cve/published/2021/CVE-2021-47468.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47468: isdn: mISDN: Fix sleeping function called from invalid context

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 isdn: mISDN: Fix sleeping function called from invalid context

 The driver can call card->isac.release() function from an atomic
 context.

 Fix this by calling this function after releasing the lock.

 The following log reveals it:

 [   44.168226 ] BUG: sleeping function called from invalid context at kernel/workqueue.c:3018
 [   44.168941 ] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 5475, name: modprobe
 [   44.169574 ] INFO: lockdep is turned off.
 [   44.169899 ] irq event stamp: 0
 [   44.170160 ] hardirqs last  enabled at (0): [<0000000000000000>] 0x0
 [   44.170627 ] hardirqs last disabled at (0): [<ffffffff814209ed>] copy_process+0x132d/0x3e00
 [   44.171240 ] softirqs last  enabled at (0): [<ffffffff81420a1a>] copy_process+0x135a/0x3e00
 [   44.171852 ] softirqs last disabled at (0): [<0000000000000000>] 0x0
 [   44.172318 ] Preemption disabled at:
 [   44.172320 ] [<ffffffffa009b0a9>] nj_release+0x69/0x500 [netjet]
 [   44.174441 ] Call Trace:
 [   44.174630 ]  dump_stack_lvl+0xa8/0xd1
 [   44.174912 ]  dump_stack+0x15/0x17
 [   44.175166 ]  ___might_sleep+0x3a2/0x510
 [   44.175459 ]  ? nj_release+0x69/0x500 [netjet]
 [   44.175791 ]  __might_sleep+0x82/0xe0
 [   44.176063 ]  ? start_flush_work+0x20/0x7b0
 [   44.176375 ]  start_flush_work+0x33/0x7b0
 [   44.176672 ]  ? trace_irq_enable_rcuidle+0x85/0x170
 [   44.177034 ]  ? kasan_quarantine_put+0xaa/0x1f0
 [   44.177372 ]  ? kasan_quarantine_put+0xaa/0x1f0
 [   44.177711 ]  __flush_work+0x11a/0x1a0
 [   44.177991 ]  ? flush_work+0x20/0x20
 [   44.178257 ]  ? lock_release+0x13c/0x8f0
 [   44.178550 ]  ? __kasan_check_write+0x14/0x20
 [   44.178872 ]  ? do_raw_spin_lock+0x148/0x360
 [   44.179187 ]  ? read_lock_is_recursive+0x20/0x20
 [   44.179530 ]  ? __kasan_check_read+0x11/0x20
 [   44.179846 ]  ? do_raw_spin_unlock+0x55/0x900
 [   44.180168 ]  ? ____kasan_slab_free+0x116/0x140
 [   44.180505 ]  ? _raw_spin_unlock_irqrestore+0x41/0x60
 [   44.180878 ]  ? skb_queue_purge+0x1a3/0x1c0
 [   44.181189 ]  ? kfree+0x13e/0x290
 [   44.181438 ]  flush_work+0x17/0x20
 [   44.181695 ]  mISDN_freedchannel+0xe8/0x100
 [   44.182006 ]  isac_release+0x210/0x260 [mISDNipac]
 [   44.182366 ]  nj_release+0xf6/0x500 [netjet]
 [   44.182685 ]  nj_remove+0x48/0x70 [netjet]
 [   44.182989 ]  pci_device_remove+0xa9/0x250

 The Linux kernel CVE team has assigned CVE-2021-47468 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.4.290 with commit 6f95c97e0f9d6eb39c3f2cb45e8fa4268d1b372b
 	Fixed in 4.9.288 with commit ef269a8808cb1759245a98a7fe16fceaebad894c
 	Fixed in 4.14.253 with commit 37e4f57b22cc5ebb3f80cf0f74fdeb487f082367
 	Fixed in 4.19.214 with commit a5b34409d3fc52114c828be4adbc30744fa3258b
 	Fixed in 5.4.156 with commit 4054b869dc263228d30a4755800b78f0f2ba0c89
 	Fixed in 5.10.76 with commit 9f591cbdbed3d7822b2bdba89b34a6d7b434317d
 	Fixed in 5.14.15 with commit f5966ba53013149bcf94e1536644a958dd00a026
 	Fixed in 5.15 with commit 6510e80a0b81b5d814e3aea6297ba42f5e76f73c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47468
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/isdn/hardware/mISDN/netjet.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/6f95c97e0f9d6eb39c3f2cb45e8fa4268d1b372b
 	https://git.kernel.org/stable/c/ef269a8808cb1759245a98a7fe16fceaebad894c
 	https://git.kernel.org/stable/c/37e4f57b22cc5ebb3f80cf0f74fdeb487f082367
 	https://git.kernel.org/stable/c/a5b34409d3fc52114c828be4adbc30744fa3258b
 	https://git.kernel.org/stable/c/4054b869dc263228d30a4755800b78f0f2ba0c89
 	https://git.kernel.org/stable/c/9f591cbdbed3d7822b2bdba89b34a6d7b434317d
 	https://git.kernel.org/stable/c/f5966ba53013149bcf94e1536644a958dd00a026
 	https://git.kernel.org/stable/c/6510e80a0b81b5d814e3aea6297ba42f5e76f73c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47468: isdn: mISDN: Fix sleeping function called from invalid context

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	isdn: mISDN: Fix sleeping function called from invalid context

	The driver can call card->isac.release() function from an atomic
	context.

	Fix this by calling this function after releasing the lock.

	The following log reveals it:

	[ 44.168226 ] BUG: sleeping function called from invalid context at kernel/workqueue.c:3018
	[ 44.168941 ] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 5475, name: modprobe
	[ 44.169574 ] INFO: lockdep is turned off.
	[ 44.169899 ] irq event stamp: 0
	[ 44.170160 ] hardirqs last enabled at (0): [<0000000000000000>] 0x0
	[ 44.170627 ] hardirqs last disabled at (0): [<ffffffff814209ed>] copy_process+0x132d/0x3e00
	[ 44.171240 ] softirqs last enabled at (0): [<ffffffff81420a1a>] copy_process+0x135a/0x3e00
	[ 44.171852 ] softirqs last disabled at (0): [<0000000000000000>] 0x0
	[ 44.172318 ] Preemption disabled at:
	[ 44.172320 ] [<ffffffffa009b0a9>] nj_release+0x69/0x500 [netjet]
	[ 44.174441 ] Call Trace:
	[ 44.174630 ] dump_stack_lvl+0xa8/0xd1
	[ 44.174912 ] dump_stack+0x15/0x17
	[ 44.175166 ] ___might_sleep+0x3a2/0x510
	[ 44.175459 ] ? nj_release+0x69/0x500 [netjet]
	[ 44.175791 ] __might_sleep+0x82/0xe0
	[ 44.176063 ] ? start_flush_work+0x20/0x7b0
	[ 44.176375 ] start_flush_work+0x33/0x7b0
	[ 44.176672 ] ? trace_irq_enable_rcuidle+0x85/0x170
	[ 44.177034 ] ? kasan_quarantine_put+0xaa/0x1f0
	[ 44.177372 ] ? kasan_quarantine_put+0xaa/0x1f0
	[ 44.177711 ] __flush_work+0x11a/0x1a0
	[ 44.177991 ] ? flush_work+0x20/0x20
	[ 44.178257 ] ? lock_release+0x13c/0x8f0
	[ 44.178550 ] ? __kasan_check_write+0x14/0x20
	[ 44.178872 ] ? do_raw_spin_lock+0x148/0x360
	[ 44.179187 ] ? read_lock_is_recursive+0x20/0x20
	[ 44.179530 ] ? __kasan_check_read+0x11/0x20
	[ 44.179846 ] ? do_raw_spin_unlock+0x55/0x900
	[ 44.180168 ] ? ____kasan_slab_free+0x116/0x140
	[ 44.180505 ] ? _raw_spin_unlock_irqrestore+0x41/0x60
	[ 44.180878 ] ? skb_queue_purge+0x1a3/0x1c0
	[ 44.181189 ] ? kfree+0x13e/0x290
	[ 44.181438 ] flush_work+0x17/0x20
	[ 44.181695 ] mISDN_freedchannel+0xe8/0x100
	[ 44.182006 ] isac_release+0x210/0x260 [mISDNipac]
	[ 44.182366 ] nj_release+0xf6/0x500 [netjet]
	[ 44.182685 ] nj_remove+0x48/0x70 [netjet]
	[ 44.182989 ] pci_device_remove+0xa9/0x250

	The Linux kernel CVE team has assigned CVE-2021-47468 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.4.290 with commit 6f95c97e0f9d6eb39c3f2cb45e8fa4268d1b372b
	Fixed in 4.9.288 with commit ef269a8808cb1759245a98a7fe16fceaebad894c
	Fixed in 4.14.253 with commit 37e4f57b22cc5ebb3f80cf0f74fdeb487f082367
	Fixed in 4.19.214 with commit a5b34409d3fc52114c828be4adbc30744fa3258b
	Fixed in 5.4.156 with commit 4054b869dc263228d30a4755800b78f0f2ba0c89
	Fixed in 5.10.76 with commit 9f591cbdbed3d7822b2bdba89b34a6d7b434317d
	Fixed in 5.14.15 with commit f5966ba53013149bcf94e1536644a958dd00a026
	Fixed in 5.15 with commit 6510e80a0b81b5d814e3aea6297ba42f5e76f73c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47468
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/isdn/hardware/mISDN/netjet.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/6f95c97e0f9d6eb39c3f2cb45e8fa4268d1b372b
	https://git.kernel.org/stable/c/ef269a8808cb1759245a98a7fe16fceaebad894c
	https://git.kernel.org/stable/c/37e4f57b22cc5ebb3f80cf0f74fdeb487f082367
	https://git.kernel.org/stable/c/a5b34409d3fc52114c828be4adbc30744fa3258b
	https://git.kernel.org/stable/c/4054b869dc263228d30a4755800b78f0f2ba0c89
	https://git.kernel.org/stable/c/9f591cbdbed3d7822b2bdba89b34a6d7b434317d
	https://git.kernel.org/stable/c/f5966ba53013149bcf94e1536644a958dd00a026
	https://git.kernel.org/stable/c/6510e80a0b81b5d814e3aea6297ba42f5e76f73c