cve/published/2021/CVE-2021-47424.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47424: i40e: Fix freeing of uninitialized misc IRQ vector

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 i40e: Fix freeing of uninitialized misc IRQ vector

 When VSI set up failed in i40e_probe() as part of PF switch set up
 driver was trying to free misc IRQ vectors in
 i40e_clear_interrupt_scheme and produced a kernel Oops:

    Trying to free already-free IRQ 266
    WARNING: CPU: 0 PID: 5 at kernel/irq/manage.c:1731 __free_irq+0x9a/0x300
    Workqueue: events work_for_cpu_fn
    RIP: 0010:__free_irq+0x9a/0x300
    Call Trace:
    ? synchronize_irq+0x3a/0xa0
    free_irq+0x2e/0x60
    i40e_clear_interrupt_scheme+0x53/0x190 [i40e]
    i40e_probe.part.108+0x134b/0x1a40 [i40e]
    ? kmem_cache_alloc+0x158/0x1c0
    ? acpi_ut_update_ref_count.part.1+0x8e/0x345
    ? acpi_ut_update_object_reference+0x15e/0x1e2
    ? strstr+0x21/0x70
    ? irq_get_irq_data+0xa/0x20
    ? mp_check_pin_attr+0x13/0xc0
    ? irq_get_irq_data+0xa/0x20
    ? mp_map_pin_to_irq+0xd3/0x2f0
    ? acpi_register_gsi_ioapic+0x93/0x170
    ? pci_conf1_read+0xa4/0x100
    ? pci_bus_read_config_word+0x49/0x70
    ? do_pci_enable_device+0xcc/0x100
    local_pci_probe+0x41/0x90
    work_for_cpu_fn+0x16/0x20
    process_one_work+0x1a7/0x360
    worker_thread+0x1cf/0x390
    ? create_worker+0x1a0/0x1a0
    kthread+0x112/0x130
    ? kthread_flush_work_fn+0x10/0x10
    ret_from_fork+0x1f/0x40

 The problem is that at that point misc IRQ vectors
 were not allocated yet and we get a call trace
 that driver is trying to free already free IRQ vectors.

 Add a check in i40e_clear_interrupt_scheme for __I40E_MISC_IRQ_REQUESTED
 PF state before calling i40e_free_misc_vector. This state is set only if
 misc IRQ vectors were properly initialized.

 The Linux kernel CVE team has assigned CVE-2021-47424 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.15 with commit c17401a1dd210a5f22ab1ec7c7366037c158a14c and fixed in 4.19.211 with commit 60ad4cde0ad28921f9ea25b0201c774b95ffa4b4
 	Issue introduced in 4.15 with commit c17401a1dd210a5f22ab1ec7c7366037c158a14c and fixed in 5.4.153 with commit 17063cac4088b8e2fc0f633abddca5426ed58312
 	Issue introduced in 4.15 with commit c17401a1dd210a5f22ab1ec7c7366037c158a14c and fixed in 5.10.73 with commit 97aeed72af4f83ae51534f0a2473ff52f8d66236
 	Issue introduced in 4.15 with commit c17401a1dd210a5f22ab1ec7c7366037c158a14c and fixed in 5.14.12 with commit 75099439209d3cda439a1d9b00d19a50f0066fef
 	Issue introduced in 4.15 with commit c17401a1dd210a5f22ab1ec7c7366037c158a14c and fixed in 5.15 with commit 2e5a20573a926302b233b0c2e1077f5debc7ab2e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47424
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/intel/i40e/i40e_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/60ad4cde0ad28921f9ea25b0201c774b95ffa4b4
 	https://git.kernel.org/stable/c/17063cac4088b8e2fc0f633abddca5426ed58312
 	https://git.kernel.org/stable/c/97aeed72af4f83ae51534f0a2473ff52f8d66236
 	https://git.kernel.org/stable/c/75099439209d3cda439a1d9b00d19a50f0066fef
 	https://git.kernel.org/stable/c/2e5a20573a926302b233b0c2e1077f5debc7ab2e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47424: i40e: Fix freeing of uninitialized misc IRQ vector

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	i40e: Fix freeing of uninitialized misc IRQ vector

	When VSI set up failed in i40e_probe() as part of PF switch set up
	driver was trying to free misc IRQ vectors in
	i40e_clear_interrupt_scheme and produced a kernel Oops:

	Trying to free already-free IRQ 266
	WARNING: CPU: 0 PID: 5 at kernel/irq/manage.c:1731 __free_irq+0x9a/0x300
	Workqueue: events work_for_cpu_fn
	RIP: 0010:__free_irq+0x9a/0x300
	Call Trace:
	? synchronize_irq+0x3a/0xa0
	free_irq+0x2e/0x60
	i40e_clear_interrupt_scheme+0x53/0x190 [i40e]
	i40e_probe.part.108+0x134b/0x1a40 [i40e]
	? kmem_cache_alloc+0x158/0x1c0
	? acpi_ut_update_ref_count.part.1+0x8e/0x345
	? acpi_ut_update_object_reference+0x15e/0x1e2
	? strstr+0x21/0x70
	? irq_get_irq_data+0xa/0x20
	? mp_check_pin_attr+0x13/0xc0
	? irq_get_irq_data+0xa/0x20
	? mp_map_pin_to_irq+0xd3/0x2f0
	? acpi_register_gsi_ioapic+0x93/0x170
	? pci_conf1_read+0xa4/0x100
	? pci_bus_read_config_word+0x49/0x70
	? do_pci_enable_device+0xcc/0x100
	local_pci_probe+0x41/0x90
	work_for_cpu_fn+0x16/0x20
	process_one_work+0x1a7/0x360
	worker_thread+0x1cf/0x390
	? create_worker+0x1a0/0x1a0
	kthread+0x112/0x130
	? kthread_flush_work_fn+0x10/0x10
	ret_from_fork+0x1f/0x40

	The problem is that at that point misc IRQ vectors
	were not allocated yet and we get a call trace
	that driver is trying to free already free IRQ vectors.

	Add a check in i40e_clear_interrupt_scheme for __I40E_MISC_IRQ_REQUESTED
	PF state before calling i40e_free_misc_vector. This state is set only if
	misc IRQ vectors were properly initialized.

	The Linux kernel CVE team has assigned CVE-2021-47424 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.15 with commit c17401a1dd210a5f22ab1ec7c7366037c158a14c and fixed in 4.19.211 with commit 60ad4cde0ad28921f9ea25b0201c774b95ffa4b4
	Issue introduced in 4.15 with commit c17401a1dd210a5f22ab1ec7c7366037c158a14c and fixed in 5.4.153 with commit 17063cac4088b8e2fc0f633abddca5426ed58312
	Issue introduced in 4.15 with commit c17401a1dd210a5f22ab1ec7c7366037c158a14c and fixed in 5.10.73 with commit 97aeed72af4f83ae51534f0a2473ff52f8d66236
	Issue introduced in 4.15 with commit c17401a1dd210a5f22ab1ec7c7366037c158a14c and fixed in 5.14.12 with commit 75099439209d3cda439a1d9b00d19a50f0066fef
	Issue introduced in 4.15 with commit c17401a1dd210a5f22ab1ec7c7366037c158a14c and fixed in 5.15 with commit 2e5a20573a926302b233b0c2e1077f5debc7ab2e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47424
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/intel/i40e/i40e_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/60ad4cde0ad28921f9ea25b0201c774b95ffa4b4
	https://git.kernel.org/stable/c/17063cac4088b8e2fc0f633abddca5426ed58312
	https://git.kernel.org/stable/c/97aeed72af4f83ae51534f0a2473ff52f8d66236
	https://git.kernel.org/stable/c/75099439209d3cda439a1d9b00d19a50f0066fef
	https://git.kernel.org/stable/c/2e5a20573a926302b233b0c2e1077f5debc7ab2e