CVE-2024-27003

NameCVE-2024-27003
DescriptionIn the Linux kernel, the following vulnerability has been resolved: clk: Get runtime PM before walking tree for clk_summary Similar to the previous commit, we should make sure that all devices are runtime resumed before printing the clk_summary through debugfs. Failure to do so would result in a deadlock if the thread is resuming a device to print clk state and that device is also runtime resuming in another thread, e.g the screen is turning on and the display driver is starting up. We remove the calls to clk_pm_runtime_{get,put}() in this path because they're superfluous now that we know the devices are runtime resumed. This also squashes a bug where the return value of clk_pm_runtime_get() wasn't checked, leading to an RPM count underflow on error paths.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5680-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)jessie, jessie (lts)3.16.84-1vulnerable
stretch (security)4.9.320-2vulnerable
stretch (lts), stretch4.9.320-3vulnerable
buster4.19.249-2fixed
buster (security)4.19.304-1fixed
bullseye5.10.209-2fixed
bullseye (security)5.10.216-1fixed
bookworm6.1.76-1vulnerable
bookworm (security)6.1.90-1fixed
trixie6.7.12-1vulnerable
sid6.8.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsourcejessie(unfixed)end-of-life
linuxsourcestretch(unfixed)end-of-life
linuxsourcebuster(not affected)
linuxsourcebullseye(not affected)
linuxsourcebookworm6.1.90-1DSA-5680-1
linuxsource(unstable)6.8.9-1

Notes

[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
https://git.kernel.org/linus/9d1e795f754db1ac3344528b7af0b17b8146f321 (6.9-rc5)
Search for package or bug name: Reporting problems