cve/published/2022/CVE-2022-49313.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49313: drivers: usb: host: Fix deadlock in oxu_bus_suspend()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drivers: usb: host: Fix deadlock in oxu_bus_suspend()

 There is a deadlock in oxu_bus_suspend(), which is shown below:

    (Thread 1)              |      (Thread 2)
                            | timer_action()
 oxu_bus_suspend()          |  mod_timer()
  spin_lock_irq() //(1)     |  (wait a time)
  ...                       | oxu_watchdog()
  del_timer_sync()          |  spin_lock_irq() //(2)
  (wait timer to stop)      |  ...

 We hold oxu->lock in position (1) of thread 1, and use
 del_timer_sync() to wait timer to stop, but timer handler
 also need oxu->lock in position (2) of thread 2. As a result,
 oxu_bus_suspend() will block forever.

 This patch extracts del_timer_sync() from the protection of
 spin_lock_irq(), which could let timer handler to obtain
 the needed lock.

 The Linux kernel CVE team has assigned CVE-2022-49313 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.9.318 with commit 9b58d255f27b0ed6a2e43208960864d67579db58
 	Fixed in 4.14.283 with commit a3d380188bde8900c3f604e82b56572896499124
 	Fixed in 4.19.247 with commit f8242044c91cafbba9e320b0fb31abf2429a3221
 	Fixed in 5.4.198 with commit 2dcec0bc142be2096af71a5703d63237127db204
 	Fixed in 5.10.122 with commit ffe9440d698274c6462d2e304562c6ddfc8c84df
 	Fixed in 5.15.47 with commit d888753872190abd18f68a7d77b9c7c367f0a7ab
 	Fixed in 5.17.15 with commit 4187b291a76664a3c03d3f0d9bfadc8322881868
 	Fixed in 5.18.4 with commit b97aae8b43b718314012e8170b7e03dbfd2e7677
 	Fixed in 5.19 with commit 4d378f2ae58138d4c55684e1d274e7dd94aa6524

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49313
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/host/oxu210hp-hcd.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9b58d255f27b0ed6a2e43208960864d67579db58
 	https://git.kernel.org/stable/c/a3d380188bde8900c3f604e82b56572896499124
 	https://git.kernel.org/stable/c/f8242044c91cafbba9e320b0fb31abf2429a3221
 	https://git.kernel.org/stable/c/2dcec0bc142be2096af71a5703d63237127db204
 	https://git.kernel.org/stable/c/ffe9440d698274c6462d2e304562c6ddfc8c84df
 	https://git.kernel.org/stable/c/d888753872190abd18f68a7d77b9c7c367f0a7ab
 	https://git.kernel.org/stable/c/4187b291a76664a3c03d3f0d9bfadc8322881868
 	https://git.kernel.org/stable/c/b97aae8b43b718314012e8170b7e03dbfd2e7677
 	https://git.kernel.org/stable/c/4d378f2ae58138d4c55684e1d274e7dd94aa6524
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49313: drivers: usb: host: Fix deadlock in oxu_bus_suspend()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drivers: usb: host: Fix deadlock in oxu_bus_suspend()

	There is a deadlock in oxu_bus_suspend(), which is shown below:

	(Thread 1) \| (Thread 2)
	\| timer_action()
	oxu_bus_suspend() \| mod_timer()
	spin_lock_irq() //(1) \| (wait a time)
	... \| oxu_watchdog()
	del_timer_sync() \| spin_lock_irq() //(2)
	(wait timer to stop) \| ...

	We hold oxu->lock in position (1) of thread 1, and use
	del_timer_sync() to wait timer to stop, but timer handler
	also need oxu->lock in position (2) of thread 2. As a result,
	oxu_bus_suspend() will block forever.

	This patch extracts del_timer_sync() from the protection of
	spin_lock_irq(), which could let timer handler to obtain
	the needed lock.

	The Linux kernel CVE team has assigned CVE-2022-49313 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.9.318 with commit 9b58d255f27b0ed6a2e43208960864d67579db58
	Fixed in 4.14.283 with commit a3d380188bde8900c3f604e82b56572896499124
	Fixed in 4.19.247 with commit f8242044c91cafbba9e320b0fb31abf2429a3221
	Fixed in 5.4.198 with commit 2dcec0bc142be2096af71a5703d63237127db204
	Fixed in 5.10.122 with commit ffe9440d698274c6462d2e304562c6ddfc8c84df
	Fixed in 5.15.47 with commit d888753872190abd18f68a7d77b9c7c367f0a7ab
	Fixed in 5.17.15 with commit 4187b291a76664a3c03d3f0d9bfadc8322881868
	Fixed in 5.18.4 with commit b97aae8b43b718314012e8170b7e03dbfd2e7677
	Fixed in 5.19 with commit 4d378f2ae58138d4c55684e1d274e7dd94aa6524

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49313
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/host/oxu210hp-hcd.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9b58d255f27b0ed6a2e43208960864d67579db58
	https://git.kernel.org/stable/c/a3d380188bde8900c3f604e82b56572896499124
	https://git.kernel.org/stable/c/f8242044c91cafbba9e320b0fb31abf2429a3221
	https://git.kernel.org/stable/c/2dcec0bc142be2096af71a5703d63237127db204
	https://git.kernel.org/stable/c/ffe9440d698274c6462d2e304562c6ddfc8c84df
	https://git.kernel.org/stable/c/d888753872190abd18f68a7d77b9c7c367f0a7ab
	https://git.kernel.org/stable/c/4187b291a76664a3c03d3f0d9bfadc8322881868
	https://git.kernel.org/stable/c/b97aae8b43b718314012e8170b7e03dbfd2e7677
	https://git.kernel.org/stable/c/4d378f2ae58138d4c55684e1d274e7dd94aa6524