cve/published/2021/CVE-2021-47212.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47212: net/mlx5: Update error handler for UCTX and UMEM

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/mlx5: Update error handler for UCTX and UMEM

 In the fast unload flow, the device state is set to internal error,
 which indicates that the driver started the destroy process.
 In this case, when a destroy command is being executed, it should return
 MLX5_CMD_STAT_OK.
 Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK
 instead of EIO.

 This fixes a call trace in the umem release process -
 [ 2633.536695] Call Trace:
 [ 2633.537518]  ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs]
 [ 2633.538596]  remove_client_context+0x8b/0xd0 [ib_core]
 [ 2633.539641]  disable_device+0x8c/0x130 [ib_core]
 [ 2633.540615]  __ib_unregister_device+0x35/0xa0 [ib_core]
 [ 2633.541640]  ib_unregister_device+0x21/0x30 [ib_core]
 [ 2633.542663]  __mlx5_ib_remove+0x38/0x90 [mlx5_ib]
 [ 2633.543640]  auxiliary_bus_remove+0x1e/0x30 [auxiliary]
 [ 2633.544661]  device_release_driver_internal+0x103/0x1f0
 [ 2633.545679]  bus_remove_device+0xf7/0x170
 [ 2633.546640]  device_del+0x181/0x410
 [ 2633.547606]  mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core]
 [ 2633.548777]  mlx5_unregister_device+0x27/0x40 [mlx5_core]
 [ 2633.549841]  mlx5_uninit_one+0x21/0xc0 [mlx5_core]
 [ 2633.550864]  remove_one+0x69/0xe0 [mlx5_core]
 [ 2633.551819]  pci_device_remove+0x3b/0xc0
 [ 2633.552731]  device_release_driver_internal+0x103/0x1f0
 [ 2633.553746]  unbind_store+0xf6/0x130
 [ 2633.554657]  kernfs_fop_write+0x116/0x190
 [ 2633.555567]  vfs_write+0xa5/0x1a0
 [ 2633.556407]  ksys_write+0x4f/0xb0
 [ 2633.557233]  do_syscall_64+0x5b/0x1a0
 [ 2633.558071]  entry_SYSCALL_64_after_hwframe+0x65/0xca
 [ 2633.559018] RIP: 0033:0x7f9977132648
 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55
 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
 [ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648
 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001
 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740
 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0
 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c
 [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---

 The Linux kernel CVE team has assigned CVE-2021-47212 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.2 with commit 6a6fabbfa3e8c656ff906ae999fb6856410fa4cd and fixed in 5.15.5 with commit a51a6da375d82aed5c8f83abd13e7d060421bd48
 	Issue introduced in 5.2 with commit 6a6fabbfa3e8c656ff906ae999fb6856410fa4cd and fixed in 5.16 with commit ba50cd9451f6c49cf0841c0a4a146ff6a2822699

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47212
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/mellanox/mlx5/core/cmd.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/a51a6da375d82aed5c8f83abd13e7d060421bd48
 	https://git.kernel.org/stable/c/ba50cd9451f6c49cf0841c0a4a146ff6a2822699
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47212: net/mlx5: Update error handler for UCTX and UMEM

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/mlx5: Update error handler for UCTX and UMEM

	In the fast unload flow, the device state is set to internal error,
	which indicates that the driver started the destroy process.
	In this case, when a destroy command is being executed, it should return
	MLX5_CMD_STAT_OK.
	Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK
	instead of EIO.

	This fixes a call trace in the umem release process -
	[ 2633.536695] Call Trace:
	[ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs]
	[ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core]
	[ 2633.539641] disable_device+0x8c/0x130 [ib_core]
	[ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core]
	[ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core]
	[ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib]
	[ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary]
	[ 2633.544661] device_release_driver_internal+0x103/0x1f0
	[ 2633.545679] bus_remove_device+0xf7/0x170
	[ 2633.546640] device_del+0x181/0x410
	[ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core]
	[ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core]
	[ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core]
	[ 2633.550864] remove_one+0x69/0xe0 [mlx5_core]
	[ 2633.551819] pci_device_remove+0x3b/0xc0
	[ 2633.552731] device_release_driver_internal+0x103/0x1f0
	[ 2633.553746] unbind_store+0xf6/0x130
	[ 2633.554657] kernfs_fop_write+0x116/0x190
	[ 2633.555567] vfs_write+0xa5/0x1a0
	[ 2633.556407] ksys_write+0x4f/0xb0
	[ 2633.557233] do_syscall_64+0x5b/0x1a0
	[ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca
	[ 2633.559018] RIP: 0033:0x7f9977132648
	[ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55
	[ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
	[ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648
	[ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001
	[ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740
	[ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0
	[ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c
	[ 2633.568725] ---[ end trace 10b4fe52945e544d ]---

	The Linux kernel CVE team has assigned CVE-2021-47212 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.2 with commit 6a6fabbfa3e8c656ff906ae999fb6856410fa4cd and fixed in 5.15.5 with commit a51a6da375d82aed5c8f83abd13e7d060421bd48
	Issue introduced in 5.2 with commit 6a6fabbfa3e8c656ff906ae999fb6856410fa4cd and fixed in 5.16 with commit ba50cd9451f6c49cf0841c0a4a146ff6a2822699

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47212
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/mellanox/mlx5/core/cmd.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/a51a6da375d82aed5c8f83abd13e7d060421bd48
	https://git.kernel.org/stable/c/ba50cd9451f6c49cf0841c0a4a146ff6a2822699