CVE-2023-52587 (GCVE-0-2023-52587)

Vulnerability from cvelistv5 – Published: 2024-03-06 06:45 – Updated: 2026-05-11 19:29
VLAI
Title
IB/ipoib: Fix mcast list locking
Summary
In the Linux kernel, the following vulnerability has been resolved: IB/ipoib: Fix mcast list locking Releasing the `priv->lock` while iterating the `priv->multicast_list` in `ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to remove the items while in the middle of iteration. If the mcast is removed while the lock was dropped, the for loop spins forever resulting in a hard lockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel): Task A (kworker/u72:2 below) | Task B (kworker/u72:0 below) -----------------------------------+----------------------------------- ipoib_mcast_join_task(work) | ipoib_ib_dev_flush_light(work) spin_lock_irq(&priv->lock) | __ipoib_ib_dev_flush(priv, ...) list_for_each_entry(mcast, | ipoib_mcast_dev_flush(dev = priv->dev) &priv->multicast_list, list) | ipoib_mcast_join(dev, mcast) | spin_unlock_irq(&priv->lock) | | spin_lock_irqsave(&priv->lock, flags) | list_for_each_entry_safe(mcast, tmcast, | &priv->multicast_list, list) | list_del(&mcast->list); | list_add_tail(&mcast->list, &remove_list) | spin_unlock_irqrestore(&priv->lock, flags) spin_lock_irq(&priv->lock) | | ipoib_mcast_remove_list(&remove_list) (Here, `mcast` is no longer on the | list_for_each_entry_safe(mcast, tmcast, `priv->multicast_list` and we keep | remove_list, list) spinning on the `remove_list` of | >>> wait_for_completion(&mcast->done) the other thread which is blocked | and the list is still valid on | it's stack.) Fix this by keeping the lock held and changing to GFP_ATOMIC to prevent eventual sleeps. Unfortunately we could not reproduce the lockup and confirm this fix but based on the code review I think this fix should address such lockups. crash> bc 31 PID: 747 TASK: ff1c6a1a007e8000 CPU: 31 COMMAND: "kworker/u72:2" -- [exception RIP: ipoib_mcast_join_task+0x1b1] RIP: ffffffffc0944ac1 RSP: ff646f199a8c7e00 RFLAGS: 00000002 RAX: 0000000000000000 RBX: ff1c6a1a04dc82f8 RCX: 0000000000000000 work (&priv->mcast_task{,.work}) RDX: ff1c6a192d60ac68 RSI: 0000000000000286 RDI: ff1c6a1a04dc8000 &mcast->list RBP: ff646f199a8c7e90 R8: ff1c699980019420 R9: ff1c6a1920c9a000 R10: ff646f199a8c7e00 R11: ff1c6a191a7d9800 R12: ff1c6a192d60ac00 mcast R13: ff1c6a1d82200000 R14: ff1c6a1a04dc8000 R15: ff1c6a1a04dc82d8 dev priv (&priv->lock) &priv->multicast_list (aka head) ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 --- <NMI exception stack> --- #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib] #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967 crash> rx ff646f199a8c7e68 ff646f199a8c7e68: ff1c6a1a04dc82f8 <<< work = &priv->mcast_task.work crash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000 (empty) crash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000 mcast_task.work.func = 0xffffffffc0944910 <ipoib_mcast_join_task>, mcast_mutex.owner.counter = 0xff1c69998efec000 crash> b 8 PID: 8 TASK: ff1c69998efec000 CPU: 33 COMMAND: "kworker/u72:0" -- #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646 #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib] #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib] #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib] #7 [ff ---truncated---
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: d2fe937ce6ce23daf5fb214e45432dbb631581b7 , < 4c8922ae8eb8dcc1e4b7d1059d97a8334288d825 (git)
Affected: d2fe937ce6ce23daf5fb214e45432dbb631581b7 , < 615e3adc2042b7be4ad122a043fc9135e6342c90 (git)
Affected: d2fe937ce6ce23daf5fb214e45432dbb631581b7 , < ac2630fd3c90ffec34a0bfc4d413668538b0e8f2 (git)
Affected: d2fe937ce6ce23daf5fb214e45432dbb631581b7 , < ed790bd0903ed3352ebf7f650d910f49b7319b34 (git)
Affected: d2fe937ce6ce23daf5fb214e45432dbb631581b7 , < 5108a2dc2db5630fb6cd58b8be80a0c134bc310a (git)
Affected: d2fe937ce6ce23daf5fb214e45432dbb631581b7 , < 342258fb46d66c1b4c7e2c3717ac01e10c03cf18 (git)
Affected: d2fe937ce6ce23daf5fb214e45432dbb631581b7 , < 7c7bd4d561e9dc6f5b7df9e184974915f6701a89 (git)
Affected: d2fe937ce6ce23daf5fb214e45432dbb631581b7 , < 4f973e211b3b1c6d36f7c6a19239d258856749f9 (git)
Create a notification for this product.
Linux Linux Affected: 4.1
Unaffected: 0 , < 4.1 (semver)
Unaffected: 4.19.307 , ≤ 4.19.* (semver)
Unaffected: 5.4.269 , ≤ 5.4.* (semver)
Unaffected: 5.10.210 , ≤ 5.10.* (semver)
Unaffected: 5.15.149 , ≤ 5.15.* (semver)
Unaffected: 6.1.77 , ≤ 6.1.* (semver)
Unaffected: 6.6.16 , ≤ 6.6.* (semver)
Unaffected: 6.7.4 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52587",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-08T18:50:41.278526Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:23:13.749Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:03:21.201Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4c8922ae8eb8dcc1e4b7d1059d97a8334288d825"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/615e3adc2042b7be4ad122a043fc9135e6342c90"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ac2630fd3c90ffec34a0bfc4d413668538b0e8f2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ed790bd0903ed3352ebf7f650d910f49b7319b34"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5108a2dc2db5630fb6cd58b8be80a0c134bc310a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/342258fb46d66c1b4c7e2c3717ac01e10c03cf18"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7c7bd4d561e9dc6f5b7df9e184974915f6701a89"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4f973e211b3b1c6d36f7c6a19239d258856749f9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/ulp/ipoib/ipoib_multicast.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4c8922ae8eb8dcc1e4b7d1059d97a8334288d825",
              "status": "affected",
              "version": "d2fe937ce6ce23daf5fb214e45432dbb631581b7",
              "versionType": "git"
            },
            {
              "lessThan": "615e3adc2042b7be4ad122a043fc9135e6342c90",
              "status": "affected",
              "version": "d2fe937ce6ce23daf5fb214e45432dbb631581b7",
              "versionType": "git"
            },
            {
              "lessThan": "ac2630fd3c90ffec34a0bfc4d413668538b0e8f2",
              "status": "affected",
              "version": "d2fe937ce6ce23daf5fb214e45432dbb631581b7",
              "versionType": "git"
            },
            {
              "lessThan": "ed790bd0903ed3352ebf7f650d910f49b7319b34",
              "status": "affected",
              "version": "d2fe937ce6ce23daf5fb214e45432dbb631581b7",
              "versionType": "git"
            },
            {
              "lessThan": "5108a2dc2db5630fb6cd58b8be80a0c134bc310a",
              "status": "affected",
              "version": "d2fe937ce6ce23daf5fb214e45432dbb631581b7",
              "versionType": "git"
            },
            {
              "lessThan": "342258fb46d66c1b4c7e2c3717ac01e10c03cf18",
              "status": "affected",
              "version": "d2fe937ce6ce23daf5fb214e45432dbb631581b7",
              "versionType": "git"
            },
            {
              "lessThan": "7c7bd4d561e9dc6f5b7df9e184974915f6701a89",
              "status": "affected",
              "version": "d2fe937ce6ce23daf5fb214e45432dbb631581b7",
              "versionType": "git"
            },
            {
              "lessThan": "4f973e211b3b1c6d36f7c6a19239d258856749f9",
              "status": "affected",
              "version": "d2fe937ce6ce23daf5fb214e45432dbb631581b7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/ulp/ipoib/ipoib_multicast.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.1"
            },
            {
              "lessThan": "4.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.307",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.269",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.210",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.307",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.269",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.210",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.149",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.77",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.16",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.4",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/ipoib: Fix mcast list locking\n\nReleasing the `priv-\u003elock` while iterating the `priv-\u003emulticast_list` in\n`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to\nremove the items while in the middle of iteration. If the mcast is removed\nwhile the lock was dropped, the for loop spins forever resulting in a hard\nlockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):\n\n    Task A (kworker/u72:2 below)       | Task B (kworker/u72:0 below)\n    -----------------------------------+-----------------------------------\n    ipoib_mcast_join_task(work)        | ipoib_ib_dev_flush_light(work)\n      spin_lock_irq(\u0026priv-\u003elock)       | __ipoib_ib_dev_flush(priv, ...)\n      list_for_each_entry(mcast,       | ipoib_mcast_dev_flush(dev = priv-\u003edev)\n          \u0026priv-\u003emulticast_list, list) |\n        ipoib_mcast_join(dev, mcast)   |\n          spin_unlock_irq(\u0026priv-\u003elock) |\n                                       |   spin_lock_irqsave(\u0026priv-\u003elock, flags)\n                                       |   list_for_each_entry_safe(mcast, tmcast,\n                                       |                  \u0026priv-\u003emulticast_list, list)\n                                       |     list_del(\u0026mcast-\u003elist);\n                                       |     list_add_tail(\u0026mcast-\u003elist, \u0026remove_list)\n                                       |   spin_unlock_irqrestore(\u0026priv-\u003elock, flags)\n          spin_lock_irq(\u0026priv-\u003elock)   |\n                                       |   ipoib_mcast_remove_list(\u0026remove_list)\n   (Here, `mcast` is no longer on the  |     list_for_each_entry_safe(mcast, tmcast,\n    `priv-\u003emulticast_list` and we keep |                            remove_list, list)\n    spinning on the `remove_list` of   |  \u003e\u003e\u003e  wait_for_completion(\u0026mcast-\u003edone)\n    the other thread which is blocked  |\n    and the list is still valid on     |\n    it\u0027s stack.)\n\nFix this by keeping the lock held and changing to GFP_ATOMIC to prevent\neventual sleeps.\nUnfortunately we could not reproduce the lockup and confirm this fix but\nbased on the code review I think this fix should address such lockups.\n\ncrash\u003e bc 31\nPID: 747      TASK: ff1c6a1a007e8000  CPU: 31   COMMAND: \"kworker/u72:2\"\n--\n    [exception RIP: ipoib_mcast_join_task+0x1b1]\n    RIP: ffffffffc0944ac1  RSP: ff646f199a8c7e00  RFLAGS: 00000002\n    RAX: 0000000000000000  RBX: ff1c6a1a04dc82f8  RCX: 0000000000000000\n                                  work (\u0026priv-\u003emcast_task{,.work})\n    RDX: ff1c6a192d60ac68  RSI: 0000000000000286  RDI: ff1c6a1a04dc8000\n           \u0026mcast-\u003elist\n    RBP: ff646f199a8c7e90   R8: ff1c699980019420   R9: ff1c6a1920c9a000\n    R10: ff646f199a8c7e00  R11: ff1c6a191a7d9800  R12: ff1c6a192d60ac00\n                                                         mcast\n    R13: ff1c6a1d82200000  R14: ff1c6a1a04dc8000  R15: ff1c6a1a04dc82d8\n           dev                    priv (\u0026priv-\u003elock)     \u0026priv-\u003emulticast_list (aka head)\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n--- \u003cNMI exception stack\u003e ---\n #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]\n #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967\n\ncrash\u003e rx ff646f199a8c7e68\nff646f199a8c7e68:  ff1c6a1a04dc82f8 \u003c\u003c\u003c work = \u0026priv-\u003emcast_task.work\n\ncrash\u003e list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000\n(empty)\n\ncrash\u003e ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000\n  mcast_task.work.func = 0xffffffffc0944910 \u003cipoib_mcast_join_task\u003e,\n  mcast_mutex.owner.counter = 0xff1c69998efec000\n\ncrash\u003e b 8\nPID: 8        TASK: ff1c69998efec000  CPU: 33   COMMAND: \"kworker/u72:0\"\n--\n #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646\n #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]\n #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]\n #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]\n #7 [ff\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T19:29:51.510Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4c8922ae8eb8dcc1e4b7d1059d97a8334288d825"
        },
        {
          "url": "https://git.kernel.org/stable/c/615e3adc2042b7be4ad122a043fc9135e6342c90"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac2630fd3c90ffec34a0bfc4d413668538b0e8f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed790bd0903ed3352ebf7f650d910f49b7319b34"
        },
        {
          "url": "https://git.kernel.org/stable/c/5108a2dc2db5630fb6cd58b8be80a0c134bc310a"
        },
        {
          "url": "https://git.kernel.org/stable/c/342258fb46d66c1b4c7e2c3717ac01e10c03cf18"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c7bd4d561e9dc6f5b7df9e184974915f6701a89"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f973e211b3b1c6d36f7c6a19239d258856749f9"
        }
      ],
      "title": "IB/ipoib: Fix mcast list locking",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52587",
    "datePublished": "2024-03-06T06:45:21.418Z",
    "dateReserved": "2024-03-02T21:55:42.570Z",
    "dateUpdated": "2026-05-11T19:29:51.510Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-52587",
      "date": "2026-05-30",
      "epss": "7e-05",
      "percentile": "0.00571"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52587\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-03-06T07:15:07.633\",\"lastModified\":\"2025-02-14T16:39:59.647\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nIB/ipoib: Fix mcast list locking\\n\\nReleasing the `priv-\u003elock` while iterating the `priv-\u003emulticast_list` in\\n`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to\\nremove the items while in the middle of iteration. If the mcast is removed\\nwhile the lock was dropped, the for loop spins forever resulting in a hard\\nlockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):\\n\\n    Task A (kworker/u72:2 below)       | Task B (kworker/u72:0 below)\\n    -----------------------------------+-----------------------------------\\n    ipoib_mcast_join_task(work)        | ipoib_ib_dev_flush_light(work)\\n      spin_lock_irq(\u0026priv-\u003elock)       | __ipoib_ib_dev_flush(priv, ...)\\n      list_for_each_entry(mcast,       | ipoib_mcast_dev_flush(dev = priv-\u003edev)\\n          \u0026priv-\u003emulticast_list, list) |\\n        ipoib_mcast_join(dev, mcast)   |\\n          spin_unlock_irq(\u0026priv-\u003elock) |\\n                                       |   spin_lock_irqsave(\u0026priv-\u003elock, flags)\\n                                       |   list_for_each_entry_safe(mcast, tmcast,\\n                                       |                  \u0026priv-\u003emulticast_list, list)\\n                                       |     list_del(\u0026mcast-\u003elist);\\n                                       |     list_add_tail(\u0026mcast-\u003elist, \u0026remove_list)\\n                                       |   spin_unlock_irqrestore(\u0026priv-\u003elock, flags)\\n          spin_lock_irq(\u0026priv-\u003elock)   |\\n                                       |   ipoib_mcast_remove_list(\u0026remove_list)\\n   (Here, `mcast` is no longer on the  |     list_for_each_entry_safe(mcast, tmcast,\\n    `priv-\u003emulticast_list` and we keep |                            remove_list, list)\\n    spinning on the `remove_list` of   |  \u003e\u003e\u003e  wait_for_completion(\u0026mcast-\u003edone)\\n    the other thread which is blocked  |\\n    and the list is still valid on     |\\n    it\u0027s stack.)\\n\\nFix this by keeping the lock held and changing to GFP_ATOMIC to prevent\\neventual sleeps.\\nUnfortunately we could not reproduce the lockup and confirm this fix but\\nbased on the code review I think this fix should address such lockups.\\n\\ncrash\u003e bc 31\\nPID: 747      TASK: ff1c6a1a007e8000  CPU: 31   COMMAND: \\\"kworker/u72:2\\\"\\n--\\n    [exception RIP: ipoib_mcast_join_task+0x1b1]\\n    RIP: ffffffffc0944ac1  RSP: ff646f199a8c7e00  RFLAGS: 00000002\\n    RAX: 0000000000000000  RBX: ff1c6a1a04dc82f8  RCX: 0000000000000000\\n                                  work (\u0026priv-\u003emcast_task{,.work})\\n    RDX: ff1c6a192d60ac68  RSI: 0000000000000286  RDI: ff1c6a1a04dc8000\\n           \u0026mcast-\u003elist\\n    RBP: ff646f199a8c7e90   R8: ff1c699980019420   R9: ff1c6a1920c9a000\\n    R10: ff646f199a8c7e00  R11: ff1c6a191a7d9800  R12: ff1c6a192d60ac00\\n                                                         mcast\\n    R13: ff1c6a1d82200000  R14: ff1c6a1a04dc8000  R15: ff1c6a1a04dc82d8\\n           dev                    priv (\u0026priv-\u003elock)     \u0026priv-\u003emulticast_list (aka head)\\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\\n--- \u003cNMI exception stack\u003e ---\\n #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]\\n #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967\\n\\ncrash\u003e rx ff646f199a8c7e68\\nff646f199a8c7e68:  ff1c6a1a04dc82f8 \u003c\u003c\u003c work = \u0026priv-\u003emcast_task.work\\n\\ncrash\u003e list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000\\n(empty)\\n\\ncrash\u003e ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000\\n  mcast_task.work.func = 0xffffffffc0944910 \u003cipoib_mcast_join_task\u003e,\\n  mcast_mutex.owner.counter = 0xff1c69998efec000\\n\\ncrash\u003e b 8\\nPID: 8        TASK: ff1c69998efec000  CPU: 33   COMMAND: \\\"kworker/u72:0\\\"\\n--\\n #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646\\n #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]\\n #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]\\n #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]\\n #7 [ff\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: IB/ipoib: corrige el bloqueo de la lista mcast Al liberar `priv-\u0026gt;lock` mientras se itera `priv-\u0026gt;multicast_list` en `ipoib_mcast_join_task()`, se abre una ventana para `ipoib_mcast_dev_flush( )` para eliminar los elementos mientras se encuentra en medio de la iteraci\u00f3n. Si se elimina mcast mientras se elimina el bloqueo, el bucle for gira para siempre, lo que resulta en un bloqueo total (como se inform\u00f3 en el kernel RHEL 4.18.0-372.75.1.el8_6): Tarea A (kworker/u72:2 a continuaci\u00f3n) | Tarea B (kworker/u72:0 a continuaci\u00f3n) -----------------------------------+---- ------------------------------- ipoib_mcast_join_task(trabajo) | ipoib_ib_dev_flush_light(trabajo) spin_lock_irq(\u0026amp;priv-\u0026gt;lock) | __ipoib_ib_dev_flush(priv, ...) list_for_each_entry(mcast, | ipoib_mcast_dev_flush(dev = priv-\u0026gt;dev) \u0026amp;priv-\u0026gt;multicast_list, lista) | ipoib_mcast_join(dev, mcast) | spin_unlock_irq(\u0026amp;priv-\u0026gt;bloquear) | | spin_lock_irqsave(\u0026amp;priv-\u0026gt;bloqueo, banderas) | list_for_each_entry_safe(mcast, tmcast, | \u0026amp;priv-\u0026gt;multicast_list, lista) | list_del(\u0026amp;mcast-\u0026gt;lista); | list_add_tail(\u0026amp;mcast-\u0026gt;lista, \u0026amp;remove_list) | spin_unlock_irqrestore(\u0026amp;priv-\u0026gt;bloquear, banderas) spin_lock_irq(\u0026amp;priv-\u0026gt;bloquear) | | ipoib_mcast_remove_list(\u0026amp;remove_list) (Aqu\u00ed, `mcast` ya no est\u00e1 en | list_for_each_entry_safe(mcast, tmcast, `priv-\u0026gt;multicast_list` y seguimos | remove_list, list) girando en `remove_list` de | \u0026gt;\u0026gt;\u0026gt; wait_for_completion(\u0026amp;mcast -\u0026gt;hecho) el otro hilo que est\u00e1 bloqueado | y la lista sigue siendo v\u00e1lida | en su pila.) Solucione este problema manteniendo el bloqueo mantenido y cambiando a GFP_ATOMIC para evitar eventuales suspensiones. Desafortunadamente, no pudimos reproducir el bloqueo y confirmar esta soluci\u00f3n, pero seg\u00fan la revisi\u00f3n del c\u00f3digo, creo que esta soluci\u00f3n deber\u00eda abordar dichos bloqueos. crash\u0026gt; bc 31 PID: 747 TAREA: ff1c6a1a007e8000 CPU: 31 COMANDO: \\\"kworker/u72:2\\\" -- [excepci\u00f3n RIP: ipoib_mcast_join_task+0x1b1] RIP: ffffffffc0944ac1 RSP: ff646f199a8c7e00 RFLAGS: 000000 02 RAX: 0000000000000000 RBX: ff1c6a1a04dc82f8 RCX: 00000000000000000 trabajo (\u0026amp;priv-\u0026gt;mcast_task{,.work}) RDX: ff1c6a192d60ac68 RSI: 0000000000000286 RDI: ff1c6a1a04dc8000 \u0026amp;mcast-\u0026gt;list RBP: ff646f199a8c7e90 R8: ff1c699980019420 R9: ff 1c6a1920c9a000 R10: ff646f199a8c7e00 R11: ff1c6a191a7d9800 R12: ff1c6a192d60ac00 mcast R13: ff1c6a1d82200000 R14: ff1c6a1a04dc8000 R15: ff1c6a1a04dc82d8 dev priv (\u0026amp;priv-\u0026gt;lock) \u0026amp;priv-\u0026gt;multicast_list (tambi\u00e9n conocido como head) ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 ---  --- #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 en ffffff ffc0944ac1 [ ib_ipoib] #6 [ff646f199a8c7e98] Process_one_work+0x1a7 en ffffffff9bf10967 crash\u0026gt; rx ff646f199a8c7e68 ff646f199a8c7e68: ff1c6a1a04dc82f8 \u0026lt;\u0026lt;\u0026lt; work = \u0026amp;priv-\u0026gt;mcast_task.work crash\u0026gt; lista -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000 (vac\u00edo) falla\u0026gt; ipoib_dev_priv.mcast_task.work. func,mcast_mutex.owner.counter ff1c6a1a04dc8000 mcast_task.work.func = 0xffffffffc0944910 , mcast_mutex.owner.counter = 0xff1c69998efec000 crash\u0026gt; b 8 PID: 8 TAREA: ff1c69998efec000 CPU: 33 COMANDO: \\\"kworker/u72:0\\\" -- #3 [ff646f1980153d50] wait_for_completion+0x96 en ffffffff9c7d7646 #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 en ffffffffc0944dc6 [ib_ipoib] #5 [ff646f1980153de8] ipoib_ mcast_dev_flush+0x1a7 en ffffffffc09455a7 [ib_ipoib] #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 en ffffffffc09431a4 [ib_ipoib] # 7 [ff ---truncado---\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-667\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.19.307\",\"matchCriteriaId\":\"4B4E1A83-9957-4265-94C0-516374C8CCFD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20\",\"versionEndExcluding\":\"5.4.269\",\"matchCriteriaId\":\"319545F3-D56C-4751-BEBF-0505478BBAE8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.210\",\"matchCriteriaId\":\"F5CB4CA6-A9A0-4AFD-9102-8CF94D708170\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.149\",\"matchCriteriaId\":\"0D0465BB-4053-4E15-9137-6696EBAE90FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.77\",\"matchCriteriaId\":\"0FA28946-970D-4F4D-B759-4E77B28809B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.16\",\"matchCriteriaId\":\"A5007D6A-4B58-423A-8A3A-A1A656A263C8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.7.4\",\"matchCriteriaId\":\"848BC44C-9D25-4557-A50A-4B8BF310FA78\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/342258fb46d66c1b4c7e2c3717ac01e10c03cf18\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4c8922ae8eb8dcc1e4b7d1059d97a8334288d825\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4f973e211b3b1c6d36f7c6a19239d258856749f9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5108a2dc2db5630fb6cd58b8be80a0c134bc310a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/615e3adc2042b7be4ad122a043fc9135e6342c90\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7c7bd4d561e9dc6f5b7df9e184974915f6701a89\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ac2630fd3c90ffec34a0bfc4d413668538b0e8f2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ed790bd0903ed3352ebf7f650d910f49b7319b34\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/342258fb46d66c1b4c7e2c3717ac01e10c03cf18\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4c8922ae8eb8dcc1e4b7d1059d97a8334288d825\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4f973e211b3b1c6d36f7c6a19239d258856749f9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5108a2dc2db5630fb6cd58b8be80a0c134bc310a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/615e3adc2042b7be4ad122a043fc9135e6342c90\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7c7bd4d561e9dc6f5b7df9e184974915f6701a89\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ac2630fd3c90ffec34a0bfc4d413668538b0e8f2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ed790bd0903ed3352ebf7f650d910f49b7319b34\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/4c8922ae8eb8dcc1e4b7d1059d97a8334288d825\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/615e3adc2042b7be4ad122a043fc9135e6342c90\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/ac2630fd3c90ffec34a0bfc4d413668538b0e8f2\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/ed790bd0903ed3352ebf7f650d910f49b7319b34\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/5108a2dc2db5630fb6cd58b8be80a0c134bc310a\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/342258fb46d66c1b4c7e2c3717ac01e10c03cf18\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/7c7bd4d561e9dc6f5b7df9e184974915f6701a89\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/4f973e211b3b1c6d36f7c6a19239d258856749f9\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T23:03:21.201Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-52587\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-08T18:50:41.278526Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:16.609Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"IB/ipoib: Fix mcast list locking\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"d2fe937ce6ce23daf5fb214e45432dbb631581b7\", \"lessThan\": \"4c8922ae8eb8dcc1e4b7d1059d97a8334288d825\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"d2fe937ce6ce23daf5fb214e45432dbb631581b7\", \"lessThan\": \"615e3adc2042b7be4ad122a043fc9135e6342c90\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"d2fe937ce6ce23daf5fb214e45432dbb631581b7\", \"lessThan\": \"ac2630fd3c90ffec34a0bfc4d413668538b0e8f2\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"d2fe937ce6ce23daf5fb214e45432dbb631581b7\", \"lessThan\": \"ed790bd0903ed3352ebf7f650d910f49b7319b34\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"d2fe937ce6ce23daf5fb214e45432dbb631581b7\", \"lessThan\": \"5108a2dc2db5630fb6cd58b8be80a0c134bc310a\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"d2fe937ce6ce23daf5fb214e45432dbb631581b7\", \"lessThan\": \"342258fb46d66c1b4c7e2c3717ac01e10c03cf18\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"d2fe937ce6ce23daf5fb214e45432dbb631581b7\", \"lessThan\": \"7c7bd4d561e9dc6f5b7df9e184974915f6701a89\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"d2fe937ce6ce23daf5fb214e45432dbb631581b7\", \"lessThan\": \"4f973e211b3b1c6d36f7c6a19239d258856749f9\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/infiniband/ulp/ipoib/ipoib_multicast.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.1\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.1\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.19.307\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.*\"}, {\"status\": \"unaffected\", \"version\": \"5.4.269\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.210\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.149\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.77\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.16\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.7.4\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.7.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/infiniband/ulp/ipoib/ipoib_multicast.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/4c8922ae8eb8dcc1e4b7d1059d97a8334288d825\"}, {\"url\": \"https://git.kernel.org/stable/c/615e3adc2042b7be4ad122a043fc9135e6342c90\"}, {\"url\": \"https://git.kernel.org/stable/c/ac2630fd3c90ffec34a0bfc4d413668538b0e8f2\"}, {\"url\": \"https://git.kernel.org/stable/c/ed790bd0903ed3352ebf7f650d910f49b7319b34\"}, {\"url\": \"https://git.kernel.org/stable/c/5108a2dc2db5630fb6cd58b8be80a0c134bc310a\"}, {\"url\": \"https://git.kernel.org/stable/c/342258fb46d66c1b4c7e2c3717ac01e10c03cf18\"}, {\"url\": \"https://git.kernel.org/stable/c/7c7bd4d561e9dc6f5b7df9e184974915f6701a89\"}, {\"url\": \"https://git.kernel.org/stable/c/4f973e211b3b1c6d36f7c6a19239d258856749f9\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nIB/ipoib: Fix mcast list locking\\n\\nReleasing the `priv-\u003elock` while iterating the `priv-\u003emulticast_list` in\\n`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to\\nremove the items while in the middle of iteration. If the mcast is removed\\nwhile the lock was dropped, the for loop spins forever resulting in a hard\\nlockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):\\n\\n    Task A (kworker/u72:2 below)       | Task B (kworker/u72:0 below)\\n    -----------------------------------+-----------------------------------\\n    ipoib_mcast_join_task(work)        | ipoib_ib_dev_flush_light(work)\\n      spin_lock_irq(\u0026priv-\u003elock)       | __ipoib_ib_dev_flush(priv, ...)\\n      list_for_each_entry(mcast,       | ipoib_mcast_dev_flush(dev = priv-\u003edev)\\n          \u0026priv-\u003emulticast_list, list) |\\n        ipoib_mcast_join(dev, mcast)   |\\n          spin_unlock_irq(\u0026priv-\u003elock) |\\n                                       |   spin_lock_irqsave(\u0026priv-\u003elock, flags)\\n                                       |   list_for_each_entry_safe(mcast, tmcast,\\n                                       |                  \u0026priv-\u003emulticast_list, list)\\n                                       |     list_del(\u0026mcast-\u003elist);\\n                                       |     list_add_tail(\u0026mcast-\u003elist, \u0026remove_list)\\n                                       |   spin_unlock_irqrestore(\u0026priv-\u003elock, flags)\\n          spin_lock_irq(\u0026priv-\u003elock)   |\\n                                       |   ipoib_mcast_remove_list(\u0026remove_list)\\n   (Here, `mcast` is no longer on the  |     list_for_each_entry_safe(mcast, tmcast,\\n    `priv-\u003emulticast_list` and we keep |                            remove_list, list)\\n    spinning on the `remove_list` of   |  \u003e\u003e\u003e  wait_for_completion(\u0026mcast-\u003edone)\\n    the other thread which is blocked  |\\n    and the list is still valid on     |\\n    it\u0027s stack.)\\n\\nFix this by keeping the lock held and changing to GFP_ATOMIC to prevent\\neventual sleeps.\\nUnfortunately we could not reproduce the lockup and confirm this fix but\\nbased on the code review I think this fix should address such lockups.\\n\\ncrash\u003e bc 31\\nPID: 747      TASK: ff1c6a1a007e8000  CPU: 31   COMMAND: \\\"kworker/u72:2\\\"\\n--\\n    [exception RIP: ipoib_mcast_join_task+0x1b1]\\n    RIP: ffffffffc0944ac1  RSP: ff646f199a8c7e00  RFLAGS: 00000002\\n    RAX: 0000000000000000  RBX: ff1c6a1a04dc82f8  RCX: 0000000000000000\\n                                  work (\u0026priv-\u003emcast_task{,.work})\\n    RDX: ff1c6a192d60ac68  RSI: 0000000000000286  RDI: ff1c6a1a04dc8000\\n           \u0026mcast-\u003elist\\n    RBP: ff646f199a8c7e90   R8: ff1c699980019420   R9: ff1c6a1920c9a000\\n    R10: ff646f199a8c7e00  R11: ff1c6a191a7d9800  R12: ff1c6a192d60ac00\\n                                                         mcast\\n    R13: ff1c6a1d82200000  R14: ff1c6a1a04dc8000  R15: ff1c6a1a04dc82d8\\n           dev                    priv (\u0026priv-\u003elock)     \u0026priv-\u003emulticast_list (aka head)\\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\\n--- \u003cNMI exception stack\u003e ---\\n #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]\\n #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967\\n\\ncrash\u003e rx ff646f199a8c7e68\\nff646f199a8c7e68:  ff1c6a1a04dc82f8 \u003c\u003c\u003c work = \u0026priv-\u003emcast_task.work\\n\\ncrash\u003e list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000\\n(empty)\\n\\ncrash\u003e ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000\\n  mcast_task.work.func = 0xffffffffc0944910 \u003cipoib_mcast_join_task\u003e,\\n  mcast_mutex.owner.counter = 0xff1c69998efec000\\n\\ncrash\u003e b 8\\nPID: 8        TASK: ff1c69998efec000  CPU: 33   COMMAND: \\\"kworker/u72:0\\\"\\n--\\n #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646\\n #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]\\n #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]\\n #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]\\n #7 [ff\\n---truncated---\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.19.307\", \"versionStartIncluding\": \"4.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.269\", \"versionStartIncluding\": \"4.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.210\", \"versionStartIncluding\": \"4.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.149\", \"versionStartIncluding\": \"4.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.77\", \"versionStartIncluding\": \"4.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.16\", \"versionStartIncluding\": \"4.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.7.4\", \"versionStartIncluding\": \"4.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8\", \"versionStartIncluding\": \"4.1\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-01-05T10:16:23.578Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-52587\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-05T10:16:23.578Z\", \"dateReserved\": \"2024-03-02T21:55:42.570Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-03-06T06:45:21.418Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.