diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46933.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46933.patch | 118 |
1 files changed, 118 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46933.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46933.patch new file mode 100644 index 000000000..74c9cac10 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46933.patch @@ -0,0 +1,118 @@ +From 1c4ace3e6b8575745c50dca9e76e0021e697d645 Mon Sep 17 00:00:00 2001 +From: Vincent Pelletier <plr.vincent@gmail.com> +Date: Sat, 18 Dec 2021 02:18:40 +0000 +Subject: usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. + +commit b1e0887379422975f237d43d8839b751a6bcf154 upstream. + +ffs_data_clear is indirectly called from both ffs_fs_kill_sb and +ffs_ep0_release, so it ends up being called twice when userland closes ep0 +and then unmounts f_fs. +If userland provided an eventfd along with function's USB descriptors, it +ends up calling eventfd_ctx_put as many times, causing a refcount +underflow. +NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls. + +Also, set epfiles to NULL right after de-allocating it, for readability. + +For completeness, ffs_data_clear actually ends up being called thrice, the +last call being before the whole ffs structure gets freed, so when this +specific sequence happens there is a second underflow happening (but not +being reported): + +/sys/kernel/debug/tracing# modprobe usb_f_fs +/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter +/sys/kernel/debug/tracing# echo function > current_tracer +/sys/kernel/debug/tracing# echo 1 > tracing_on +(setup gadget, run and kill function userland process, teardown gadget) +/sys/kernel/debug/tracing# echo 0 > tracing_on +/sys/kernel/debug/tracing# cat trace + smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed + smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed + smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put + +Warning output corresponding to above trace: +[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c +[ 1946.293094] refcount_t: underflow; use-after-free. +[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E) +[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1 +[ 1946.417950] Hardware name: BCM2835 +[ 1946.425442] Backtrace: +[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24) +[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c +[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30) +[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154) +[ 1946.482067] r5:c04a948c r4:c0a71dc8 +[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4) +[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04 +[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c) +[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0 +[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74) +[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs]) +[ 1946.582664] r5:c3b84c00 r4:c2695b00 +[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs]) +[ 1946.609608] r5:bf54d014 r4:c2695b00 +[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs]) +[ 1946.636217] r7:c0dfcb84 r6:c3a12260 r5:bf54d014 r4:c229f000 +[ 1946.646273] [<bf547d74>] (ffs_fs_kill_sb [usb_f_fs]) from [<c0326d50>] (deactivate_locked_super+0x54/0x9c) +[ 1946.664893] r5:bf54d014 r4:c229f000 +[ 1946.672921] [<c0326cfc>] (deactivate_locked_super) from [<c0326df8>] (deactivate_super+0x60/0x64) +[ 1946.690722] r5:c2a09000 r4:c229f000 +[ 1946.698706] [<c0326d98>] (deactivate_super) from [<c0349a28>] (cleanup_mnt+0xe4/0x14c) +[ 1946.715553] r5:c2a09000 r4:00000000 +[ 1946.723528] [<c0349944>] (cleanup_mnt) from [<c0349b08>] (__cleanup_mnt+0x1c/0x20) +[ 1946.739922] r7:c0dfcb84 r6:c3a12260 r5:c3a126fc r4:00000000 +[ 1946.750088] [<c0349aec>] (__cleanup_mnt) from [<c0143d10>] (task_work_run+0x84/0xb8) +[ 1946.766602] [<c0143c8c>] (task_work_run) from [<c010bdc8>] (do_work_pending+0x470/0x56c) +[ 1946.783540] r7:5ac3c35a r6:c0d0424c r5:c200bfb0 r4:c200a000 +[ 1946.793614] [<c010b958>] (do_work_pending) from [<c01000c0>] (slow_work_pending+0xc/0x20) +[ 1946.810553] Exception stack(0xc200bfb0 to 0xc200bff8) +[ 1946.820129] bfa0: 00000000 00000000 000000aa b5e21430 +[ 1946.837104] bfc0: bef867a0 00000001 bef86840 00000034 bef86838 bef86790 bef86794 bef867a0 +[ 1946.854125] bfe0: 00000000 bef86798 b67b7a1c b6d626a4 60000010 b5a23760 +[ 1946.865335] r10:00000000 r9:c200a000 r8:c0100224 r7:00000034 r6:bef86840 r5:00000001 +[ 1946.881914] r4:bef867a0 +[ 1946.888793] ---[ end trace 7387f2a9725b28d0 ]--- + +Fixes: 5e33f6fdf735 ("usb: gadget: ffs: add eventfd notification about ffs events") +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com> +Link: https://lore.kernel.org/r/f79eeea29f3f98de6782a064ec0f7351ad2f598f.1639793920.git.plr.vincent@gmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/usb/gadget/function/f_fs.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 725e35167837eb..cbb7947f366f93 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1772,11 +1772,15 @@ static void ffs_data_clear(struct ffs_data *ffs) + + BUG_ON(ffs->gadget); + +- if (ffs->epfiles) ++ if (ffs->epfiles) { + ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count); ++ ffs->epfiles = NULL; ++ } + +- if (ffs->ffs_eventfd) ++ if (ffs->ffs_eventfd) { + eventfd_ctx_put(ffs->ffs_eventfd); ++ ffs->ffs_eventfd = NULL; ++ } + + kfree(ffs->raw_descs_data); + kfree(ffs->raw_strings); +@@ -1789,7 +1793,6 @@ static void ffs_data_reset(struct ffs_data *ffs) + + ffs_data_clear(ffs); + +- ffs->epfiles = NULL; + ffs->raw_descs_data = NULL; + ffs->raw_descs = NULL; + ffs->raw_strings = NULL; +-- +cgit 1.2.3-korg + |