cve/published/2021/CVE-2021-47266.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47266: RDMA/ipoib: Fix warning caused by destroying non-initial netns

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 RDMA/ipoib: Fix warning caused by destroying non-initial netns

 After the commit 5ce2dced8e95 ("RDMA/ipoib: Set rtnl_link_ops for ipoib
 interfaces"), if the IPoIB device is moved to non-initial netns,
 destroying that netns lets the device vanish instead of moving it back to
 the initial netns, This is happening because default_device_exit() skips
 the interfaces due to having rtnl_link_ops set.

 Steps to reporoduce:
   ip netns add foo
   ip link set mlx5_ib0 netns foo
   ip netns delete foo

 WARNING: CPU: 1 PID: 704 at net/core/dev.c:11435 netdev_exit+0x3f/0x50
 Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT
 nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack
 nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink tun d
  fuse
 CPU: 1 PID: 704 Comm: kworker/u64:3 Tainted: G S      W  5.13.0-rc1+ #1
 Hardware name: Dell Inc. PowerEdge R630/02C2CP, BIOS 2.1.5 04/11/2016
 Workqueue: netns cleanup_net
 RIP: 0010:netdev_exit+0x3f/0x50
 Code: 48 8b bb 30 01 00 00 e8 ef 81 b1 ff 48 81 fb c0 3a 54 a1 74 13 48
 8b 83 90 00 00 00 48 81 c3 90 00 00 00 48 39 d8 75 02 5b c3 <0f> 0b 5b
 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 1f 44 00
 RSP: 0018:ffffb297079d7e08 EFLAGS: 00010206
 RAX: ffff8eb542c00040 RBX: ffff8eb541333150 RCX: 000000008010000d
 RDX: 000000008010000e RSI: 000000008010000d RDI: ffff8eb440042c00
 RBP: ffffb297079d7e48 R08: 0000000000000001 R09: ffffffff9fdeac00
 R10: ffff8eb5003be000 R11: 0000000000000001 R12: ffffffffa1545620
 R13: ffffffffa1545628 R14: 0000000000000000 R15: ffffffffa1543b20
 FS:  0000000000000000(0000) GS:ffff8ed37fa00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00005601b5f4c2e8 CR3: 0000001fc8c10002 CR4: 00000000003706e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  ops_exit_list.isra.9+0x36/0x70
  cleanup_net+0x234/0x390
  process_one_work+0x1cb/0x360
  ? process_one_work+0x360/0x360
  worker_thread+0x30/0x370
  ? process_one_work+0x360/0x360
  kthread+0x116/0x130
  ? kthread_park+0x80/0x80
  ret_from_fork+0x22/0x30

 To avoid the above warning and later on the kernel panic that could happen
 on shutdown due to a NULL pointer dereference, make sure to set the
 netns_refund flag that was introduced by commit 3a5ca857079e ("can: dev:
 Move device back to init netns on owning netns delete") to properly
 restore the IPoIB interfaces to the initial netns.

 The Linux kernel CVE team has assigned CVE-2021-47266 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4.73 with commit dc1d4c658b9c123e31054fffcbc0b23566694b1a and fixed in 5.4.126 with commit 64f1fb6acc2ab95982fc4334f351d7576c26f313
 	Issue introduced in 5.10 with commit 5ce2dced8e95e76ff7439863a118a053a7fc6f91 and fixed in 5.10.44 with commit 67cf4e447b5e5e9e94996cb6812ae2828e0e0e27
 	Issue introduced in 5.10 with commit 5ce2dced8e95e76ff7439863a118a053a7fc6f91 and fixed in 5.12.11 with commit 0a672f7d89db2da17ae02733ccc08458be72a6f8
 	Issue introduced in 5.10 with commit 5ce2dced8e95e76ff7439863a118a053a7fc6f91 and fixed in 5.13 with commit a3e74fb9247cd530dca246699d5eb5a691884d32
 	Issue introduced in 5.8.17 with commit 938e97b946ecf5aa3ccc04ff4ad116e92d894270
 	Issue introduced in 5.9.2 with commit 86e76dbea6379bb272bceb36fe4217f34ff6858d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47266
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/ulp/ipoib/ipoib_netlink.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/64f1fb6acc2ab95982fc4334f351d7576c26f313
 	https://git.kernel.org/stable/c/67cf4e447b5e5e9e94996cb6812ae2828e0e0e27
 	https://git.kernel.org/stable/c/0a672f7d89db2da17ae02733ccc08458be72a6f8
 	https://git.kernel.org/stable/c/a3e74fb9247cd530dca246699d5eb5a691884d32
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47266: RDMA/ipoib: Fix warning caused by destroying non-initial netns

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	RDMA/ipoib: Fix warning caused by destroying non-initial netns

	After the commit 5ce2dced8e95 ("RDMA/ipoib: Set rtnl_link_ops for ipoib
	interfaces"), if the IPoIB device is moved to non-initial netns,
	destroying that netns lets the device vanish instead of moving it back to
	the initial netns, This is happening because default_device_exit() skips
	the interfaces due to having rtnl_link_ops set.

	Steps to reporoduce:
	ip netns add foo
	ip link set mlx5_ib0 netns foo
	ip netns delete foo

	WARNING: CPU: 1 PID: 704 at net/core/dev.c:11435 netdev_exit+0x3f/0x50
	Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT
	nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack
	nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink tun d
	fuse
	CPU: 1 PID: 704 Comm: kworker/u64:3 Tainted: G S W 5.13.0-rc1+ #1
	Hardware name: Dell Inc. PowerEdge R630/02C2CP, BIOS 2.1.5 04/11/2016
	Workqueue: netns cleanup_net
	RIP: 0010:netdev_exit+0x3f/0x50
	Code: 48 8b bb 30 01 00 00 e8 ef 81 b1 ff 48 81 fb c0 3a 54 a1 74 13 48
	8b 83 90 00 00 00 48 81 c3 90 00 00 00 48 39 d8 75 02 5b c3 <0f> 0b 5b
	c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 1f 44 00
	RSP: 0018:ffffb297079d7e08 EFLAGS: 00010206
	RAX: ffff8eb542c00040 RBX: ffff8eb541333150 RCX: 000000008010000d
	RDX: 000000008010000e RSI: 000000008010000d RDI: ffff8eb440042c00
	RBP: ffffb297079d7e48 R08: 0000000000000001 R09: ffffffff9fdeac00
	R10: ffff8eb5003be000 R11: 0000000000000001 R12: ffffffffa1545620
	R13: ffffffffa1545628 R14: 0000000000000000 R15: ffffffffa1543b20
	FS: 0000000000000000(0000) GS:ffff8ed37fa00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00005601b5f4c2e8 CR3: 0000001fc8c10002 CR4: 00000000003706e0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	ops_exit_list.isra.9+0x36/0x70
	cleanup_net+0x234/0x390
	process_one_work+0x1cb/0x360
	? process_one_work+0x360/0x360
	worker_thread+0x30/0x370
	? process_one_work+0x360/0x360
	kthread+0x116/0x130
	? kthread_park+0x80/0x80
	ret_from_fork+0x22/0x30

	To avoid the above warning and later on the kernel panic that could happen
	on shutdown due to a NULL pointer dereference, make sure to set the
	netns_refund flag that was introduced by commit 3a5ca857079e ("can: dev:
	Move device back to init netns on owning netns delete") to properly
	restore the IPoIB interfaces to the initial netns.

	The Linux kernel CVE team has assigned CVE-2021-47266 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4.73 with commit dc1d4c658b9c123e31054fffcbc0b23566694b1a and fixed in 5.4.126 with commit 64f1fb6acc2ab95982fc4334f351d7576c26f313
	Issue introduced in 5.10 with commit 5ce2dced8e95e76ff7439863a118a053a7fc6f91 and fixed in 5.10.44 with commit 67cf4e447b5e5e9e94996cb6812ae2828e0e0e27
	Issue introduced in 5.10 with commit 5ce2dced8e95e76ff7439863a118a053a7fc6f91 and fixed in 5.12.11 with commit 0a672f7d89db2da17ae02733ccc08458be72a6f8
	Issue introduced in 5.10 with commit 5ce2dced8e95e76ff7439863a118a053a7fc6f91 and fixed in 5.13 with commit a3e74fb9247cd530dca246699d5eb5a691884d32
	Issue introduced in 5.8.17 with commit 938e97b946ecf5aa3ccc04ff4ad116e92d894270
	Issue introduced in 5.9.2 with commit 86e76dbea6379bb272bceb36fe4217f34ff6858d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47266
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/ulp/ipoib/ipoib_netlink.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/64f1fb6acc2ab95982fc4334f351d7576c26f313
	https://git.kernel.org/stable/c/67cf4e447b5e5e9e94996cb6812ae2828e0e0e27
	https://git.kernel.org/stable/c/0a672f7d89db2da17ae02733ccc08458be72a6f8
	https://git.kernel.org/stable/c/a3e74fb9247cd530dca246699d5eb5a691884d32