cve/published/2022/CVE-2022-48985.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48985: net: mana: Fix race on per-CQ variable napi work_done

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: mana: Fix race on per-CQ variable napi work_done

 After calling napi_complete_done(), the NAPIF_STATE_SCHED bit may be
 cleared, and another CPU can start napi thread and access per-CQ variable,
 cq->work_done. If the other thread (for example, from busy_poll) sets
 it to a value >= budget, this thread will continue to run when it should
 stop, and cause memory corruption and panic.

 To fix this issue, save the per-CQ work_done variable in a local variable
 before napi_complete_done(), so it won't be corrupted by a possible
 concurrent thread after napi_complete_done().

 Also, add a flag bit to advertise to the NIC firmware: the NAPI work_done
 variable race is fixed, so the driver is able to reliably support features
 like busy_poll.

 The Linux kernel CVE team has assigned CVE-2022-48985 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15 with commit e1b5683ff62e7b328317aec08869495992053e9d and fixed in 5.15.83 with commit fe50a9bbeb1f042e756c5cfa7708112c944368de
 	Issue introduced in 5.15 with commit e1b5683ff62e7b328317aec08869495992053e9d and fixed in 6.0.13 with commit 6740d8572ccd1bca50d8a1ca2bedc333f50ed5f3
 	Issue introduced in 5.15 with commit e1b5683ff62e7b328317aec08869495992053e9d and fixed in 6.1 with commit 18010ff776fa42340efc428b3ea6d19b3e7c7b21

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48985
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/microsoft/mana/gdma.h
 	drivers/net/ethernet/microsoft/mana/mana_en.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/fe50a9bbeb1f042e756c5cfa7708112c944368de
 	https://git.kernel.org/stable/c/6740d8572ccd1bca50d8a1ca2bedc333f50ed5f3
 	https://git.kernel.org/stable/c/18010ff776fa42340efc428b3ea6d19b3e7c7b21
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48985: net: mana: Fix race on per-CQ variable napi work_done

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: mana: Fix race on per-CQ variable napi work_done

	After calling napi_complete_done(), the NAPIF_STATE_SCHED bit may be
	cleared, and another CPU can start napi thread and access per-CQ variable,
	cq->work_done. If the other thread (for example, from busy_poll) sets
	it to a value >= budget, this thread will continue to run when it should
	stop, and cause memory corruption and panic.

	To fix this issue, save the per-CQ work_done variable in a local variable
	before napi_complete_done(), so it won't be corrupted by a possible
	concurrent thread after napi_complete_done().

	Also, add a flag bit to advertise to the NIC firmware: the NAPI work_done
	variable race is fixed, so the driver is able to reliably support features
	like busy_poll.

	The Linux kernel CVE team has assigned CVE-2022-48985 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15 with commit e1b5683ff62e7b328317aec08869495992053e9d and fixed in 5.15.83 with commit fe50a9bbeb1f042e756c5cfa7708112c944368de
	Issue introduced in 5.15 with commit e1b5683ff62e7b328317aec08869495992053e9d and fixed in 6.0.13 with commit 6740d8572ccd1bca50d8a1ca2bedc333f50ed5f3
	Issue introduced in 5.15 with commit e1b5683ff62e7b328317aec08869495992053e9d and fixed in 6.1 with commit 18010ff776fa42340efc428b3ea6d19b3e7c7b21

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48985
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/microsoft/mana/gdma.h
	drivers/net/ethernet/microsoft/mana/mana_en.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/fe50a9bbeb1f042e756c5cfa7708112c944368de
	https://git.kernel.org/stable/c/6740d8572ccd1bca50d8a1ca2bedc333f50ed5f3
	https://git.kernel.org/stable/c/18010ff776fa42340efc428b3ea6d19b3e7c7b21