cve/published/2021/CVE-2021-47536.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47536: net/smc: fix wrong list_del in smc_lgr_cleanup_early

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/smc: fix wrong list_del in smc_lgr_cleanup_early

 smc_lgr_cleanup_early() meant to delete the link
 group from the link group list, but it deleted
 the list head by mistake.

 This may cause memory corruption since we didn't
 remove the real link group from the list and later
 memseted the link group structure.
 We got a list corruption panic when testing:

 [  231.277259] list_del corruption. prev->next should be ffff8881398a8000, but was 0000000000000000
 [  231.278222] ------------[ cut here ]------------
 [  231.278726] kernel BUG at lib/list_debug.c:53!
 [  231.279326] invalid opcode: 0000 [#1] SMP NOPTI
 [  231.279803] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.46+ #435
 [  231.280466] Hardware name: Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014
 [  231.281248] Workqueue: events smc_link_down_work
 [  231.281732] RIP: 0010:__list_del_entry_valid+0x70/0x90
 [  231.282258] Code: 4c 60 82 e8 7d cc 6a 00 0f 0b 48 89 fe 48 c7 c7 88 4c
 60 82 e8 6c cc 6a 00 0f 0b 48 89 fe 48 c7 c7 c0 4c 60 82 e8 5b cc 6a 00 <0f>
 0b 48 89 fe 48 c7 c7 00 4d 60 82 e8 4a cc 6a 00 0f 0b cc cc cc
 [  231.284146] RSP: 0018:ffffc90000033d58 EFLAGS: 00010292
 [  231.284685] RAX: 0000000000000054 RBX: ffff8881398a8000 RCX: 0000000000000000
 [  231.285415] RDX: 0000000000000001 RSI: ffff88813bc18040 RDI: ffff88813bc18040
 [  231.286141] RBP: ffffffff8305ad40 R08: 0000000000000003 R09: 0000000000000001
 [  231.286873] R10: ffffffff82803da0 R11: ffffc90000033b90 R12: 0000000000000001
 [  231.287606] R13: 0000000000000000 R14: ffff8881398a8000 R15: 0000000000000003
 [  231.288337] FS:  0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
 [  231.289160] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [  231.289754] CR2: 0000000000e72058 CR3: 000000010fa96006 CR4: 00000000003706f0
 [  231.290485] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 [  231.291211] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 [  231.291940] Call Trace:
 [  231.292211]  smc_lgr_terminate_sched+0x53/0xa0
 [  231.292677]  smc_switch_conns+0x75/0x6b0
 [  231.293085]  ? update_load_avg+0x1a6/0x590
 [  231.293517]  ? ttwu_do_wakeup+0x17/0x150
 [  231.293907]  ? update_load_avg+0x1a6/0x590
 [  231.294317]  ? newidle_balance+0xca/0x3d0
 [  231.294716]  smcr_link_down+0x50/0x1a0
 [  231.295090]  ? __wake_up_common_lock+0x77/0x90
 [  231.295534]  smc_link_down_work+0x46/0x60
 [  231.295933]  process_one_work+0x18b/0x350

 The Linux kernel CVE team has assigned CVE-2021-47536 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.5 with commit a0a62ee15a829ebf8aeec55a4f1688230439b3e0 and fixed in 5.10.84 with commit 77731fede297a23d26f2d169b4269466b2c82529
 	Issue introduced in 5.5 with commit a0a62ee15a829ebf8aeec55a4f1688230439b3e0 and fixed in 5.15.7 with commit 95518fe354d712dca6f431cf2a11b8f63bc9a66c
 	Issue introduced in 5.5 with commit a0a62ee15a829ebf8aeec55a4f1688230439b3e0 and fixed in 5.16 with commit 789b6cc2a5f9123b9c549b886fdc47c865cfe0ba

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47536
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/smc/smc_core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/77731fede297a23d26f2d169b4269466b2c82529
 	https://git.kernel.org/stable/c/95518fe354d712dca6f431cf2a11b8f63bc9a66c
 	https://git.kernel.org/stable/c/789b6cc2a5f9123b9c549b886fdc47c865cfe0ba
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47536: net/smc: fix wrong list_del in smc_lgr_cleanup_early

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/smc: fix wrong list_del in smc_lgr_cleanup_early

	smc_lgr_cleanup_early() meant to delete the link
	group from the link group list, but it deleted
	the list head by mistake.

	This may cause memory corruption since we didn't
	remove the real link group from the list and later
	memseted the link group structure.
	We got a list corruption panic when testing:

	[ 231.277259] list_del corruption. prev->next should be ffff8881398a8000, but was 0000000000000000
	[ 231.278222] ------------[ cut here ]------------
	[ 231.278726] kernel BUG at lib/list_debug.c:53!
	[ 231.279326] invalid opcode: 0000 [#1] SMP NOPTI
	[ 231.279803] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.46+ #435
	[ 231.280466] Hardware name: Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014
	[ 231.281248] Workqueue: events smc_link_down_work
	[ 231.281732] RIP: 0010:__list_del_entry_valid+0x70/0x90
	[ 231.282258] Code: 4c 60 82 e8 7d cc 6a 00 0f 0b 48 89 fe 48 c7 c7 88 4c
	60 82 e8 6c cc 6a 00 0f 0b 48 89 fe 48 c7 c7 c0 4c 60 82 e8 5b cc 6a 00 <0f>
	0b 48 89 fe 48 c7 c7 00 4d 60 82 e8 4a cc 6a 00 0f 0b cc cc cc
	[ 231.284146] RSP: 0018:ffffc90000033d58 EFLAGS: 00010292
	[ 231.284685] RAX: 0000000000000054 RBX: ffff8881398a8000 RCX: 0000000000000000
	[ 231.285415] RDX: 0000000000000001 RSI: ffff88813bc18040 RDI: ffff88813bc18040
	[ 231.286141] RBP: ffffffff8305ad40 R08: 0000000000000003 R09: 0000000000000001
	[ 231.286873] R10: ffffffff82803da0 R11: ffffc90000033b90 R12: 0000000000000001
	[ 231.287606] R13: 0000000000000000 R14: ffff8881398a8000 R15: 0000000000000003
	[ 231.288337] FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
	[ 231.289160] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 231.289754] CR2: 0000000000e72058 CR3: 000000010fa96006 CR4: 00000000003706f0
	[ 231.290485] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	[ 231.291211] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	[ 231.291940] Call Trace:
	[ 231.292211] smc_lgr_terminate_sched+0x53/0xa0
	[ 231.292677] smc_switch_conns+0x75/0x6b0
	[ 231.293085] ? update_load_avg+0x1a6/0x590
	[ 231.293517] ? ttwu_do_wakeup+0x17/0x150
	[ 231.293907] ? update_load_avg+0x1a6/0x590
	[ 231.294317] ? newidle_balance+0xca/0x3d0
	[ 231.294716] smcr_link_down+0x50/0x1a0
	[ 231.295090] ? __wake_up_common_lock+0x77/0x90
	[ 231.295534] smc_link_down_work+0x46/0x60
	[ 231.295933] process_one_work+0x18b/0x350

	The Linux kernel CVE team has assigned CVE-2021-47536 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.5 with commit a0a62ee15a829ebf8aeec55a4f1688230439b3e0 and fixed in 5.10.84 with commit 77731fede297a23d26f2d169b4269466b2c82529
	Issue introduced in 5.5 with commit a0a62ee15a829ebf8aeec55a4f1688230439b3e0 and fixed in 5.15.7 with commit 95518fe354d712dca6f431cf2a11b8f63bc9a66c
	Issue introduced in 5.5 with commit a0a62ee15a829ebf8aeec55a4f1688230439b3e0 and fixed in 5.16 with commit 789b6cc2a5f9123b9c549b886fdc47c865cfe0ba

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47536
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/smc/smc_core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/77731fede297a23d26f2d169b4269466b2c82529
	https://git.kernel.org/stable/c/95518fe354d712dca6f431cf2a11b8f63bc9a66c
	https://git.kernel.org/stable/c/789b6cc2a5f9123b9c549b886fdc47c865cfe0ba