15080232ab
• https://git.kernel.org/stable/c/d4dba9a076838f3d0333a6a66efec2cdda90b2ee
• https://git.kernel.org/stable/c/dd98c9630b7ee273da87e9a244f94ddf947161e2
• https://git.kernel.org/stable/c/f098e8fc7227166206256c18d56ab622039108b1
• https://git.kernel.org/stable/c/fd28d9589460945985ef5333e9b942c4261f0826
• https://git.kernel.org/stable/c/fe10c8367687c27172a10ba5cc849bd82077bd7d