cve/published/2021/CVE-2021-47371.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: Fix memory leaks in nexthop notification chain listeners\n\nsyzkaller discovered memory leaks [1] that can be reduced to the\nfollowing commands:\n\n # ip nexthop add id 1 blackhole\n # devlink dev reload pci/0000:06:00.0\n\nAs part of the reload flow, mlxsw will unregister its netdevs and then\nunregister from the nexthop notification chain. Before unregistering\nfrom the notification chain, mlxsw will receive delete notifications for\nnexthop objects using netdevs registered by mlxsw or their uppers. mlxsw\nwill not receive notifications for nexthops using netdevs that are not\ndismantled as part of the reload flow. For example, the blackhole\nnexthop above that internally uses the loopback netdev as its nexthop\ndevice.\n\nOne way to fix this problem is to have listeners flush their nexthop\ntables after unregistering from the notification chain. This is\nerror-prone as evident by this patch and also not symmetric with the\nregistration path where a listener receives a dump of all the existing\nnexthops.\n\nTherefore, fix this problem by replaying delete notifications for the\nlistener being unregistered. This is symmetric to the registration path\nand also consistent with the netdev notification chain.\n\nThe above means that unregister_nexthop_notifier(), like\nregister_nexthop_notifier(), will have to take RTNL in order to iterate\nover the existing nexthops and that any callers of the function cannot\nhold RTNL. This is true for mlxsw and netdevsim, but not for the VXLAN\ndriver. To avoid a deadlock, change the latter to unregister its nexthop\nlistener without holding RTNL, making it symmetric to the registration\npath.\n\n[1]\nunreferenced object 0xffff88806173d600 (size 512):\n  comm \"syz-executor.0\", pid 1290, jiffies 4295583142 (age 143.507s)\n  hex dump (first 32 bytes):\n    41 9d 1e 60 80 88 ff ff 08 d6 73 61 80 88 ff ff  A..`......sa....\n    08 d6 73 61 80 88 ff ff 01 00 00 00 00 00 00 00  ..sa............\n  backtrace:\n    [<ffffffff81a6b576>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]\n    [<ffffffff81a6b576>] slab_post_alloc_hook+0x96/0x490 mm/slab.h:522\n    [<ffffffff81a716d3>] slab_alloc_node mm/slub.c:3206 [inline]\n    [<ffffffff81a716d3>] slab_alloc mm/slub.c:3214 [inline]\n    [<ffffffff81a716d3>] kmem_cache_alloc_trace+0x163/0x370 mm/slub.c:3231\n    [<ffffffff82e8681a>] kmalloc include/linux/slab.h:591 [inline]\n    [<ffffffff82e8681a>] kzalloc include/linux/slab.h:721 [inline]\n    [<ffffffff82e8681a>] mlxsw_sp_nexthop_obj_group_create drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:4918 [inline]\n    [<ffffffff82e8681a>] mlxsw_sp_nexthop_obj_new drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:5054 [inline]\n    [<ffffffff82e8681a>] mlxsw_sp_nexthop_obj_event+0x59a/0x2910 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:5239\n    [<ffffffff813ef67d>] notifier_call_chain+0xbd/0x210 kernel/notifier.c:83\n    [<ffffffff813f0662>] blocking_notifier_call_chain kernel/notifier.c:318 [inline]\n    [<ffffffff813f0662>] blocking_notifier_call_chain+0x72/0xa0 kernel/notifier.c:306\n    [<ffffffff8384b9c6>] call_nexthop_notifiers+0x156/0x310 net/ipv4/nexthop.c:244\n    [<ffffffff83852bd8>] insert_nexthop net/ipv4/nexthop.c:2336 [inline]\n    [<ffffffff83852bd8>] nexthop_add net/ipv4/nexthop.c:2644 [inline]\n    [<ffffffff83852bd8>] rtm_new_nexthop+0x14e8/0x4d10 net/ipv4/nexthop.c:2913\n    [<ffffffff833e9a78>] rtnetlink_rcv_msg+0x448/0xbf0 net/core/rtnetlink.c:5572\n    [<ffffffff83608703>] netlink_rcv_skb+0x173/0x480 net/netlink/af_netlink.c:2504\n    [<ffffffff833de032>] rtnetlink_rcv+0x22/0x30 net/core/rtnetlink.c:5590\n    [<ffffffff836069de>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]\n    [<ffffffff836069de>] netlink_unicast+0x5ae/0x7f0 net/netlink/af_netlink.c:1340\n    [<ffffffff83607501>] netlink_sendmsg+0x8e1/0xe30 net/netlink/af_netlink.c:1929\n    [<ffffffff832fde84>] sock_sendmsg_nosec net/socket.c:704 [inline\n---truncated---"
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "drivers/net/vxlan.c",
                   "net/ipv4/nexthop.c"
                ],
                "versions": [
                   {
                      "version": "2a014b200bbd973cc96e082a5bc445fe20b50f32",
                      "lessThan": "741760fa6252628a3d3afad439b72437d4b123d9",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "2a014b200bbd973cc96e082a5bc445fe20b50f32",
                      "lessThan": "3106a0847525befe3e22fc723909d1b21eb0d520",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "drivers/net/vxlan.c",
                   "net/ipv4/nexthop.c"
                ],
                "versions": [
                   {
                      "version": "5.11",
                      "status": "affected"
                   },
                   {
                      "version": "0",
                      "lessThan": "5.11",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.14.9",
                      "lessThanOrEqual": "5.14.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.15",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "cpeApplicability": [
             {
                "nodes": [
                   {
                      "operator": "OR",
                      "negate": false,
                      "cpeMatch": [
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.11",
                            "versionEndExcluding": "5.14.9"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.11",
                            "versionEndExcluding": "5.15"
                         }
                      ]
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/741760fa6252628a3d3afad439b72437d4b123d9"
             },
             {
                "url": "https://git.kernel.org/stable/c/3106a0847525befe3e22fc723909d1b21eb0d520"
             }
          ],
          "title": "nexthop: Fix memory leaks in nexthop notification chain listeners",
          "x_generator": {
             "engine": "bippy-1.2.0"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2021-47371",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: Fix memory leaks in nexthop notification chain listeners\n\nsyzkaller discovered memory leaks [1] that can be reduced to the\nfollowing commands:\n\n # ip nexthop add id 1 blackhole\n # devlink dev reload pci/0000:06:00.0\n\nAs part of the reload flow, mlxsw will unregister its netdevs and then\nunregister from the nexthop notification chain. Before unregistering\nfrom the notification chain, mlxsw will receive delete notifications for\nnexthop objects using netdevs registered by mlxsw or their uppers. mlxsw\nwill not receive notifications for nexthops using netdevs that are not\ndismantled as part of the reload flow. For example, the blackhole\nnexthop above that internally uses the loopback netdev as its nexthop\ndevice.\n\nOne way to fix this problem is to have listeners flush their nexthop\ntables after unregistering from the notification chain. This is\nerror-prone as evident by this patch and also not symmetric with the\nregistration path where a listener receives a dump of all the existing\nnexthops.\n\nTherefore, fix this problem by replaying delete notifications for the\nlistener being unregistered. This is symmetric to the registration path\nand also consistent with the netdev notification chain.\n\nThe above means that unregister_nexthop_notifier(), like\nregister_nexthop_notifier(), will have to take RTNL in order to iterate\nover the existing nexthops and that any callers of the function cannot\nhold RTNL. This is true for mlxsw and netdevsim, but not for the VXLAN\ndriver. To avoid a deadlock, change the latter to unregister its nexthop\nlistener without holding RTNL, making it symmetric to the registration\npath.\n\n[1]\nunreferenced object 0xffff88806173d600 (size 512):\n comm \"syz-executor.0\", pid 1290, jiffies 4295583142 (age 143.507s)\n hex dump (first 32 bytes):\n 41 9d 1e 60 80 88 ff ff 08 d6 73 61 80 88 ff ff A..`......sa....\n 08 d6 73 61 80 88 ff ff 01 00 00 00 00 00 00 00 ..sa............\n backtrace:\n [<ffffffff81a6b576>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]\n [<ffffffff81a6b576>] slab_post_alloc_hook+0x96/0x490 mm/slab.h:522\n [<ffffffff81a716d3>] slab_alloc_node mm/slub.c:3206 [inline]\n [<ffffffff81a716d3>] slab_alloc mm/slub.c:3214 [inline]\n [<ffffffff81a716d3>] kmem_cache_alloc_trace+0x163/0x370 mm/slub.c:3231\n [<ffffffff82e8681a>] kmalloc include/linux/slab.h:591 [inline]\n [<ffffffff82e8681a>] kzalloc include/linux/slab.h:721 [inline]\n [<ffffffff82e8681a>] mlxsw_sp_nexthop_obj_group_create drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:4918 [inline]\n [<ffffffff82e8681a>] mlxsw_sp_nexthop_obj_new drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:5054 [inline]\n [<ffffffff82e8681a>] mlxsw_sp_nexthop_obj_event+0x59a/0x2910 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:5239\n [<ffffffff813ef67d>] notifier_call_chain+0xbd/0x210 kernel/notifier.c:83\n [<ffffffff813f0662>] blocking_notifier_call_chain kernel/notifier.c:318 [inline]\n [<ffffffff813f0662>] blocking_notifier_call_chain+0x72/0xa0 kernel/notifier.c:306\n [<ffffffff8384b9c6>] call_nexthop_notifiers+0x156/0x310 net/ipv4/nexthop.c:244\n [<ffffffff83852bd8>] insert_nexthop net/ipv4/nexthop.c:2336 [inline]\n [<ffffffff83852bd8>] nexthop_add net/ipv4/nexthop.c:2644 [inline]\n [<ffffffff83852bd8>] rtm_new_nexthop+0x14e8/0x4d10 net/ipv4/nexthop.c:2913\n [<ffffffff833e9a78>] rtnetlink_rcv_msg+0x448/0xbf0 net/core/rtnetlink.c:5572\n [<ffffffff83608703>] netlink_rcv_skb+0x173/0x480 net/netlink/af_netlink.c:2504\n [<ffffffff833de032>] rtnetlink_rcv+0x22/0x30 net/core/rtnetlink.c:5590\n [<ffffffff836069de>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]\n [<ffffffff836069de>] netlink_unicast+0x5ae/0x7f0 net/netlink/af_netlink.c:1340\n [<ffffffff83607501>] netlink_sendmsg+0x8e1/0xe30 net/netlink/af_netlink.c:1929\n [<ffffffff832fde84>] sock_sendmsg_nosec net/socket.c:704 [inline\n---truncated---"
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"drivers/net/vxlan.c",
	"net/ipv4/nexthop.c"
	],
	"versions": [
	{
	"version": "2a014b200bbd973cc96e082a5bc445fe20b50f32",
	"lessThan": "741760fa6252628a3d3afad439b72437d4b123d9",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "2a014b200bbd973cc96e082a5bc445fe20b50f32",
	"lessThan": "3106a0847525befe3e22fc723909d1b21eb0d520",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"drivers/net/vxlan.c",
	"net/ipv4/nexthop.c"
	],
	"versions": [
	{
	"version": "5.11",
	"status": "affected"
	},
	{
	"version": "0",
	"lessThan": "5.11",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.14.9",
	"lessThanOrEqual": "5.14.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.15",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"cpeApplicability": [
	{
	"nodes": [
	{
	"operator": "OR",
	"negate": false,
	"cpeMatch": [
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.11",
	"versionEndExcluding": "5.14.9"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.11",
	"versionEndExcluding": "5.15"
	}
	]
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/741760fa6252628a3d3afad439b72437d4b123d9"
	},
	{
	"url": "https://git.kernel.org/stable/c/3106a0847525befe3e22fc723909d1b21eb0d520"
	}
	],
	"title": "nexthop: Fix memory leaks in nexthop notification chain listeners",
	"x_generator": {
	"engine": "bippy-1.2.0"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2021-47371",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}