cve/published/2021/CVE-2021-47229.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47229: PCI: aardvark: Fix kernel panic during PIO transfer

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 PCI: aardvark: Fix kernel panic during PIO transfer

 Trying to start a new PIO transfer by writing value 0 in PIO_START register
 when previous transfer has not yet completed (which is indicated by value 1
 in PIO_START) causes an External Abort on CPU, which results in kernel
 panic:

     SError Interrupt on CPU0, code 0xbf000002 -- SError
     Kernel panic - not syncing: Asynchronous SError Interrupt

 To prevent kernel panic, it is required to reject a new PIO transfer when
 previous one has not finished yet.

 If previous PIO transfer is not finished yet, the kernel may issue a new
 PIO request only if the previous PIO transfer timed out.

 In the past the root cause of this issue was incorrectly identified (as it
 often happens during link retraining or after link down event) and special
 hack was implemented in Trusted Firmware to catch all SError events in EL3,
 to ignore errors with code 0xbf000002 and not forwarding any other errors
 to kernel and instead throw panic from EL3 Trusted Firmware handler.

 Links to discussion and patches about this issue:
 https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=3c7dcdac5c50
 https://lore.kernel.org/linux-pci/20190316161243.29517-1-repk@triplefau.lt/
 https://lore.kernel.org/linux-pci/971be151d24312cc533989a64bd454b4@www.loen.fr/
 https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1541

 But the real cause was the fact that during link retraining or after link
 down event the PIO transfer may take longer time, up to the 1.44s until it
 times out. This increased probability that a new PIO transfer would be
 issued by kernel while previous one has not finished yet.

 After applying this change into the kernel, it is possible to revert the
 mentioned TF-A hack and SError events do not have to be caught in TF-A EL3.

 The Linux kernel CVE team has assigned CVE-2021-47229 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.14.240 with commit 400e6b1860c8be61388d0b77814c53260f96e17a
 	Fixed in 4.19.198 with commit b00a9aaa4be20ad6e3311fb78a485eae0899e89a
 	Fixed in 5.4.128 with commit 4c90f90a91d75c3c73dd633827c90e8746d9f54d
 	Fixed in 5.10.46 with commit 1a1dbc4473974867fe8c5f195c17b341c8e82867
 	Fixed in 5.12.13 with commit 3d213a4ddf49a860be6e795482c17f87e0c82b2a
 	Fixed in 5.13 with commit f18139966d072dab8e4398c95ce955a9742e04f7

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47229
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/pci/controller/pci-aardvark.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/400e6b1860c8be61388d0b77814c53260f96e17a
 	https://git.kernel.org/stable/c/b00a9aaa4be20ad6e3311fb78a485eae0899e89a
 	https://git.kernel.org/stable/c/4c90f90a91d75c3c73dd633827c90e8746d9f54d
 	https://git.kernel.org/stable/c/1a1dbc4473974867fe8c5f195c17b341c8e82867
 	https://git.kernel.org/stable/c/3d213a4ddf49a860be6e795482c17f87e0c82b2a
 	https://git.kernel.org/stable/c/f18139966d072dab8e4398c95ce955a9742e04f7
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47229: PCI: aardvark: Fix kernel panic during PIO transfer

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	PCI: aardvark: Fix kernel panic during PIO transfer

	Trying to start a new PIO transfer by writing value 0 in PIO_START register
	when previous transfer has not yet completed (which is indicated by value 1
	in PIO_START) causes an External Abort on CPU, which results in kernel
	panic:

	SError Interrupt on CPU0, code 0xbf000002 -- SError
	Kernel panic - not syncing: Asynchronous SError Interrupt

	To prevent kernel panic, it is required to reject a new PIO transfer when
	previous one has not finished yet.

	If previous PIO transfer is not finished yet, the kernel may issue a new
	PIO request only if the previous PIO transfer timed out.

	In the past the root cause of this issue was incorrectly identified (as it
	often happens during link retraining or after link down event) and special
	hack was implemented in Trusted Firmware to catch all SError events in EL3,
	to ignore errors with code 0xbf000002 and not forwarding any other errors
	to kernel and instead throw panic from EL3 Trusted Firmware handler.

	Links to discussion and patches about this issue:
	https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=3c7dcdac5c50
	https://lore.kernel.org/linux-pci/20190316161243.29517-1-repk@triplefau.lt/
	https://lore.kernel.org/linux-pci/971be151d24312cc533989a64bd454b4@www.loen.fr/
	https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1541

	But the real cause was the fact that during link retraining or after link
	down event the PIO transfer may take longer time, up to the 1.44s until it
	times out. This increased probability that a new PIO transfer would be
	issued by kernel while previous one has not finished yet.

	After applying this change into the kernel, it is possible to revert the
	mentioned TF-A hack and SError events do not have to be caught in TF-A EL3.

	The Linux kernel CVE team has assigned CVE-2021-47229 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.14.240 with commit 400e6b1860c8be61388d0b77814c53260f96e17a
	Fixed in 4.19.198 with commit b00a9aaa4be20ad6e3311fb78a485eae0899e89a
	Fixed in 5.4.128 with commit 4c90f90a91d75c3c73dd633827c90e8746d9f54d
	Fixed in 5.10.46 with commit 1a1dbc4473974867fe8c5f195c17b341c8e82867
	Fixed in 5.12.13 with commit 3d213a4ddf49a860be6e795482c17f87e0c82b2a
	Fixed in 5.13 with commit f18139966d072dab8e4398c95ce955a9742e04f7

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47229
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/pci/controller/pci-aardvark.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/400e6b1860c8be61388d0b77814c53260f96e17a
	https://git.kernel.org/stable/c/b00a9aaa4be20ad6e3311fb78a485eae0899e89a
	https://git.kernel.org/stable/c/4c90f90a91d75c3c73dd633827c90e8746d9f54d
	https://git.kernel.org/stable/c/1a1dbc4473974867fe8c5f195c17b341c8e82867
	https://git.kernel.org/stable/c/3d213a4ddf49a860be6e795482c17f87e0c82b2a
	https://git.kernel.org/stable/c/f18139966d072dab8e4398c95ce955a9742e04f7