author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-09-29 15:05:12 +0200 |
---|---|---|
committer | Martin Borg <martin.borg@enea.com> | 2017-10-02 09:41:22 +0200 |
commit | e8a615a1c163ae332bdc313cd92d49b13308905e (patch) | |
tree | 373e5f2ddff2ae055904e7e1ef32fdfb520fed1e | |
parent | e91902d91a4334b2cfbfd299fcb798c5e68da8af (diff) | |
linux-cavium: CVE-2017-6348
net: Improper lock dropping in the hashbin_delete function
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6348
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>
-rw-r--r-- | recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch | 94 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-cavium_4.9.inc | 1 |
2 files changed, 95 insertions, 0 deletions
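--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch
@@ -0,0 +1,94 @@
+From c2219da51664451149350e47321aa0fcf72a8b8f Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Fri, 17 Feb 2017 16:19:39 -0500
+Subject: [PATCH] irda: Fix lockdep annotations in hashbin_delete().
+
+[ Upstream commit 4c03b862b12f980456f9de92db6d508a4999b788 ]
+
+A nested lock depth was added to the hasbin_delete() code but it
+doesn't actually work some well and results in tons of lockdep splats.
+
+Fix the code instead to properly drop the lock around the operation
+and just keep peeking the head of the hashbin queue.
+
+CVE: CVE-2017-6348
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+net/irda/irqueue.c | 34 ++++++++++++++++------------------
+1 file changed, 16 insertions(+), 18 deletions(-)
+
+diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
+index acbe61c..160dc89 100644
+--- a/net/irda/irqueue.c
++++ b/net/irda/irqueue.c
+@@ -383,9 +383,6 @@ hashbin_t *hashbin_new(int type)
+* for deallocating this structure if it's complex. If not the user can
+* just supply kfree, which should take care of the job.
+*/
+-#ifdef CONFIG_LOCKDEP
+-static int hashbin_lock_depth = 0;
+-#endif
+int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+{
+irda_queue_t* queue;
+@@ -396,22 +393,27 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
+
+/* Synchronize */
+- if ( hashbin->hb_type & HB_LOCK ) {
+- spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
+- hashbin_lock_depth++);
+- }
++ if (hashbin->hb_type & HB_LOCK)
++ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
+
+/*
+* Free the entries in the hashbin, TODO: use hashbin_clear when
+* it has been shown to work
+*/
+for (i = 0; i < HASHBIN_SIZE; i ++ ) {
+- queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
+- while (queue ) {
+- if (free_func)
+- (*free_func)(queue);
+- queue = dequeue_first(
+- (irda_queue_t**) &hashbin->hb_queue[i]);
++ while (1) {
++ queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
++
++ if (!queue)
++ break;
++
++ if (free_func) {
++ if (hashbin->hb_type & HB_LOCK)
++ spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
++ free_func(queue);
++ if (hashbin->hb_type & HB_LOCK)
++ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
++ }
+}
+}
+
+@@ -420,12 +422,8 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+hashbin->magic = ~HB_MAGIC;
+
+/* Release lock */
+- if ( hashbin->hb_type & HB_LOCK) {
++ if (hashbin->hb_type & HB_LOCK)
+spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
+-#ifdef CONFIG_LOCKDEP
+- hashbin_lock_depth--;
+-#endif
+- }
+
+/*
+* Free the hashbin structure
+--
+1.9.1
+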
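Review bot: The rewritten drain loop in hashbin_delete() releases hb_spinlock around each `free_func(queue)` call while `hashbin->magic` is still HB_MAGIC, so for an HB_LOCK hashbin another context could, as far as these hunks show, still insert into a bucket the loop has already emptied; such an entry would be left behind when the structure is freed further down. If callers are expected to have stopped all other users before deletion, that contract should be stated above the loop, for example `/* Lock is dropped around free_func(); caller must ensure no concurrent inserts during delete. */`. Because this file is a verbatim stable backport, the comment is better proposed upstream than edited into the patch carried here. The body of hashbin_delete() begins before and continues past the quoted hunks, so any quiescing done elsewhere in the function is not visible.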
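--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -24,6 +24,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 file://CVE-2017-5986.patch \
 file://CVE-2017-6214.patch \
 file://CVE-2017-6345.patch \
+file://CVE-2017-6348.patch \
 file://CVE-2017-7487.patch \
 file://CVE-2017-7618.patch \
 file://CVE-2017-7645.patch \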