linux-cavium: CVE-2017-6348

net: Improper lock dropping in the hashbin_delete function Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6348 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-29 15:05:12 +0200
committer: Martin Borg <martin.borg@enea.com> 2017-10-02 09:41:22 +0200
commit: e8a615a1c163ae332bdc313cd92d49b13308905e (patch)
tree: 373e5f2ddff2ae055904e7e1ef32fdfb520fed1e
parent: e91902d91a4334b2cfbfd299fcb798c5e68da8af (diff)
download: meta-enea-bsp-arm-e8a615a1c163ae332bdc313cd92d49b13308905e.tar.gz
2 files changed, 95 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch
new file mode 100644
index 0000000..5e355ae
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch
@@ -0,0 +1,94 @@
+From c2219da51664451149350e47321aa0fcf72a8b8f Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Fri, 17 Feb 2017 16:19:39 -0500
+Subject: [PATCH] irda: Fix lockdep annotations in hashbin_delete().
+[ Upstream commit 4c03b862b12f980456f9de92db6d508a4999b788 ]
+A nested lock depth was added to the hasbin_delete() code but it
+doesn't actually work some well and results in tons of lockdep splats.
+Fix the code instead to properly drop the lock around the operation
+and just keep peeking the head of the hashbin queue.
+CVE: CVE-2017-6348
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/irda/irqueue.c | 34 ++++++++++++++++------------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
+index acbe61c..160dc89 100644
+--- a/net/irda/irqueue.c
+++ b/net/irda/irqueue.c
+@@ -383,9 +383,6 @@ hashbin_t *hashbin_new(int type)
+  *    for deallocating this structure if it's complex. If not the user can
+  *    just supply kfree, which should take care of the job.
+  */
+-#ifdef CONFIG_LOCKDEP
+-static int hashbin_lock_depth = 0;
+-#endif
+ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+ {
+        irda_queue_t* queue;
+@@ -396,22 +393,27 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+        IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
+ 
+        /* Synchronize */
+-       if ( hashbin->hb_type & HB_LOCK ) {
+-               spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
+-                                        hashbin_lock_depth++);
+-       }
+       if (hashbin->hb_type & HB_LOCK)
+               spin_lock_irqsave(&hashbin->hb_spinlock, flags);
+ 
+        /*
+         *  Free the entries in the hashbin, TODO: use hashbin_clear when
+         *  it has been shown to work
+         */
+        for (i = 0; i < HASHBIN_SIZE; i ++ ) {
+-               queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
+-               while (queue ) {
+-                       if (free_func)
+-                               (*free_func)(queue);
+-                       queue = dequeue_first(
+-                               (irda_queue_t**) &hashbin->hb_queue[i]);
+               while (1) {
+                       queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
+
+                       if (!queue)
+                               break;
+
+                       if (free_func) {
+                               if (hashbin->hb_type & HB_LOCK)
+                                       spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
+                               free_func(queue);
+                               if (hashbin->hb_type & HB_LOCK)
+                                       spin_lock_irqsave(&hashbin->hb_spinlock, flags);
+                       }
+                }
+        }
+ 
+@@ -420,12 +422,8 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+        hashbin->magic = ~HB_MAGIC;
+ 
+        /* Release lock */
+-       if ( hashbin->hb_type & HB_LOCK) {
+       if (hashbin->hb_type & HB_LOCK)
+                spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
+-#ifdef CONFIG_LOCKDEP
+-               hashbin_lock_depth--;
+-#endif
+-       }
+ 
+        /*
+         *  Free the hashbin structure
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index c6959ab..13a4bda 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -24,6 +24,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
           file://CVE-2017-5986.patch \
           file://CVE-2017-6214.patch \
           file://CVE-2017-6345.patch \
+           file://CVE-2017-6348.patch \
           file://CVE-2017-7487.patch \
           file://CVE-2017-7618.patch \
           file://CVE-2017-7645.patch \
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-29 15:05:12 +0200
committer	Martin Borg <martin.borg@enea.com>	2017-10-02 09:41:22 +0200
commit	e8a615a1c163ae332bdc313cd92d49b13308905e (patch)
tree	373e5f2ddff2ae055904e7e1ef32fdfb520fed1e
parent	e91902d91a4334b2cfbfd299fcb798c5e68da8af (diff)
download	meta-enea-bsp-arm-e8a615a1c163ae332bdc313cd92d49b13308905e.tar.gz

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch new file mode 100644 index 0000000..5e355ae --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch
@@ -0,0 +1,94 @@
		1	From c2219da51664451149350e47321aa0fcf72a8b8f Mon Sep 17 00:00:00 2001
		2	From: "David S. Miller" <davem@davemloft.net>
		3	Date: Fri, 17 Feb 2017 16:19:39 -0500
		4	Subject: [PATCH] irda: Fix lockdep annotations in hashbin_delete().
		5
		6	[ Upstream commit 4c03b862b12f980456f9de92db6d508a4999b788 ]
		7
		8	A nested lock depth was added to the hasbin_delete() code but it
		9	doesn't actually work some well and results in tons of lockdep splats.
		10
		11	Fix the code instead to properly drop the lock around the operation
		12	and just keep peeking the head of the hashbin queue.
		13
		14	CVE: CVE-2017-6348
		15	Upstream-Status: Backport [from kernel.org longterm 4.9.52]
		16
		17	Reported-by: Dmitry Vyukov <dvyukov@google.com>
		18	Tested-by: Dmitry Vyukov <dvyukov@google.com>
		19	Signed-off-by: David S. Miller <davem@davemloft.net>
		20	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		21	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		22	---
		23	net/irda/irqueue.c \| 34 ++++++++++++++++------------------
		24	1 file changed, 16 insertions(+), 18 deletions(-)
		25
		26	diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
		27	index acbe61c..160dc89 100644
		28	--- a/net/irda/irqueue.c
		29	+++ b/net/irda/irqueue.c
		30	@@ -383,9 +383,6 @@ hashbin_t *hashbin_new(int type)
		31	* for deallocating this structure if it's complex. If not the user can
		32	* just supply kfree, which should take care of the job.
		33	*/
		34	-#ifdef CONFIG_LOCKDEP
		35	-static int hashbin_lock_depth = 0;
		36	-#endif
		37	int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
		38	{
		39	irda_queue_t* queue;
		40	@@ -396,22 +393,27 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
		41	IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
		42
		43	/* Synchronize */
		44	- if ( hashbin->hb_type & HB_LOCK ) {
		45	- spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
		46	- hashbin_lock_depth++);
		47	- }
		48	+ if (hashbin->hb_type & HB_LOCK)
		49	+ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
		50
		51	/*
		52	* Free the entries in the hashbin, TODO: use hashbin_clear when
		53	* it has been shown to work
		54	*/
		55	for (i = 0; i < HASHBIN_SIZE; i ++ ) {
		56	- queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
		57	- while (queue ) {
		58	- if (free_func)
		59	- (*free_func)(queue);
		60	- queue = dequeue_first(
		61	- (irda_queue_t**) &hashbin->hb_queue[i]);
		62	+ while (1) {
		63	+ queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
		64	+
		65	+ if (!queue)
		66	+ break;
		67	+
		68	+ if (free_func) {
		69	+ if (hashbin->hb_type & HB_LOCK)
		70	+ spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
		71	+ free_func(queue);
		72	+ if (hashbin->hb_type & HB_LOCK)
		73	+ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
		74	+ }
		75	}
		76	}
		77
		78	@@ -420,12 +422,8 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
		79	hashbin->magic = ~HB_MAGIC;
		80
		81	/* Release lock */
		82	- if ( hashbin->hb_type & HB_LOCK) {
		83	+ if (hashbin->hb_type & HB_LOCK)
		84	spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
		85	-#ifdef CONFIG_LOCKDEP
		86	- hashbin_lock_depth--;
		87	-#endif
		88	- }
		89
		90	/*
		91	* Free the hashbin structure
		92	--
		93	1.9.1
		94


diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index c6959ab..13a4bda 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -24,6 +24,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
24	file://CVE-2017-5986.patch \	24	file://CVE-2017-5986.patch \
25	file://CVE-2017-6214.patch \	25	file://CVE-2017-6214.patch \
26	file://CVE-2017-6345.patch \	26	file://CVE-2017-6345.patch \
		27	file://CVE-2017-6348.patch \
27	file://CVE-2017-7487.patch \	28	file://CVE-2017-7487.patch \
28	file://CVE-2017-7618.patch \	29	file://CVE-2017-7618.patch \
29	file://CVE-2017-7645.patch \	30	file://CVE-2017-7645.patch \