cve/published/2021/CVE-2021-47555.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47555: net: vlan: fix underflow for the real_dev refcnt

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: vlan: fix underflow for the real_dev refcnt

 Inject error before dev_hold(real_dev) in register_vlan_dev(),
 and execute the following testcase:

 ip link add dev dummy1 type dummy
 ip link add name dummy1.100 link dummy1 type vlan id 100
 ip link del dev dummy1

 When the dummy netdevice is removed, we will get a WARNING as following:

 =======================================================================
 refcount_t: decrement hit 0; leaking memory.
 WARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0

 and an endless loop of:

 =======================================================================
 unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824

 That is because dev_put(real_dev) in vlan_dev_free() be called without
 dev_hold(real_dev) in register_vlan_dev(). It makes the refcnt of real_dev
 underflow.

 Move the dev_hold(real_dev) to vlan_dev_init() which is the call-back of
 ndo_init(). That makes dev_hold() and dev_put() for vlan's real_dev
 symmetrical.

 The Linux kernel CVE team has assigned CVE-2021-47555 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4.160 with commit 700602b662d7eaa816b1a3cb0abe7a85de358fd4 and fixed in 5.4.163 with commit 5e44178864b38dd70b877985abd7d86fdb95f27d
 	Issue introduced in 5.10.80 with commit e04a7a84bb77f9cdf4475340fe931389bc72331c and fixed in 5.10.83 with commit 6e800ee43218a56acc93676bbb3d93b74779e555
 	Issue introduced in 5.15.3 with commit 21032425c36ff85f16e72ca92193a8c401e4acd5 and fixed in 5.15.6 with commit f7fc72a508cf115c273a7a29350069def1041890
 	Issue introduced in 5.14.19 with commit fca96b3f852a1b369b7b2844ce357cd689879934

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47555
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/8021q/vlan.c
 	net/8021q/vlan_dev.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5e44178864b38dd70b877985abd7d86fdb95f27d
 	https://git.kernel.org/stable/c/6e800ee43218a56acc93676bbb3d93b74779e555
 	https://git.kernel.org/stable/c/f7fc72a508cf115c273a7a29350069def1041890
 	https://git.kernel.org/stable/c/01d9cc2dea3fde3bad6d27f464eff463496e2b00
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47555: net: vlan: fix underflow for the real_dev refcnt

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: vlan: fix underflow for the real_dev refcnt

	Inject error before dev_hold(real_dev) in register_vlan_dev(),
	and execute the following testcase:

	ip link add dev dummy1 type dummy
	ip link add name dummy1.100 link dummy1 type vlan id 100
	ip link del dev dummy1

	When the dummy netdevice is removed, we will get a WARNING as following:

	=======================================================================
	refcount_t: decrement hit 0; leaking memory.
	WARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0

	and an endless loop of:

	=======================================================================
	unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824

	That is because dev_put(real_dev) in vlan_dev_free() be called without
	dev_hold(real_dev) in register_vlan_dev(). It makes the refcnt of real_dev
	underflow.

	Move the dev_hold(real_dev) to vlan_dev_init() which is the call-back of
	ndo_init(). That makes dev_hold() and dev_put() for vlan's real_dev
	symmetrical.

	The Linux kernel CVE team has assigned CVE-2021-47555 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4.160 with commit 700602b662d7eaa816b1a3cb0abe7a85de358fd4 and fixed in 5.4.163 with commit 5e44178864b38dd70b877985abd7d86fdb95f27d
	Issue introduced in 5.10.80 with commit e04a7a84bb77f9cdf4475340fe931389bc72331c and fixed in 5.10.83 with commit 6e800ee43218a56acc93676bbb3d93b74779e555
	Issue introduced in 5.15.3 with commit 21032425c36ff85f16e72ca92193a8c401e4acd5 and fixed in 5.15.6 with commit f7fc72a508cf115c273a7a29350069def1041890
	Issue introduced in 5.14.19 with commit fca96b3f852a1b369b7b2844ce357cd689879934

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47555
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/8021q/vlan.c
	net/8021q/vlan_dev.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5e44178864b38dd70b877985abd7d86fdb95f27d
	https://git.kernel.org/stable/c/6e800ee43218a56acc93676bbb3d93b74779e555
	https://git.kernel.org/stable/c/f7fc72a508cf115c273a7a29350069def1041890
	https://git.kernel.org/stable/c/01d9cc2dea3fde3bad6d27f464eff463496e2b00