cve/published/2022/CVE-2022-49412.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49412: bfq: Avoid merging queues with different parents

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bfq: Avoid merging queues with different parents

 It can happen that the parent of a bfqq changes between the moment we
 decide two queues are worth to merge (and set bic->stable_merge_bfqq)
 and the moment bfq_setup_merge() is called. This can happen e.g. because
 the process submitted IO for a different cgroup and thus bfqq got
 reparented. It can even happen that the bfqq we are merging with has
 parent cgroup that is already offline and going to be destroyed in which
 case the merge can lead to use-after-free issues such as:

 BUG: KASAN: use-after-free in __bfq_deactivate_entity+0x9cb/0xa50
 Read of size 8 at addr ffff88800693c0c0 by task runc:[2:INIT]/10544

 CPU: 0 PID: 10544 Comm: runc:[2:INIT] Tainted: G            E     5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased) f1f3b891c72369aebecd2e43e4641a6358867c70
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
 Call Trace:
  <IRQ>
  dump_stack_lvl+0x46/0x5a
  print_address_description.constprop.0+0x1f/0x140
  ? __bfq_deactivate_entity+0x9cb/0xa50
  kasan_report.cold+0x7f/0x11b
  ? __bfq_deactivate_entity+0x9cb/0xa50
  __bfq_deactivate_entity+0x9cb/0xa50
  ? update_curr+0x32f/0x5d0
  bfq_deactivate_entity+0xa0/0x1d0
  bfq_del_bfqq_busy+0x28a/0x420
  ? resched_curr+0x116/0x1d0
  ? bfq_requeue_bfqq+0x70/0x70
  ? check_preempt_wakeup+0x52b/0xbc0
  __bfq_bfqq_expire+0x1a2/0x270
  bfq_bfqq_expire+0xd16/0x2160
  ? try_to_wake_up+0x4ee/0x1260
  ? bfq_end_wr_async_queues+0xe0/0xe0
  ? _raw_write_unlock_bh+0x60/0x60
  ? _raw_spin_lock_irq+0x81/0xe0
  bfq_idle_slice_timer+0x109/0x280
  ? bfq_dispatch_request+0x4870/0x4870
  __hrtimer_run_queues+0x37d/0x700
  ? enqueue_hrtimer+0x1b0/0x1b0
  ? kvm_clock_get_cycles+0xd/0x10
  ? ktime_get_update_offsets_now+0x6f/0x280
  hrtimer_interrupt+0x2c8/0x740

 Fix the problem by checking that the parent of the two bfqqs we are
 merging in bfq_setup_merge() is the same.

 The Linux kernel CVE team has assigned CVE-2022-49412 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit 430a67f9d6169a7b3e328bceb2ef9542e4153c7c and fixed in 5.4.198 with commit 97be7d13fbd4001eeab49b1be6399f23a8c66160
 	Issue introduced in 5.13 with commit 430a67f9d6169a7b3e328bceb2ef9542e4153c7c and fixed in 5.10.121 with commit 7d172b9dc913e161d8ff88770eea01701ff553de
 	Issue introduced in 5.13 with commit 430a67f9d6169a7b3e328bceb2ef9542e4153c7c and fixed in 5.15.46 with commit 5ee21edaed09e6b25f2c007b3f326752bc89bacf
 	Issue introduced in 5.13 with commit 430a67f9d6169a7b3e328bceb2ef9542e4153c7c and fixed in 5.17.14 with commit a16c65cca7d2c7ff965fdd3adc8df2156529caf1
 	Issue introduced in 5.13 with commit 430a67f9d6169a7b3e328bceb2ef9542e4153c7c and fixed in 5.18.3 with commit 8abc8763b11c35e03cc91d59fd0cd28d39f88ca9
 	Issue introduced in 5.13 with commit 430a67f9d6169a7b3e328bceb2ef9542e4153c7c and fixed in 5.19 with commit c1cee4ab36acef271be9101590756ed0c0c374d9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49412
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	block/bfq-iosched.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/97be7d13fbd4001eeab49b1be6399f23a8c66160
 	https://git.kernel.org/stable/c/7d172b9dc913e161d8ff88770eea01701ff553de
 	https://git.kernel.org/stable/c/5ee21edaed09e6b25f2c007b3f326752bc89bacf
 	https://git.kernel.org/stable/c/a16c65cca7d2c7ff965fdd3adc8df2156529caf1
 	https://git.kernel.org/stable/c/8abc8763b11c35e03cc91d59fd0cd28d39f88ca9
 	https://git.kernel.org/stable/c/c1cee4ab36acef271be9101590756ed0c0c374d9
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49412: bfq: Avoid merging queues with different parents

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bfq: Avoid merging queues with different parents

	It can happen that the parent of a bfqq changes between the moment we
	decide two queues are worth to merge (and set bic->stable_merge_bfqq)
	and the moment bfq_setup_merge() is called. This can happen e.g. because
	the process submitted IO for a different cgroup and thus bfqq got
	reparented. It can even happen that the bfqq we are merging with has
	parent cgroup that is already offline and going to be destroyed in which
	case the merge can lead to use-after-free issues such as:

	BUG: KASAN: use-after-free in __bfq_deactivate_entity+0x9cb/0xa50
	Read of size 8 at addr ffff88800693c0c0 by task runc:[2:INIT]/10544

	CPU: 0 PID: 10544 Comm: runc:[2:INIT] Tainted: G E 5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased) f1f3b891c72369aebecd2e43e4641a6358867c70
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
	Call Trace:
	<IRQ>
	dump_stack_lvl+0x46/0x5a
	print_address_description.constprop.0+0x1f/0x140
	? __bfq_deactivate_entity+0x9cb/0xa50
	kasan_report.cold+0x7f/0x11b
	? __bfq_deactivate_entity+0x9cb/0xa50
	__bfq_deactivate_entity+0x9cb/0xa50
	? update_curr+0x32f/0x5d0
	bfq_deactivate_entity+0xa0/0x1d0
	bfq_del_bfqq_busy+0x28a/0x420
	? resched_curr+0x116/0x1d0
	? bfq_requeue_bfqq+0x70/0x70
	? check_preempt_wakeup+0x52b/0xbc0
	__bfq_bfqq_expire+0x1a2/0x270
	bfq_bfqq_expire+0xd16/0x2160
	? try_to_wake_up+0x4ee/0x1260
	? bfq_end_wr_async_queues+0xe0/0xe0
	? _raw_write_unlock_bh+0x60/0x60
	? _raw_spin_lock_irq+0x81/0xe0
	bfq_idle_slice_timer+0x109/0x280
	? bfq_dispatch_request+0x4870/0x4870
	__hrtimer_run_queues+0x37d/0x700
	? enqueue_hrtimer+0x1b0/0x1b0
	? kvm_clock_get_cycles+0xd/0x10
	? ktime_get_update_offsets_now+0x6f/0x280
	hrtimer_interrupt+0x2c8/0x740

	Fix the problem by checking that the parent of the two bfqqs we are
	merging in bfq_setup_merge() is the same.

	The Linux kernel CVE team has assigned CVE-2022-49412 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit 430a67f9d6169a7b3e328bceb2ef9542e4153c7c and fixed in 5.4.198 with commit 97be7d13fbd4001eeab49b1be6399f23a8c66160
	Issue introduced in 5.13 with commit 430a67f9d6169a7b3e328bceb2ef9542e4153c7c and fixed in 5.10.121 with commit 7d172b9dc913e161d8ff88770eea01701ff553de
	Issue introduced in 5.13 with commit 430a67f9d6169a7b3e328bceb2ef9542e4153c7c and fixed in 5.15.46 with commit 5ee21edaed09e6b25f2c007b3f326752bc89bacf
	Issue introduced in 5.13 with commit 430a67f9d6169a7b3e328bceb2ef9542e4153c7c and fixed in 5.17.14 with commit a16c65cca7d2c7ff965fdd3adc8df2156529caf1
	Issue introduced in 5.13 with commit 430a67f9d6169a7b3e328bceb2ef9542e4153c7c and fixed in 5.18.3 with commit 8abc8763b11c35e03cc91d59fd0cd28d39f88ca9
	Issue introduced in 5.13 with commit 430a67f9d6169a7b3e328bceb2ef9542e4153c7c and fixed in 5.19 with commit c1cee4ab36acef271be9101590756ed0c0c374d9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49412
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	block/bfq-iosched.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/97be7d13fbd4001eeab49b1be6399f23a8c66160
	https://git.kernel.org/stable/c/7d172b9dc913e161d8ff88770eea01701ff553de
	https://git.kernel.org/stable/c/5ee21edaed09e6b25f2c007b3f326752bc89bacf
	https://git.kernel.org/stable/c/a16c65cca7d2c7ff965fdd3adc8df2156529caf1
	https://git.kernel.org/stable/c/8abc8763b11c35e03cc91d59fd0cd28d39f88ca9
	https://git.kernel.org/stable/c/c1cee4ab36acef271be9101590756ed0c0c374d9