From e8a615a1c163ae332bdc313cd92d49b13308905e Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Fri, 29 Sep 2017 15:05:12 +0200
Subject: linux-cavium: CVE-2017-6348 net: Improper lock dropping in the hashbin_delete function

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6348

Signed-off-by: Sona Sarmadi
Signed-off-by: Martin Borg
---
 .../linux/linux-cavium/CVE-2017-6348.patch | 94 ++++++++++++++++++++++
 recipes-kernel/linux/linux-cavium_4.9.inc | 1 +
 2 files changed, 95 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch
new file mode 100644
index 0000000..5e355ae
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch
@@ -0,0 +1,94 @@
+From c2219da51664451149350e47321aa0fcf72a8b8f Mon Sep 17 00:00:00 2001
+From: "David S. Miller"
+Date: Fri, 17 Feb 2017 16:19:39 -0500
+Subject: [PATCH] irda: Fix lockdep annotations in hashbin_delete().
+
+[ Upstream commit 4c03b862b12f980456f9de92db6d508a4999b788 ]
+
+A nested lock depth was added to the hasbin_delete() code but it
+doesn't actually work some well and results in tons of lockdep splats.
+
+Fix the code instead to properly drop the lock around the operation
+and just keep peeking the head of the hashbin queue.
+
+CVE: CVE-2017-6348
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+
+Reported-by: Dmitry Vyukov
+Tested-by: Dmitry Vyukov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ net/irda/irqueue.c | 34 ++++++++++++++++------------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+
+diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
+index acbe61c..160dc89 100644
+--- a/net/irda/irqueue.c
++++ b/net/irda/irqueue.c
+@@ -383,9 +383,6 @@ hashbin_t *hashbin_new(int type)
+ * for deallocating this structure if it's complex. If not the user can
+ * just supply kfree, which should take care of the job.
+ */
+-#ifdef CONFIG_LOCKDEP
+-static int hashbin_lock_depth = 0;
+-#endif
+ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+ {
+ irda_queue_t* queue;
+@@ -396,22 +393,27 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+ IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
+
+ /* Synchronize */
+- if ( hashbin->hb_type & HB_LOCK ) {
+- spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
+- hashbin_lock_depth++);
+- }
++ if (hashbin->hb_type & HB_LOCK)
++ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
+
+ /*
+ * Free the entries in the hashbin, TODO: use hashbin_clear when
+ * it has been shown to work
+ */
+ for (i = 0; i < HASHBIN_SIZE; i ++ ) {
+- queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
+- while (queue ) {
+- if (free_func)
+- (*free_func)(queue);
+- queue = dequeue_first(
+- (irda_queue_t**) &hashbin->hb_queue[i]);
++ while (1) {
++ queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
++
++ if (!queue)
++ break;
++
++ if (free_func) {
++ if (hashbin->hb_type & HB_LOCK)
++ spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
++ free_func(queue);
++ if (hashbin->hb_type & HB_LOCK)
++ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
++ }
+ }
+ }
+
+@@ -420,12 +422,8 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+ hashbin->magic = ~HB_MAGIC;
+
+ /* Release lock */
+- if ( hashbin->hb_type & HB_LOCK) {
++ if (hashbin->hb_type & HB_LOCK)
+ spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
+-#ifdef CONFIG_LOCKDEP
+- hashbin_lock_depth--;
+-#endif
+- }
+
+ /*
+ * Free the hashbin structure
+--
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index c6959ab..13a4bda 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
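Review bot: The header comment above hashbin_delete() that the first inner hunk leaves in place (`for deallocating this structure if it's complex. If not the user can just supply kfree`) still describes free_func only as a deallocator and says nothing about the new locking contract, which is the whole substance of the backport: on the new side of the second inner hunk, hb_spinlock is released before each `free_func(queue)` call and re-taken afterwards whenever HB_LOCK is set. A free_func that takes the hashbin lock itself is therefore now safe (the old nested-depth workaround is gone), but nothing it does may assume the hashbin is still locked, and an entry inserted during that window is only picked up because the loop re-dequeues the queue head on every pass rather than walking a saved pointer. I would add to that comment: `/* When HB_LOCK is set, hb_spinlock is dropped around each free_func call and re-acquired afterwards; the queue head is re-dequeued after every call. */`. The function body continues past the end of this hunk, so the code that frees the hashbin itself after `hashbin->magic = ~HB_MAGIC` is not visible here.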
@@ -24,6 +24,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 file://CVE-2017-5986.patch \
 file://CVE-2017-6214.patch \
 file://CVE-2017-6345.patch \
+ file://CVE-2017-6348.patch \
 file://CVE-2017-7487.patch \
 file://CVE-2017-7618.patch \
 file://CVE-2017-7645.patch \
--
cgit v1.2.3-54-g00ecf