cve/published/2021/CVE-2021-47435.mbox

From bippy-1.2.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2021-47435: dm: fix mempool NULL pointer race when completing IO

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

dm: fix mempool NULL pointer race when completing IO

dm_io_dec_pending() calls end_io_acct() first and will then dec md
in-flight pending count. But if a task is swapping DM table at same
time this can result in a crash due to mempool->elements being NULL:

task1                             task2
do_resume
 ->do_suspend
  ->dm_wait_for_completion
                                  bio_endio
				   ->clone_endio
				    ->dm_io_dec_pending
				     ->end_io_acct
				      ->wakeup task1
 ->dm_swap_table
  ->__bind
   ->__bind_mempools
    ->bioset_exit
     ->mempool_exit
                                     ->free_io

[ 67.330330] Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000000
......
[ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO)
[ 67.330510] pc : mempool_free+0x70/0xa0
[ 67.330515] lr : mempool_free+0x4c/0xa0
[ 67.330520] sp : ffffff8008013b20
[ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004
[ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8
[ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800
[ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800
[ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80
[ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c
[ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd
[ 67.330563] x15: 000000000093b41e x14: 0000000000000010
[ 67.330569] x13: 0000000000007f7a x12: 0000000034155555
[ 67.330574] x11: 0000000000000001 x10: 0000000000000001
[ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000
[ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a
[ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001
[ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8
[ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970
[ 67.330609] Call trace:
[ 67.330616] mempool_free+0x70/0xa0
[ 67.330627] bio_put+0xf8/0x110
[ 67.330638] dec_pending+0x13c/0x230
[ 67.330644] clone_endio+0x90/0x180
[ 67.330649] bio_endio+0x198/0x1b8
[ 67.330655] dec_pending+0x190/0x230
[ 67.330660] clone_endio+0x90/0x180
[ 67.330665] bio_endio+0x198/0x1b8
[ 67.330673] blk_update_request+0x214/0x428
[ 67.330683] scsi_end_request+0x2c/0x300
[ 67.330688] scsi_io_completion+0xa0/0x710
[ 67.330695] scsi_finish_command+0xd8/0x110
[ 67.330700] scsi_softirq_done+0x114/0x148
[ 67.330708] blk_done_softirq+0x74/0xd0
[ 67.330716] __do_softirq+0x18c/0x374
[ 67.330724] irq_exit+0xb4/0xb8
[ 67.330732] __handle_domain_irq+0x84/0xc0
[ 67.330737] gic_handle_irq+0x148/0x1b0
[ 67.330744] el1_irq+0xe8/0x190
[ 67.330753] lpm_cpuidle_enter+0x4f8/0x538
[ 67.330759] cpuidle_enter_state+0x1fc/0x398
[ 67.330764] cpuidle_enter+0x18/0x20
[ 67.330772] do_idle+0x1b4/0x290
[ 67.330778] cpu_startup_entry+0x20/0x28
[ 67.330786] secondary_start_kernel+0x160/0x170

Fix this by:
1) Establishing pointers to 'struct dm_io' members in
dm_io_dec_pending() so that they may be passed into end_io_acct()
_after_ free_io() is called.
2) Moving end_io_acct() after free_io().

The Linux kernel CVE team has assigned CVE-2021-47435 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 2.6.37 with commit 6a8736d10cb413be95ea443ba40f25c93f4ef9b2 and fixed in 4.9.313 with commit 9fb7cd5c7fef0f1c982e3cd27745a0dec260eaed
	Issue introduced in 2.6.37 with commit 6a8736d10cb413be95ea443ba40f25c93f4ef9b2 and fixed in 4.14.278 with commit d35aef9c60d310eff3eaddacce301efe877e2b7c
	Issue introduced in 2.6.37 with commit 6a8736d10cb413be95ea443ba40f25c93f4ef9b2 and fixed in 4.19.242 with commit 9e07272cca2ed76f7f6073f4444b1143828c8d87
	Issue introduced in 2.6.37 with commit 6a8736d10cb413be95ea443ba40f25c93f4ef9b2 and fixed in 5.4.193 with commit ad1393b92e5059218d055bfec8f4946d85ad04c4
	Issue introduced in 2.6.37 with commit 6a8736d10cb413be95ea443ba40f25c93f4ef9b2 and fixed in 5.10.113 with commit d29c78d3f9c5d2604548c1065bf1ec212728ea61
	Issue introduced in 2.6.37 with commit 6a8736d10cb413be95ea443ba40f25c93f4ef9b2 and fixed in 5.14.14 with commit 6e506f07c5b561d673dd0b0d8f7f420cc48024fb
	Issue introduced in 2.6.37 with commit 6a8736d10cb413be95ea443ba40f25c93f4ef9b2 and fixed in 5.15 with commit d208b89401e073de986dc891037c5a668f5d5d95

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47435
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/md/dm.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/9fb7cd5c7fef0f1c982e3cd27745a0dec260eaed
	https://git.kernel.org/stable/c/d35aef9c60d310eff3eaddacce301efe877e2b7c
	https://git.kernel.org/stable/c/9e07272cca2ed76f7f6073f4444b1143828c8d87
	https://git.kernel.org/stable/c/ad1393b92e5059218d055bfec8f4946d85ad04c4
	https://git.kernel.org/stable/c/d29c78d3f9c5d2604548c1065bf1ec212728ea61
	https://git.kernel.org/stable/c/6e506f07c5b561d673dd0b0d8f7f420cc48024fb
	https://git.kernel.org/stable/c/d208b89401e073de986dc891037c5a668f5d5d95