[linux] 02/03: irda: Fix locking in hashbin_delete() (CVE-2017-6348)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Tue Mar 7 20:15:47 UTC 2017



benh pushed a commit to branch jessie-security
in repository linux.

commit 93f6d43b737bd1c1cee290c0a9d5d9b1a48589b7
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Tue Mar 7 20:12:57 2017 +0000

    irda: Fix locking in hashbin_delete() (CVE-2017-6348)
---
 debian/changelog                                   |  1 +
 ...fix-lockdep-annotations-in-hashbin_delete.patch | 84 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 86 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 540e922..0de7ea5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,7 @@ linux (3.16.39-1+deb8u2) UNRELEASED; urgency=medium
   [ Ben Hutchings ]
   * [x86] kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF)
     (CVE-2016-9588)
+  * irda: Fix locking in hashbin_delete() (CVE-2017-6348)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Tue, 07 Mar 2017 17:10:30 +0100
 
diff --git a/debian/patches/bugfix/all/irda-fix-lockdep-annotations-in-hashbin_delete.patch b/debian/patches/bugfix/all/irda-fix-lockdep-annotations-in-hashbin_delete.patch
new file mode 100644
index 0000000..eca2e4a
--- /dev/null
+++ b/debian/patches/bugfix/all/irda-fix-lockdep-annotations-in-hashbin_delete.patch
@@ -0,0 +1,84 @@
+From: "David S. Miller" <davem at davemloft.net>
+Date: Fri, 17 Feb 2017 16:19:39 -0500
+Subject: irda: Fix lockdep annotations in hashbin_delete().
+Origin: https://git.kernel.org/linus/4c03b862b12f980456f9de92db6d508a4999b788
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-6348
+
+A nested lock depth was added to the hasbin_delete() code but it
+doesn't actually work some well and results in tons of lockdep splats.
+
+Fix the code instead to properly drop the lock around the operation
+and just keep peeking the head of the hashbin queue.
+
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Tested-by: Dmitry Vyukov <dvyukov at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/irda/irqueue.c | 34 ++++++++++++++++------------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+
+--- a/net/irda/irqueue.c
++++ b/net/irda/irqueue.c
+@@ -385,9 +385,6 @@ EXPORT_SYMBOL(hashbin_new);
+  *    for deallocating this structure if it's complex. If not the user can
+  *    just supply kfree, which should take care of the job.
+  */
+-#ifdef CONFIG_LOCKDEP
+-static int hashbin_lock_depth = 0;
+-#endif
+ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+ {
+ 	irda_queue_t* queue;
+@@ -398,22 +395,27 @@ int hashbin_delete( hashbin_t* hashbin,
+ 	IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
+ 
+ 	/* Synchronize */
+-	if ( hashbin->hb_type & HB_LOCK ) {
+-		spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
+-					 hashbin_lock_depth++);
+-	}
++	if (hashbin->hb_type & HB_LOCK)
++		spin_lock_irqsave(&hashbin->hb_spinlock, flags);
+ 
+ 	/*
+ 	 *  Free the entries in the hashbin, TODO: use hashbin_clear when
+ 	 *  it has been shown to work
+ 	 */
+ 	for (i = 0; i < HASHBIN_SIZE; i ++ ) {
+-		queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
+-		while (queue ) {
+-			if (free_func)
+-				(*free_func)(queue);
+-			queue = dequeue_first(
+-				(irda_queue_t**) &hashbin->hb_queue[i]);
++		while (1) {
++			queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
++
++			if (!queue)
++				break;
++
++			if (free_func) {
++				if (hashbin->hb_type & HB_LOCK)
++					spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
++				free_func(queue);
++				if (hashbin->hb_type & HB_LOCK)
++					spin_lock_irqsave(&hashbin->hb_spinlock, flags);
++			}
+ 		}
+ 	}
+ 
+@@ -422,12 +424,8 @@ int hashbin_delete( hashbin_t* hashbin,
+ 	hashbin->magic = ~HB_MAGIC;
+ 
+ 	/* Release lock */
+-	if ( hashbin->hb_type & HB_LOCK) {
++	if (hashbin->hb_type & HB_LOCK)
+ 		spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
+-#ifdef CONFIG_LOCKDEP
+-		hashbin_lock_depth--;
+-#endif
+-	}
+ 
+ 	/*
+ 	 *  Free the hashbin structure
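Review bot: The unlock/relock pair wrapped around `free_func(queue)` in the new loop body carries no comment saying why the lock must be released for the callback, so a later reader could fold it back into one locked region and reintroduce the lockdep problem this patch addresses. A comment above the first `if (hashbin->hb_type & HB_LOCK)` inside the loop, e.g. `/* Run the callback unlocked: it may take locks of its own, so dequeue one entry at a time and re-take hb_spinlock before peeking the next head. */`, would record the contract; that free_func may acquire locks is my reading of the patch description and should be confirmed against the callers. The stale `TODO: use hashbin_clear when it has been shown to work` comment just above the loop is preserved by the patch and could be refreshed at the same time. hashbin_delete() continues past the end of this hunk, so the final kfree of the structure is not visible here.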
diff --git a/debian/patches/series b/debian/patches/series
index f80c03a..c6f3c2a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -703,6 +703,7 @@ bugfix/all/packet-fix-races-in-fanout_add.patch
 bugfix/all/TTY-n_hdlc-fix-lockdep-false-positive.patch
 bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch
 bugfix/x86/kvm-nvmx-allow-l1-to-intercept-software-exceptions-bp-and-of.patch
+bugfix/all/irda-fix-lockdep-annotations-in-hashbin_delete.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch



