cve/published/2022/CVE-2022-49379.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49379: driver core: Fix wait_for_device_probe() & deferred_probe_timeout interaction

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 driver core: Fix wait_for_device_probe() & deferred_probe_timeout interaction

 Mounting NFS rootfs was timing out when deferred_probe_timeout was
 non-zero [1].  This was because ip_auto_config() initcall times out
 waiting for the network interfaces to show up when
 deferred_probe_timeout was non-zero. While ip_auto_config() calls
 wait_for_device_probe() to make sure any currently running deferred
 probe work or asynchronous probe finishes, that wasn't sufficient to
 account for devices being deferred until deferred_probe_timeout.

 Commit 35a672363ab3 ("driver core: Ensure wait_for_device_probe() waits
 until the deferred_probe_timeout fires") tried to fix that by making
 sure wait_for_device_probe() waits for deferred_probe_timeout to expire
 before returning.

 However, if wait_for_device_probe() is called from the kernel_init()
 context:

 - Before deferred_probe_initcall() [2], it causes the boot process to
   hang due to a deadlock.

 - After deferred_probe_initcall() [3], it blocks kernel_init() from
   continuing till deferred_probe_timeout expires and beats the point of
   deferred_probe_timeout that's trying to wait for userspace to load
   modules.

 Neither of this is good. So revert the changes to
 wait_for_device_probe().

 [1] - https://lore.kernel.org/lkml/TYAPR01MB45443DF63B9EF29054F7C41FD8C60@TYAPR01MB4544.jpnprd01.prod.outlook.com/
 [2] - https://lore.kernel.org/lkml/YowHNo4sBjr9ijZr@dev-arch.thelio-3990X/
 [3] - https://lore.kernel.org/lkml/Yo3WvGnNk3LvLb7R@linutronix.de/

 The Linux kernel CVE team has assigned CVE-2022-49379 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.7 with commit 35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe and fixed in 5.10.122 with commit 71cbce75031aed26c72c2dc8a83111d181685f1b
 	Issue introduced in 5.7 with commit 35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe and fixed in 5.15.47 with commit 29357883a89193863f3cc6a2c5e0b42ceb022761
 	Issue introduced in 5.7 with commit 35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe and fixed in 5.17.15 with commit 528229474e1cbb1b3451cb713d94aecb5f6ee264
 	Issue introduced in 5.7 with commit 35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe and fixed in 5.18.4 with commit 4ad6af07efcca85369c21e4897b3020cff2c170b
 	Issue introduced in 5.7 with commit 35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe and fixed in 5.19 with commit 5ee76c256e928455212ab759c51d198fedbe7523

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49379
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/base/dd.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/71cbce75031aed26c72c2dc8a83111d181685f1b
 	https://git.kernel.org/stable/c/29357883a89193863f3cc6a2c5e0b42ceb022761
 	https://git.kernel.org/stable/c/528229474e1cbb1b3451cb713d94aecb5f6ee264
 	https://git.kernel.org/stable/c/4ad6af07efcca85369c21e4897b3020cff2c170b
 	https://git.kernel.org/stable/c/5ee76c256e928455212ab759c51d198fedbe7523
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49379: driver core: Fix wait_for_device_probe() & deferred_probe_timeout interaction

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	driver core: Fix wait_for_device_probe() & deferred_probe_timeout interaction

	Mounting NFS rootfs was timing out when deferred_probe_timeout was
	non-zero [1]. This was because ip_auto_config() initcall times out
	waiting for the network interfaces to show up when
	deferred_probe_timeout was non-zero. While ip_auto_config() calls
	wait_for_device_probe() to make sure any currently running deferred
	probe work or asynchronous probe finishes, that wasn't sufficient to
	account for devices being deferred until deferred_probe_timeout.

	Commit 35a672363ab3 ("driver core: Ensure wait_for_device_probe() waits
	until the deferred_probe_timeout fires") tried to fix that by making
	sure wait_for_device_probe() waits for deferred_probe_timeout to expire
	before returning.

	However, if wait_for_device_probe() is called from the kernel_init()
	context:

	- Before deferred_probe_initcall() [2], it causes the boot process to
	hang due to a deadlock.

	- After deferred_probe_initcall() [3], it blocks kernel_init() from
	continuing till deferred_probe_timeout expires and beats the point of
	deferred_probe_timeout that's trying to wait for userspace to load
	modules.

	Neither of this is good. So revert the changes to
	wait_for_device_probe().

	[1] - https://lore.kernel.org/lkml/TYAPR01MB45443DF63B9EF29054F7C41FD8C60@TYAPR01MB4544.jpnprd01.prod.outlook.com/
	[2] - https://lore.kernel.org/lkml/YowHNo4sBjr9ijZr@dev-arch.thelio-3990X/
	[3] - https://lore.kernel.org/lkml/Yo3WvGnNk3LvLb7R@linutronix.de/

	The Linux kernel CVE team has assigned CVE-2022-49379 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.7 with commit 35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe and fixed in 5.10.122 with commit 71cbce75031aed26c72c2dc8a83111d181685f1b
	Issue introduced in 5.7 with commit 35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe and fixed in 5.15.47 with commit 29357883a89193863f3cc6a2c5e0b42ceb022761
	Issue introduced in 5.7 with commit 35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe and fixed in 5.17.15 with commit 528229474e1cbb1b3451cb713d94aecb5f6ee264
	Issue introduced in 5.7 with commit 35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe and fixed in 5.18.4 with commit 4ad6af07efcca85369c21e4897b3020cff2c170b
	Issue introduced in 5.7 with commit 35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe and fixed in 5.19 with commit 5ee76c256e928455212ab759c51d198fedbe7523

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49379
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/base/dd.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/71cbce75031aed26c72c2dc8a83111d181685f1b
	https://git.kernel.org/stable/c/29357883a89193863f3cc6a2c5e0b42ceb022761
	https://git.kernel.org/stable/c/528229474e1cbb1b3451cb713d94aecb5f6ee264
	https://git.kernel.org/stable/c/4ad6af07efcca85369c21e4897b3020cff2c170b
	https://git.kernel.org/stable/c/5ee76c256e928455212ab759c51d198fedbe7523