cve/published/2021/CVE-2021-47189.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47189: btrfs: fix memory ordering between normal and ordered work functions

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: fix memory ordering between normal and ordered work functions

 Ordered work functions aren't guaranteed to be handled by the same thread
 which executed the normal work functions. The only way execution between
 normal/ordered functions is synchronized is via the WORK_DONE_BIT,
 unfortunately the used bitops don't guarantee any ordering whatsoever.

 This manifested as seemingly inexplicable crashes on ARM64, where
 async_chunk::inode is seen as non-null in async_cow_submit which causes
 submit_compressed_extents to be called and crash occurs because
 async_chunk::inode suddenly became NULL. The call trace was similar to:

     pc : submit_compressed_extents+0x38/0x3d0
     lr : async_cow_submit+0x50/0xd0
     sp : ffff800015d4bc20

     <registers omitted for brevity>

     Call trace:
      submit_compressed_extents+0x38/0x3d0
      async_cow_submit+0x50/0xd0
      run_ordered_work+0xc8/0x280
      btrfs_work_helper+0x98/0x250
      process_one_work+0x1f0/0x4ac
      worker_thread+0x188/0x504
      kthread+0x110/0x114
      ret_from_fork+0x10/0x18

 Fix this by adding respective barrier calls which ensure that all
 accesses preceding setting of WORK_DONE_BIT are strictly ordered before
 setting the flag. At the same time add a read barrier after reading of
 WORK_DONE_BIT in run_ordered_work which ensures all subsequent loads
 would be strictly ordered after reading the bit. This in turn ensures
 are all accesses before WORK_DONE_BIT are going to be strictly ordered
 before any access that can occur in ordered_func.

 The Linux kernel CVE team has assigned CVE-2021-47189 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 4.4.293 with commit bd660a20fea3ec60a49709ef5360f145ec0fe779
 	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 4.9.291 with commit 637d652d351fd4f263ef302dc52f3971d314e500
 	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 4.14.256 with commit 804a9d239ae9cbe88e861a7cd62319cc6ec7b136
 	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 4.19.218 with commit ed058d735a70f4b063323f1a7bb33cda0f987513
 	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 5.4.162 with commit 670f6b3867c8f0f11e5097f353b164cecfec6179
 	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 5.10.82 with commit 6adbc07ebcaf8bead08b21687d49e0fc94400987
 	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 5.15.5 with commit 47e6f9f69153247109042010f3a77579e9dc61ff
 	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 5.16 with commit 45da9c1767ac31857df572f0a909fbe88fd5a7e9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47189
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/async-thread.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/bd660a20fea3ec60a49709ef5360f145ec0fe779
 	https://git.kernel.org/stable/c/637d652d351fd4f263ef302dc52f3971d314e500
 	https://git.kernel.org/stable/c/804a9d239ae9cbe88e861a7cd62319cc6ec7b136
 	https://git.kernel.org/stable/c/ed058d735a70f4b063323f1a7bb33cda0f987513
 	https://git.kernel.org/stable/c/670f6b3867c8f0f11e5097f353b164cecfec6179
 	https://git.kernel.org/stable/c/6adbc07ebcaf8bead08b21687d49e0fc94400987
 	https://git.kernel.org/stable/c/47e6f9f69153247109042010f3a77579e9dc61ff
 	https://git.kernel.org/stable/c/45da9c1767ac31857df572f0a909fbe88fd5a7e9
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47189: btrfs: fix memory ordering between normal and ordered work functions

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: fix memory ordering between normal and ordered work functions

	Ordered work functions aren't guaranteed to be handled by the same thread
	which executed the normal work functions. The only way execution between
	normal/ordered functions is synchronized is via the WORK_DONE_BIT,
	unfortunately the used bitops don't guarantee any ordering whatsoever.

	This manifested as seemingly inexplicable crashes on ARM64, where
	async_chunk::inode is seen as non-null in async_cow_submit which causes
	submit_compressed_extents to be called and crash occurs because
	async_chunk::inode suddenly became NULL. The call trace was similar to:

	pc : submit_compressed_extents+0x38/0x3d0
	lr : async_cow_submit+0x50/0xd0
	sp : ffff800015d4bc20

	<registers omitted for brevity>

	Call trace:
	submit_compressed_extents+0x38/0x3d0
	async_cow_submit+0x50/0xd0
	run_ordered_work+0xc8/0x280
	btrfs_work_helper+0x98/0x250
	process_one_work+0x1f0/0x4ac
	worker_thread+0x188/0x504
	kthread+0x110/0x114
	ret_from_fork+0x10/0x18

	Fix this by adding respective barrier calls which ensure that all
	accesses preceding setting of WORK_DONE_BIT are strictly ordered before
	setting the flag. At the same time add a read barrier after reading of
	WORK_DONE_BIT in run_ordered_work which ensures all subsequent loads
	would be strictly ordered after reading the bit. This in turn ensures
	are all accesses before WORK_DONE_BIT are going to be strictly ordered
	before any access that can occur in ordered_func.

	The Linux kernel CVE team has assigned CVE-2021-47189 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 4.4.293 with commit bd660a20fea3ec60a49709ef5360f145ec0fe779
	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 4.9.291 with commit 637d652d351fd4f263ef302dc52f3971d314e500
	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 4.14.256 with commit 804a9d239ae9cbe88e861a7cd62319cc6ec7b136
	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 4.19.218 with commit ed058d735a70f4b063323f1a7bb33cda0f987513
	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 5.4.162 with commit 670f6b3867c8f0f11e5097f353b164cecfec6179
	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 5.10.82 with commit 6adbc07ebcaf8bead08b21687d49e0fc94400987
	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 5.15.5 with commit 47e6f9f69153247109042010f3a77579e9dc61ff
	Issue introduced in 3.15 with commit 08a9ff3264181986d1d692a4e6fce3669700c9f8 and fixed in 5.16 with commit 45da9c1767ac31857df572f0a909fbe88fd5a7e9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47189
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/async-thread.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/bd660a20fea3ec60a49709ef5360f145ec0fe779
	https://git.kernel.org/stable/c/637d652d351fd4f263ef302dc52f3971d314e500
	https://git.kernel.org/stable/c/804a9d239ae9cbe88e861a7cd62319cc6ec7b136
	https://git.kernel.org/stable/c/ed058d735a70f4b063323f1a7bb33cda0f987513
	https://git.kernel.org/stable/c/670f6b3867c8f0f11e5097f353b164cecfec6179
	https://git.kernel.org/stable/c/6adbc07ebcaf8bead08b21687d49e0fc94400987
	https://git.kernel.org/stable/c/47e6f9f69153247109042010f3a77579e9dc61ff
	https://git.kernel.org/stable/c/45da9c1767ac31857df572f0a909fbe88fd5a7e9