cve/published/2023/CVE-2023-53060.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-53060: igb: revert rtnl_lock() that causes deadlock

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 igb: revert rtnl_lock() that causes deadlock

 The commit 6faee3d4ee8b ("igb: Add lock to avoid data race") adds
 rtnl_lock to eliminate a false data race shown below

  (FREE from device detaching)      |   (USE from netdev core)
 igb_remove                         |  igb_ndo_get_vf_config
  igb_disable_sriov                 |  vf >= adapter->vfs_allocated_count?
   kfree(adapter->vf_data)          |
   adapter->vfs_allocated_count = 0 |
                                    |    memcpy(... adapter->vf_data[vf]

 The above race will never happen and the extra rtnl_lock causes deadlock
 below

 [  141.420169]  <TASK>
 [  141.420672]  __schedule+0x2dd/0x840
 [  141.421427]  schedule+0x50/0xc0
 [  141.422041]  schedule_preempt_disabled+0x11/0x20
 [  141.422678]  __mutex_lock.isra.13+0x431/0x6b0
 [  141.423324]  unregister_netdev+0xe/0x20
 [  141.423578]  igbvf_remove+0x45/0xe0 [igbvf]
 [  141.423791]  pci_device_remove+0x36/0xb0
 [  141.423990]  device_release_driver_internal+0xc1/0x160
 [  141.424270]  pci_stop_bus_device+0x6d/0x90
 [  141.424507]  pci_stop_and_remove_bus_device+0xe/0x20
 [  141.424789]  pci_iov_remove_virtfn+0xba/0x120
 [  141.425452]  sriov_disable+0x2f/0xf0
 [  141.425679]  igb_disable_sriov+0x4e/0x100 [igb]
 [  141.426353]  igb_remove+0xa0/0x130 [igb]
 [  141.426599]  pci_device_remove+0x36/0xb0
 [  141.426796]  device_release_driver_internal+0xc1/0x160
 [  141.427060]  driver_detach+0x44/0x90
 [  141.427253]  bus_remove_driver+0x55/0xe0
 [  141.427477]  pci_unregister_driver+0x2a/0xa0
 [  141.428296]  __x64_sys_delete_module+0x141/0x2b0
 [  141.429126]  ? mntput_no_expire+0x4a/0x240
 [  141.429363]  ? syscall_trace_enter.isra.19+0x126/0x1a0
 [  141.429653]  do_syscall_64+0x5b/0x80
 [  141.429847]  ? exit_to_user_mode_prepare+0x14d/0x1c0
 [  141.430109]  ? syscall_exit_to_user_mode+0x12/0x30
 [  141.430849]  ? do_syscall_64+0x67/0x80
 [  141.431083]  ? syscall_exit_to_user_mode_prepare+0x183/0x1b0
 [  141.431770]  ? syscall_exit_to_user_mode+0x12/0x30
 [  141.432482]  ? do_syscall_64+0x67/0x80
 [  141.432714]  ? exc_page_fault+0x64/0x140
 [  141.432911]  entry_SYSCALL_64_after_hwframe+0x72/0xdc

 Since the igb_disable_sriov() will call pci_disable_sriov() before
 releasing any resources, the netdev core will synchronize the cleanup to
 avoid any races. This patch removes the useless rtnl_(un)lock to guarantee
 correctness.

 The Linux kernel CVE team has assigned CVE-2023-53060 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.14.291 with commit 5773a1e6e5ba9f62c4573c57878d154fda269bc2 and fixed in 4.14.312 with commit 0dabb72b923e17cb3b4ac99ea1adc9ef35116930
 	Issue introduced in 4.19.256 with commit 2e8a30c1d994d91099fa8762f504b2ac9dce2cf7 and fixed in 4.19.280 with commit 7d845e9a485f287181ff81567c3900a8e7ad1e28
 	Issue introduced in 5.4.211 with commit 55197ba6d64d48f1948e6e1f52482e0e3e38e1bf and fixed in 5.4.240 with commit cd1e320ac0958298c2774605ad050483f33a21f2
 	Issue introduced in 5.10.138 with commit 0f516dcd1456b18b56a7de0c1f67b8a4aa54c2ef and fixed in 5.10.177 with commit 4d2626e10709ff8474ffd1a9db3cf4647569e89c
 	Issue introduced in 5.15.63 with commit 8ee44abe4cae06713db33e0a3b1e87bfb95b13ef and fixed in 5.15.105 with commit 66e5577cabc3d463eea540332727929d0ace41c6
 	Issue introduced in 6.0 with commit 6faee3d4ee8be0f0367d0c3d826afb3571b7a5e0 and fixed in 6.1.22 with commit 62a64645749926f9d75af82a96440941f22b046f
 	Issue introduced in 6.0 with commit 6faee3d4ee8be0f0367d0c3d826afb3571b7a5e0 and fixed in 6.2.9 with commit de91528d8ba274c614a2265077d695c61e31fd43
 	Issue introduced in 6.0 with commit 6faee3d4ee8be0f0367d0c3d826afb3571b7a5e0 and fixed in 6.3 with commit 65f69851e44d71248b952a687e44759a7abb5016
 	Issue introduced in 5.19.4 with commit 64c0c233a88591bb23569ae12eed7f74e5bd39ce

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-53060
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/intel/igb/igb_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0dabb72b923e17cb3b4ac99ea1adc9ef35116930
 	https://git.kernel.org/stable/c/7d845e9a485f287181ff81567c3900a8e7ad1e28
 	https://git.kernel.org/stable/c/cd1e320ac0958298c2774605ad050483f33a21f2
 	https://git.kernel.org/stable/c/4d2626e10709ff8474ffd1a9db3cf4647569e89c
 	https://git.kernel.org/stable/c/66e5577cabc3d463eea540332727929d0ace41c6
 	https://git.kernel.org/stable/c/62a64645749926f9d75af82a96440941f22b046f
 	https://git.kernel.org/stable/c/de91528d8ba274c614a2265077d695c61e31fd43
 	https://git.kernel.org/stable/c/65f69851e44d71248b952a687e44759a7abb5016
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-53060: igb: revert rtnl_lock() that causes deadlock

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	igb: revert rtnl_lock() that causes deadlock

	The commit 6faee3d4ee8b ("igb: Add lock to avoid data race") adds
	rtnl_lock to eliminate a false data race shown below

	(FREE from device detaching) \| (USE from netdev core)
	igb_remove \| igb_ndo_get_vf_config
	igb_disable_sriov \| vf >= adapter->vfs_allocated_count?
	kfree(adapter->vf_data) \|
	adapter->vfs_allocated_count = 0 \|
	\| memcpy(... adapter->vf_data[vf]

	The above race will never happen and the extra rtnl_lock causes deadlock
	below

	[ 141.420169] <TASK>
	[ 141.420672] __schedule+0x2dd/0x840
	[ 141.421427] schedule+0x50/0xc0
	[ 141.422041] schedule_preempt_disabled+0x11/0x20
	[ 141.422678] __mutex_lock.isra.13+0x431/0x6b0
	[ 141.423324] unregister_netdev+0xe/0x20
	[ 141.423578] igbvf_remove+0x45/0xe0 [igbvf]
	[ 141.423791] pci_device_remove+0x36/0xb0
	[ 141.423990] device_release_driver_internal+0xc1/0x160
	[ 141.424270] pci_stop_bus_device+0x6d/0x90
	[ 141.424507] pci_stop_and_remove_bus_device+0xe/0x20
	[ 141.424789] pci_iov_remove_virtfn+0xba/0x120
	[ 141.425452] sriov_disable+0x2f/0xf0
	[ 141.425679] igb_disable_sriov+0x4e/0x100 [igb]
	[ 141.426353] igb_remove+0xa0/0x130 [igb]
	[ 141.426599] pci_device_remove+0x36/0xb0
	[ 141.426796] device_release_driver_internal+0xc1/0x160
	[ 141.427060] driver_detach+0x44/0x90
	[ 141.427253] bus_remove_driver+0x55/0xe0
	[ 141.427477] pci_unregister_driver+0x2a/0xa0
	[ 141.428296] __x64_sys_delete_module+0x141/0x2b0
	[ 141.429126] ? mntput_no_expire+0x4a/0x240
	[ 141.429363] ? syscall_trace_enter.isra.19+0x126/0x1a0
	[ 141.429653] do_syscall_64+0x5b/0x80
	[ 141.429847] ? exit_to_user_mode_prepare+0x14d/0x1c0
	[ 141.430109] ? syscall_exit_to_user_mode+0x12/0x30
	[ 141.430849] ? do_syscall_64+0x67/0x80
	[ 141.431083] ? syscall_exit_to_user_mode_prepare+0x183/0x1b0
	[ 141.431770] ? syscall_exit_to_user_mode+0x12/0x30
	[ 141.432482] ? do_syscall_64+0x67/0x80
	[ 141.432714] ? exc_page_fault+0x64/0x140
	[ 141.432911] entry_SYSCALL_64_after_hwframe+0x72/0xdc

	Since the igb_disable_sriov() will call pci_disable_sriov() before
	releasing any resources, the netdev core will synchronize the cleanup to
	avoid any races. This patch removes the useless rtnl_(un)lock to guarantee
	correctness.

	The Linux kernel CVE team has assigned CVE-2023-53060 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.14.291 with commit 5773a1e6e5ba9f62c4573c57878d154fda269bc2 and fixed in 4.14.312 with commit 0dabb72b923e17cb3b4ac99ea1adc9ef35116930
	Issue introduced in 4.19.256 with commit 2e8a30c1d994d91099fa8762f504b2ac9dce2cf7 and fixed in 4.19.280 with commit 7d845e9a485f287181ff81567c3900a8e7ad1e28
	Issue introduced in 5.4.211 with commit 55197ba6d64d48f1948e6e1f52482e0e3e38e1bf and fixed in 5.4.240 with commit cd1e320ac0958298c2774605ad050483f33a21f2
	Issue introduced in 5.10.138 with commit 0f516dcd1456b18b56a7de0c1f67b8a4aa54c2ef and fixed in 5.10.177 with commit 4d2626e10709ff8474ffd1a9db3cf4647569e89c
	Issue introduced in 5.15.63 with commit 8ee44abe4cae06713db33e0a3b1e87bfb95b13ef and fixed in 5.15.105 with commit 66e5577cabc3d463eea540332727929d0ace41c6
	Issue introduced in 6.0 with commit 6faee3d4ee8be0f0367d0c3d826afb3571b7a5e0 and fixed in 6.1.22 with commit 62a64645749926f9d75af82a96440941f22b046f
	Issue introduced in 6.0 with commit 6faee3d4ee8be0f0367d0c3d826afb3571b7a5e0 and fixed in 6.2.9 with commit de91528d8ba274c614a2265077d695c61e31fd43
	Issue introduced in 6.0 with commit 6faee3d4ee8be0f0367d0c3d826afb3571b7a5e0 and fixed in 6.3 with commit 65f69851e44d71248b952a687e44759a7abb5016
	Issue introduced in 5.19.4 with commit 64c0c233a88591bb23569ae12eed7f74e5bd39ce

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53060
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/intel/igb/igb_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0dabb72b923e17cb3b4ac99ea1adc9ef35116930
	https://git.kernel.org/stable/c/7d845e9a485f287181ff81567c3900a8e7ad1e28
	https://git.kernel.org/stable/c/cd1e320ac0958298c2774605ad050483f33a21f2
	https://git.kernel.org/stable/c/4d2626e10709ff8474ffd1a9db3cf4647569e89c
	https://git.kernel.org/stable/c/66e5577cabc3d463eea540332727929d0ace41c6
	https://git.kernel.org/stable/c/62a64645749926f9d75af82a96440941f22b046f
	https://git.kernel.org/stable/c/de91528d8ba274c614a2265077d695c61e31fd43
	https://git.kernel.org/stable/c/65f69851e44d71248b952a687e44759a7abb5016