cve/published/2022/CVE-2022-49265.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49265: PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove()

 When a genpd with GENPD_FLAG_IRQ_SAFE gets removed, the following
 sleep-in-atomic bug will be seen, as genpd_debug_remove() will be called
 with a spinlock being held.

 [    0.029183] BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1460
 [    0.029204] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 1, name: swapper/0
 [    0.029219] preempt_count: 1, expected: 0
 [    0.029230] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.17.0-rc4+ #489
 [    0.029245] Hardware name: Thundercomm TurboX CM2290 (DT)
 [    0.029256] Call trace:
 [    0.029265]  dump_backtrace.part.0+0xbc/0xd0
 [    0.029285]  show_stack+0x3c/0xa0
 [    0.029298]  dump_stack_lvl+0x7c/0xa0
 [    0.029311]  dump_stack+0x18/0x34
 [    0.029323]  __might_resched+0x10c/0x13c
 [    0.029338]  __might_sleep+0x4c/0x80
 [    0.029351]  down_read+0x24/0xd0
 [    0.029363]  lookup_one_len_unlocked+0x9c/0xcc
 [    0.029379]  lookup_positive_unlocked+0x10/0x50
 [    0.029392]  debugfs_lookup+0x68/0xac
 [    0.029406]  genpd_remove.part.0+0x12c/0x1b4
 [    0.029419]  of_genpd_remove_last+0xa8/0xd4
 [    0.029434]  psci_cpuidle_domain_probe+0x174/0x53c
 [    0.029449]  platform_probe+0x68/0xe0
 [    0.029462]  really_probe+0x190/0x430
 [    0.029473]  __driver_probe_device+0x90/0x18c
 [    0.029485]  driver_probe_device+0x40/0xe0
 [    0.029497]  __driver_attach+0xf4/0x1d0
 [    0.029508]  bus_for_each_dev+0x70/0xd0
 [    0.029523]  driver_attach+0x24/0x30
 [    0.029534]  bus_add_driver+0x164/0x22c
 [    0.029545]  driver_register+0x78/0x130
 [    0.029556]  __platform_driver_register+0x28/0x34
 [    0.029569]  psci_idle_init_domains+0x1c/0x28
 [    0.029583]  do_one_initcall+0x50/0x1b0
 [    0.029595]  kernel_init_freeable+0x214/0x280
 [    0.029609]  kernel_init+0x2c/0x13c
 [    0.029622]  ret_from_fork+0x10/0x20

 It doesn't seem necessary to call genpd_debug_remove() with the lock, so
 move it out from locking to fix the problem.

 The Linux kernel CVE team has assigned CVE-2022-49265 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.11 with commit 718072ceb211833f3c71724f49d733d636067191 and fixed in 5.15.33 with commit 2039163c30f886cf5638afd6993705ae9bb34a06
 	Issue introduced in 5.11 with commit 718072ceb211833f3c71724f49d733d636067191 and fixed in 5.16.19 with commit d1b6840d8fb9b35193d45d8fe6b4d830bfd20c3c
 	Issue introduced in 5.11 with commit 718072ceb211833f3c71724f49d733d636067191 and fixed in 5.17.2 with commit fee777ea77769cc5392a34805d9d73099a223fae
 	Issue introduced in 5.11 with commit 718072ceb211833f3c71724f49d733d636067191 and fixed in 5.18 with commit f6bfe8b5b2c2a5ac8bd2fc7bca3706e6c3fc26d8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49265
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/base/power/domain.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2039163c30f886cf5638afd6993705ae9bb34a06
 	https://git.kernel.org/stable/c/d1b6840d8fb9b35193d45d8fe6b4d830bfd20c3c
 	https://git.kernel.org/stable/c/fee777ea77769cc5392a34805d9d73099a223fae
 	https://git.kernel.org/stable/c/f6bfe8b5b2c2a5ac8bd2fc7bca3706e6c3fc26d8
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49265: PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove()

	When a genpd with GENPD_FLAG_IRQ_SAFE gets removed, the following
	sleep-in-atomic bug will be seen, as genpd_debug_remove() will be called
	with a spinlock being held.

	[ 0.029183] BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1460
	[ 0.029204] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 1, name: swapper/0
	[ 0.029219] preempt_count: 1, expected: 0
	[ 0.029230] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.17.0-rc4+ #489
	[ 0.029245] Hardware name: Thundercomm TurboX CM2290 (DT)
	[ 0.029256] Call trace:
	[ 0.029265] dump_backtrace.part.0+0xbc/0xd0
	[ 0.029285] show_stack+0x3c/0xa0
	[ 0.029298] dump_stack_lvl+0x7c/0xa0
	[ 0.029311] dump_stack+0x18/0x34
	[ 0.029323] __might_resched+0x10c/0x13c
	[ 0.029338] __might_sleep+0x4c/0x80
	[ 0.029351] down_read+0x24/0xd0
	[ 0.029363] lookup_one_len_unlocked+0x9c/0xcc
	[ 0.029379] lookup_positive_unlocked+0x10/0x50
	[ 0.029392] debugfs_lookup+0x68/0xac
	[ 0.029406] genpd_remove.part.0+0x12c/0x1b4
	[ 0.029419] of_genpd_remove_last+0xa8/0xd4
	[ 0.029434] psci_cpuidle_domain_probe+0x174/0x53c
	[ 0.029449] platform_probe+0x68/0xe0
	[ 0.029462] really_probe+0x190/0x430
	[ 0.029473] __driver_probe_device+0x90/0x18c
	[ 0.029485] driver_probe_device+0x40/0xe0
	[ 0.029497] __driver_attach+0xf4/0x1d0
	[ 0.029508] bus_for_each_dev+0x70/0xd0
	[ 0.029523] driver_attach+0x24/0x30
	[ 0.029534] bus_add_driver+0x164/0x22c
	[ 0.029545] driver_register+0x78/0x130
	[ 0.029556] __platform_driver_register+0x28/0x34
	[ 0.029569] psci_idle_init_domains+0x1c/0x28
	[ 0.029583] do_one_initcall+0x50/0x1b0
	[ 0.029595] kernel_init_freeable+0x214/0x280
	[ 0.029609] kernel_init+0x2c/0x13c
	[ 0.029622] ret_from_fork+0x10/0x20

	It doesn't seem necessary to call genpd_debug_remove() with the lock, so
	move it out from locking to fix the problem.

	The Linux kernel CVE team has assigned CVE-2022-49265 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.11 with commit 718072ceb211833f3c71724f49d733d636067191 and fixed in 5.15.33 with commit 2039163c30f886cf5638afd6993705ae9bb34a06
	Issue introduced in 5.11 with commit 718072ceb211833f3c71724f49d733d636067191 and fixed in 5.16.19 with commit d1b6840d8fb9b35193d45d8fe6b4d830bfd20c3c
	Issue introduced in 5.11 with commit 718072ceb211833f3c71724f49d733d636067191 and fixed in 5.17.2 with commit fee777ea77769cc5392a34805d9d73099a223fae
	Issue introduced in 5.11 with commit 718072ceb211833f3c71724f49d733d636067191 and fixed in 5.18 with commit f6bfe8b5b2c2a5ac8bd2fc7bca3706e6c3fc26d8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49265
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/base/power/domain.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2039163c30f886cf5638afd6993705ae9bb34a06
	https://git.kernel.org/stable/c/d1b6840d8fb9b35193d45d8fe6b4d830bfd20c3c
	https://git.kernel.org/stable/c/fee777ea77769cc5392a34805d9d73099a223fae
	https://git.kernel.org/stable/c/f6bfe8b5b2c2a5ac8bd2fc7bca3706e6c3fc26d8