cve/published/2021/CVE-2021-47225.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47225: mac80211: fix deadlock in AP/VLAN handling

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mac80211: fix deadlock in AP/VLAN handling

 Syzbot reports that when you have AP_VLAN interfaces that are up
 and close the AP interface they belong to, we get a deadlock. No
 surprise - since we dev_close() them with the wiphy mutex held,
 which goes back into the netdev notifier in cfg80211 and tries to
 acquire the wiphy mutex there.

 To fix this, we need to do two things:
  1) prevent changing iftype while AP_VLANs are up, we can't
     easily fix this case since cfg80211 already calls us with
     the wiphy mutex held, but change_interface() is relatively
     rare in drivers anyway, so changing iftype isn't used much
     (and userspace has to fall back to down/change/up anyway)
  2) pull the dev_close() loop over VLANs out of the wiphy mutex
     section in the normal stop case

 The Linux kernel CVE team has assigned CVE-2021-47225 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.12 with commit a05829a7222e9d10c416dd2dbbf3929fe6646b89 and fixed in 5.12.13 with commit 8043903fcb72f545c52e3ec74d6fd82ef79ce7c5
 	Issue introduced in 5.12 with commit a05829a7222e9d10c416dd2dbbf3929fe6646b89 and fixed in 5.13 with commit d5befb224edbe53056c2c18999d630dafb4a08b9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47225
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mac80211/iface.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8043903fcb72f545c52e3ec74d6fd82ef79ce7c5
 	https://git.kernel.org/stable/c/d5befb224edbe53056c2c18999d630dafb4a08b9
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47225: mac80211: fix deadlock in AP/VLAN handling

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mac80211: fix deadlock in AP/VLAN handling

	Syzbot reports that when you have AP_VLAN interfaces that are up
	and close the AP interface they belong to, we get a deadlock. No
	surprise - since we dev_close() them with the wiphy mutex held,
	which goes back into the netdev notifier in cfg80211 and tries to
	acquire the wiphy mutex there.

	To fix this, we need to do two things:
	1) prevent changing iftype while AP_VLANs are up, we can't
	easily fix this case since cfg80211 already calls us with
	the wiphy mutex held, but change_interface() is relatively
	rare in drivers anyway, so changing iftype isn't used much
	(and userspace has to fall back to down/change/up anyway)
	2) pull the dev_close() loop over VLANs out of the wiphy mutex
	section in the normal stop case

	The Linux kernel CVE team has assigned CVE-2021-47225 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.12 with commit a05829a7222e9d10c416dd2dbbf3929fe6646b89 and fixed in 5.12.13 with commit 8043903fcb72f545c52e3ec74d6fd82ef79ce7c5
	Issue introduced in 5.12 with commit a05829a7222e9d10c416dd2dbbf3929fe6646b89 and fixed in 5.13 with commit d5befb224edbe53056c2c18999d630dafb4a08b9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47225
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mac80211/iface.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8043903fcb72f545c52e3ec74d6fd82ef79ce7c5
	https://git.kernel.org/stable/c/d5befb224edbe53056c2c18999d630dafb4a08b9