cve/published/2021/CVE-2021-46921.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-46921: locking/qrwlock: Fix ordering in queued_write_lock_slowpath()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 locking/qrwlock: Fix ordering in queued_write_lock_slowpath()

 While this code is executed with the wait_lock held, a reader can
 acquire the lock without holding wait_lock.  The writer side loops
 checking the value with the atomic_cond_read_acquire(), but only truly
 acquires the lock when the compare-and-exchange is completed
 successfully which isn’t ordered. This exposes the window between the
 acquire and the cmpxchg to an A-B-A problem which allows reads
 following the lock acquisition to observe values speculatively before
 the write lock is truly acquired.

 We've seen a problem in epoll where the reader does a xchg while
 holding the read lock, but the writer can see a value change out from
 under it.

   Writer                                | Reader
   --------------------------------------------------------------------------------
   ep_scan_ready_list()                  |
   |- write_lock_irq()                   |
       |- queued_write_lock_slowpath()   |
 	|- atomic_cond_read_acquire()   |
 				        | read_lock_irqsave(&ep->lock, flags);
      --> (observes value before unlock) |  chain_epi_lockless()
      |                                  |    epi->next = xchg(&ep->ovflist, epi);
      |                                  | read_unlock_irqrestore(&ep->lock, flags);
      |                                  |
      |     atomic_cmpxchg_relaxed()     |
      |-- READ_ONCE(ep->ovflist);        |

 A core can order the read of the ovflist ahead of the
 atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire
 semantics addresses this issue at which point the atomic_cond_read can
 be switched to use relaxed semantics.

 [peterz: use try_cmpxchg()]

 The Linux kernel CVE team has assigned CVE-2021-46921 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.15 with commit b519b56e378ee82caf9b079b04f5db87dedc3251 and fixed in 4.19.189 with commit 5902f9453a313be8fe78cbd7e7ca9dba9319fc6e
 	Issue introduced in 4.15 with commit b519b56e378ee82caf9b079b04f5db87dedc3251 and fixed in 5.4.115 with commit 82808cc026811fbc3ecf0c0b267a12a339eead56
 	Issue introduced in 4.15 with commit b519b56e378ee82caf9b079b04f5db87dedc3251 and fixed in 5.10.33 with commit 82fa9ced35d88581cffa4a1c856fc41fca96d80a
 	Issue introduced in 4.15 with commit b519b56e378ee82caf9b079b04f5db87dedc3251 and fixed in 5.11.17 with commit d558fcdb17139728347bccc60a16af3e639649d2
 	Issue introduced in 4.15 with commit b519b56e378ee82caf9b079b04f5db87dedc3251 and fixed in 5.12 with commit 84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-46921
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/locking/qrwlock.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5902f9453a313be8fe78cbd7e7ca9dba9319fc6e
 	https://git.kernel.org/stable/c/82808cc026811fbc3ecf0c0b267a12a339eead56
 	https://git.kernel.org/stable/c/82fa9ced35d88581cffa4a1c856fc41fca96d80a
 	https://git.kernel.org/stable/c/d558fcdb17139728347bccc60a16af3e639649d2
 	https://git.kernel.org/stable/c/84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-46921: locking/qrwlock: Fix ordering in queued_write_lock_slowpath()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	locking/qrwlock: Fix ordering in queued_write_lock_slowpath()

	While this code is executed with the wait_lock held, a reader can
	acquire the lock without holding wait_lock. The writer side loops
	checking the value with the atomic_cond_read_acquire(), but only truly
	acquires the lock when the compare-and-exchange is completed
	successfully which isn’t ordered. This exposes the window between the
	acquire and the cmpxchg to an A-B-A problem which allows reads
	following the lock acquisition to observe values speculatively before
	the write lock is truly acquired.

	We've seen a problem in epoll where the reader does a xchg while
	holding the read lock, but the writer can see a value change out from
	under it.

	Writer \| Reader
	--------------------------------------------------------------------------------
	ep_scan_ready_list() \|
	\|- write_lock_irq() \|
	\|- queued_write_lock_slowpath() \|
	\|- atomic_cond_read_acquire() \|
	\| read_lock_irqsave(&ep->lock, flags);
	--> (observes value before unlock) \| chain_epi_lockless()
	\| \| epi->next = xchg(&ep->ovflist, epi);
	\| \| read_unlock_irqrestore(&ep->lock, flags);
	\| \|
	\| atomic_cmpxchg_relaxed() \|
	\|-- READ_ONCE(ep->ovflist); \|

	A core can order the read of the ovflist ahead of the
	atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire
	semantics addresses this issue at which point the atomic_cond_read can
	be switched to use relaxed semantics.

	[peterz: use try_cmpxchg()]

	The Linux kernel CVE team has assigned CVE-2021-46921 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.15 with commit b519b56e378ee82caf9b079b04f5db87dedc3251 and fixed in 4.19.189 with commit 5902f9453a313be8fe78cbd7e7ca9dba9319fc6e
	Issue introduced in 4.15 with commit b519b56e378ee82caf9b079b04f5db87dedc3251 and fixed in 5.4.115 with commit 82808cc026811fbc3ecf0c0b267a12a339eead56
	Issue introduced in 4.15 with commit b519b56e378ee82caf9b079b04f5db87dedc3251 and fixed in 5.10.33 with commit 82fa9ced35d88581cffa4a1c856fc41fca96d80a
	Issue introduced in 4.15 with commit b519b56e378ee82caf9b079b04f5db87dedc3251 and fixed in 5.11.17 with commit d558fcdb17139728347bccc60a16af3e639649d2
	Issue introduced in 4.15 with commit b519b56e378ee82caf9b079b04f5db87dedc3251 and fixed in 5.12 with commit 84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46921
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/locking/qrwlock.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5902f9453a313be8fe78cbd7e7ca9dba9319fc6e
	https://git.kernel.org/stable/c/82808cc026811fbc3ecf0c0b267a12a339eead56
	https://git.kernel.org/stable/c/82fa9ced35d88581cffa4a1c856fc41fca96d80a
	https://git.kernel.org/stable/c/d558fcdb17139728347bccc60a16af3e639649d2
	https://git.kernel.org/stable/c/84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896