authorSalvatore Bonaccorso <carnil@debian.org>2021-06-22 22:16:06 +0200
committerSalvatore Bonaccorso <carnil@debian.org>2021-06-22 22:18:46 +0200
commit8d4796cda1622c55ee70418819ad8cec1b9062e7 (patch)
treec38ee2634dd5952bcc3c44d34621b7c376dfb709
parenta13898a3892ca8d0c8f432d1a1b237aa3bd90d9f (diff)
Update "can: bcm: delay release of struct bcm_op after synchronize_rcu()"
Replace with the patch currently in netdev git repository and to be merged to mainline.
-rw-r--r--debian/changelog2
-rw-r--r--debian/patches/bugfix/all/can-bcm-delay-release-of-struct-bcm_op-after-synchro.patch56
2 files changed, 33 insertions, 25 deletions
diff --git a/debian/changelog b/debian/changelog
index e1ccdc385c6a..64c28d282f6d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -496,7 +496,7 @@ linux (5.10.45-1) UNRELEASED; urgency=medium
* Bump ABI to 8
* [rt] Refresh "tracing: Merge irqflags + preempt counter"
* can: bcm: fix infoleak in struct bcm_msg_head (CVE-2021-34693)
- * can: bcm: delay release of struct bcm_op after synchronize_rcu
+ * can: bcm: delay release of struct bcm_op after synchronize_rcu()
(CVE-2021-3609)
[ Vagrant Cascadian ]
diff --git a/debian/patches/bugfix/all/can-bcm-delay-release-of-struct-bcm_op-after-synchro.patch b/debian/patches/bugfix/all/can-bcm-delay-release-of-struct-bcm_op-after-synchro.patch
index 593a1bd8cecd..26a9d13b4359 100644
--- a/debian/patches/bugfix/all/can-bcm-delay-release-of-struct-bcm_op-after-synchro.patch
+++ b/debian/patches/bugfix/all/can-bcm-delay-release-of-struct-bcm_op-after-synchro.patch
@@ -1,34 +1,39 @@
From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Date: Sat, 19 Jun 2021 13:18:13 -0300
-Subject: can: bcm: delay release of struct bcm_op after synchronize_rcu
-Origin: https://lore.kernel.org/netdev/20210619161813.2098382-1-cascardo@canonical.com/
+Subject: can: bcm: delay release of struct bcm_op after synchronize_rcu()
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=d5f9023fa61ee8b94f37a93f08e94b136cf1e463
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3609
-can_rx_register callbacks may be called concurrently to the call to
-can_rx_unregister. The callbacks and callback data, though, are protected by
-RCU and the struct sock reference count.
+can_rx_register() callbacks may be called concurrently to the call to
+can_rx_unregister(). The callbacks and callback data, though, are
+protected by RCU and the struct sock reference count.
-So the callback data is really attached to the life of sk, meaning that it
-should be released on sk_destruct. However, bcm_remove_op calls tasklet_kill,
-and RCU callbacks may be called under RCU softirq, so that cannot be used on
-kernels before the introduction of HRTIMER_MODE_SOFT.
+So the callback data is really attached to the life of sk, meaning
+that it should be released on sk_destruct. However, bcm_remove_op()
+calls tasklet_kill(), and RCU callbacks may be called under RCU
+softirq, so that cannot be used on kernels before the introduction of
+HRTIMER_MODE_SOFT.
-However, bcm_rx_handler is called under RCU protection, so after calling
-can_rx_unregister, we may call synchronize_rcu in order to wait for any RCU
-read-side critical sections to finish. That is, bcm_rx_handler won't be called
-anymore for those ops. So, we only free them, after we do that synchronize_rcu.
+However, bcm_rx_handler() is called under RCU protection, so after
+calling can_rx_unregister(), we may call synchronize_rcu() in order to
+wait for any RCU read-side critical sections to finish. That is,
+bcm_rx_handler() won't be called anymore for those ops. So, we only
+free them, after we do that synchronize_rcu().
+Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
+Link: https://lore.kernel.org/r/20210619161813.2098382-1-cascardo@canonical.com
+Cc: linux-stable <stable@vger.kernel.org>
Reported-by: syzbot+0f7e7e5e2f4f40fa89c0@syzkaller.appspotmail.com
Reported-by: Norbert Slusarek <nslusarek@gmx.net>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
- net/can/bcm.c | 6 ++++++
- 1 file changed, 6 insertions(+)
+ net/can/bcm.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/can/bcm.c b/net/can/bcm.c
-index f3e4d9528fa3..c67916020e63 100644
+index f3e4d9528fa38..0928a39c4423b 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -785,6 +785,7 @@ static int bcm_delete_rx_op(struct list_head *ops, struct bcm_msg_head *mh,
@@ -39,18 +44,21 @@ index f3e4d9528fa3..c67916020e63 100644
bcm_remove_op(op);
return 1; /* done */
}
-@@ -1533,6 +1534,11 @@ static int bcm_release(struct socket *sock)
+@@ -1533,9 +1534,13 @@ static int bcm_release(struct socket *sock)
REGMASK(op->can_id),
bcm_rx_handler, op);
-+ }
-+
-+ synchronize_rcu();
-+
-+ list_for_each_entry_safe(op, next, &bo->rx_ops, list) {
- bcm_remove_op(op);
+- bcm_remove_op(op);
}
++ synchronize_rcu();
++
++ list_for_each_entry_safe(op, next, &bo->rx_ops, list)
++ bcm_remove_op(op);
++
+ #if IS_ENABLED(CONFIG_PROC_FS)
+ /* remove procfs entry */
+ if (net->can.bcmproc_dir && bo->bcm_proc_read)
--
2.32.0
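Review bot: The `synchronize_rcu()` that the refreshed patch places in `bcm_release()` between the unregister loop and the new `bcm_remove_op()` loop has no comment, so the ordering that fixes CVE-2021-3609 is recorded only in the patch description. A later cleanup that folds the two loops back into one would again free an op while a concurrent `bcm_rx_handler()` may still be using it. I would add above the call something like `/* wait for in-flight bcm_rx_handler() calls before the ops are freed */`; since this file carries the net.git commit as-is, the comment is better proposed upstream than edited in here. The body of `bcm_release()` starts and ends outside the hunk, and the one-line addition to `bcm_delete_rx_op()` is not visible in this view.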