Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2021 / CVE-2021-47387.mbox
blob: 3c500c20af6c3c5a4ffb474b2c9654941fcd9d99 [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2021-47387: cpufreq: schedutil: Use kobject release() method to free sugov_tunables
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: schedutil: Use kobject release() method to free sugov_tunables
The struct sugov_tunables is protected by the kobject, so we can't free
it directly. Otherwise we would get a call trace like this:
ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x30
WARNING: CPU: 3 PID: 720 at lib/debugobjects.c:505 debug_print_object+0xb8/0x100
Modules linked in:
CPU: 3 PID: 720 Comm: a.sh Tainted: G W 5.14.0-rc1-next-20210715-yocto-standard+ #507
Hardware name: Marvell OcteonTX CN96XX board (DT)
pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--)
pc : debug_print_object+0xb8/0x100
lr : debug_print_object+0xb8/0x100
sp : ffff80001ecaf910
x29: ffff80001ecaf910 x28: ffff00011b10b8d0 x27: ffff800011043d80
x26: ffff00011a8f0000 x25: ffff800013cb3ff0 x24: 0000000000000000
x23: ffff80001142aa68 x22: ffff800011043d80 x21: ffff00010de46f20
x20: ffff800013c0c520 x19: ffff800011d8f5b0 x18: 0000000000000010
x17: 6e6968207473696c x16: 5f72656d6974203a x15: 6570797420746365
x14: 6a626f2029302065 x13: 303378302f307830 x12: 2b6e665f72656d69
x11: ffff8000124b1560 x10: ffff800012331520 x9 : ffff8000100ca6b0
x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 0000000000000001
x5 : ffff800011d8c000 x4 : ffff800011d8c740 x3 : 0000000000000000
x2 : ffff0001108301c0 x1 : ab3c90eedf9c0f00 x0 : 0000000000000000
Call trace:
debug_print_object+0xb8/0x100
__debug_check_no_obj_freed+0x1c0/0x230
debug_check_no_obj_freed+0x20/0x88
slab_free_freelist_hook+0x154/0x1c8
kfree+0x114/0x5d0
sugov_exit+0xbc/0xc0
cpufreq_exit_governor+0x44/0x90
cpufreq_set_policy+0x268/0x4a8
store_scaling_governor+0xe0/0x128
store+0xc0/0xf0
sysfs_kf_write+0x54/0x80
kernfs_fop_write_iter+0x128/0x1c0
new_sync_write+0xf0/0x190
vfs_write+0x2d4/0x478
ksys_write+0x74/0x100
__arm64_sys_write+0x24/0x30
invoke_syscall.constprop.0+0x54/0xe0
do_el0_svc+0x64/0x158
el0_svc+0x2c/0xb0
el0t_64_sync_handler+0xb0/0xb8
el0t_64_sync+0x198/0x19c
irq event stamp: 5518
hardirqs last enabled at (5517): [<ffff8000100cbd7c>] console_unlock+0x554/0x6c8
hardirqs last disabled at (5518): [<ffff800010fc0638>] el1_dbg+0x28/0xa0
softirqs last enabled at (5504): [<ffff8000100106e0>] __do_softirq+0x4d0/0x6c0
softirqs last disabled at (5483): [<ffff800010049548>] irq_exit+0x1b0/0x1b8
So split the original sugov_tunables_free() into two functions,
sugov_clear_global_tunables() is just used to clear the global_tunables
and the new sugov_tunables_free() is used as kobj_type::release to
release the sugov_tunables safely.
The Linux kernel CVE team has assigned CVE-2021-47387 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.7 with commit 9bdcb44e391da5c41b98573bf0305a0e0b1c9569 and fixed in 4.9.285 with commit cb4a53ba37532c861a5f3f22803391018a41849a
Issue introduced in 4.7 with commit 9bdcb44e391da5c41b98573bf0305a0e0b1c9569 and fixed in 4.14.249 with commit 463c46705f321201090b69c4ad5da0cd2ce614c9
Issue introduced in 4.7 with commit 9bdcb44e391da5c41b98573bf0305a0e0b1c9569 and fixed in 4.19.209 with commit 30d57cf2c4116ca6d34ecd1cac94ad84f8bc446c
Issue introduced in 4.7 with commit 9bdcb44e391da5c41b98573bf0305a0e0b1c9569 and fixed in 5.4.151 with commit 67c98e023135ff81b8d52998a6fdb8ca0c518d82
Issue introduced in 4.7 with commit 9bdcb44e391da5c41b98573bf0305a0e0b1c9569 and fixed in 5.10.71 with commit a7d4fc84404d45d72f4490417e8cc3efa4af93f1
Issue introduced in 4.7 with commit 9bdcb44e391da5c41b98573bf0305a0e0b1c9569 and fixed in 5.14.10 with commit 8d62aec52a8c5b1d25a2364b243fcc5098a2ede9
Issue introduced in 4.7 with commit 9bdcb44e391da5c41b98573bf0305a0e0b1c9569 and fixed in 5.15 with commit e5c6b312ce3cc97e90ea159446e6bfa06645364d
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2021-47387
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
kernel/sched/cpufreq_schedutil.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/cb4a53ba37532c861a5f3f22803391018a41849a
https://git.kernel.org/stable/c/463c46705f321201090b69c4ad5da0cd2ce614c9
https://git.kernel.org/stable/c/30d57cf2c4116ca6d34ecd1cac94ad84f8bc446c
https://git.kernel.org/stable/c/67c98e023135ff81b8d52998a6fdb8ca0c518d82
https://git.kernel.org/stable/c/a7d4fc84404d45d72f4490417e8cc3efa4af93f1
https://git.kernel.org/stable/c/8d62aec52a8c5b1d25a2364b243fcc5098a2ede9
https://git.kernel.org/stable/c/e5c6b312ce3cc97e90ea159446e6bfa06645364d