Bug 1220755 (CVE-2021-47041)

Summary: VUL-0: CVE-2021-47041: kernel: nvmet-tcp: fix incorrect locking in state_change sk callback
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: gabriele.sonnu, lidong.zhong, vasant.karasulli
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/395488/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-47041:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-01 10:40:44 UTC 
In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: fix incorrect locking in state_change sk callback

We are not changing anything in the TCP connection state so
we should not take a write_lock but rather a read lock.

This caused a deadlock when running nvmet-tcp and nvme-tcp
on the same system, where state_change callbacks on the
host and on the controller side have causal relationship
and made lockdep report on this with blktests:

================================
WARNING: inconsistent lock state
5.12.0-rc3 #1 Tainted: G          I
--------------------------------
inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-R} usage.
nvme/1324 [HC0[0]:SC0[0]:HE1:SE1] takes:
ffff888363151000 (clock-AF_INET){++-?}-{2:2}, at: nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
{IN-SOFTIRQ-W} state was registered at:
  __lock_acquire+0x79b/0x18d0
  lock_acquire+0x1ca/0x480
  _raw_write_lock_bh+0x39/0x80
  nvmet_tcp_state_change+0x21/0x170 [nvmet_tcp]
  tcp_fin+0x2a8/0x780
  tcp_data_queue+0xf94/0x1f20
  tcp_rcv_established+0x6ba/0x1f00
  tcp_v4_do_rcv+0x502/0x760
  tcp_v4_rcv+0x257e/0x3430
  ip_protocol_deliver_rcu+0x69/0x6a0
  ip_local_deliver_finish+0x1e2/0x2f0
  ip_local_deliver+0x1a2/0x420
  ip_rcv+0x4fb/0x6b0
  __netif_receive_skb_one_core+0x162/0x1b0
  process_backlog+0x1ff/0x770
  __napi_poll.constprop.0+0xa9/0x5c0
  net_rx_action+0x7b3/0xb30
  __do_softirq+0x1f0/0x940
  do_softirq+0xa1/0xd0
  __local_bh_enable_ip+0xd8/0x100
  ip_finish_output2+0x6b7/0x18a0
  __ip_queue_xmit+0x706/0x1aa0
  __tcp_transmit_skb+0x2068/0x2e20
  tcp_write_xmit+0xc9e/0x2bb0
  __tcp_push_pending_frames+0x92/0x310
  inet_shutdown+0x158/0x300
  __nvme_tcp_stop_queue+0x36/0x270 [nvme_tcp]
  nvme_tcp_stop_queue+0x87/0xb0 [nvme_tcp]
  nvme_tcp_teardown_admin_queue+0x69/0xe0 [nvme_tcp]
  nvme_do_delete_ctrl+0x100/0x10c [nvme_core]
  nvme_sysfs_delete.cold+0x8/0xd [nvme_core]
  kernfs_fop_write_iter+0x2c7/0x460
  new_sync_write+0x36c/0x610
  vfs_write+0x5c0/0x870
  ksys_write+0xf9/0x1d0
  do_syscall_64+0x33/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xae
irq event stamp: 10687
hardirqs last  enabled at (10687): [<ffffffff9ec376bd>] _raw_spin_unlock_irqrestore+0x2d/0x40
hardirqs last disabled at (10686): [<ffffffff9ec374d8>] _raw_spin_lock_irqsave+0x68/0x90
softirqs last  enabled at (10684): [<ffffffff9f000608>] __do_softirq+0x608/0x940
softirqs last disabled at (10649): [<ffffffff9cdedd31>] do_softirq+0xa1/0xd0

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(clock-AF_INET);
  <Interrupt>
    lock(clock-AF_INET);

 *** DEADLOCK ***

5 locks held by nvme/1324:
 #0: ffff8884a01fe470 (sb_writers#4){.+.+}-{0:0}, at: ksys_write+0xf9/0x1d0
 #1: ffff8886e435c090 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x216/0x460
 #2: ffff888104d90c38 (kn->active#255){++++}-{0:0}, at: kernfs_remove_self+0x22d/0x330
 #3: ffff8884634538d0 (&queue->queue_lock){+.+.}-{3:3}, at: nvme_tcp_stop_queue+0x52/0xb0 [nvme_tcp]
 #4: ffff888363150d30 (sk_lock-AF_INET){+.+.}-{0:0}, at: inet_shutdown+0x59/0x300

stack backtrace:
CPU: 26 PID: 1324 Comm: nvme Tainted: G          I       5.12.0-rc3 #1
Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.10.0 11/12/2020
Call Trace:
 dump_stack+0x93/0xc2
 mark_lock_irq.cold+0x2c/0xb3
 ? verify_lock_unused+0x390/0x390
 ? stack_trace_consume_entry+0x160/0x160
 ? lock_downgrade+0x100/0x100
 ? save_trace+0x88/0x5e0
 ? _raw_spin_unlock_irqrestore+0x2d/0x40
 mark_lock+0x530/0x1470
 ? mark_lock_irq+0x1d10/0x1d10
 ? enqueue_timer+0x660/0x660
 mark_usage+0x215/0x2a0
 __lock_acquire+0x79b/0x18d0
 ? tcp_schedule_loss_probe.part.0+0x38c/0x520
 lock_acquire+0x1ca/0x480
 ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
 ? rcu_read_unlock+0x40/0x40
 ? tcp_mtu_probe+0x1ae0/0x1ae0
 ? kmalloc_reserve+0xa0/0xa0
 ? sysfs_file_ops+0x170/0x170
 _raw_read_lock+0x3d/0xa0
 ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
 nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
 ? sysfs_file_ops
---truncated---

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47041
https://www.cve.org/CVERecord?id=CVE-2021-47041
https://git.kernel.org/stable/c/06beaa1a9f6e501213195e47c30416032fd2bbd5
https://git.kernel.org/stable/c/60ade0d56b06537a28884745059b3801c78e03bc
https://git.kernel.org/stable/c/906c538340dde6d891df89fe7dac8eaa724e40da
https://git.kernel.org/stable/c/999d606a820c36ae9b9e9611360c8b3d8d4bb777
https://git.kernel.org/stable/c/b5332a9f3f3d884a1b646ce155e664cc558c1722
https://bugzilla.redhat.com/show_bug.cgi?id=2267006
Comment 1 Gabriele Sonnu 2024-03-01 10:54:30 UTC 
Tracked as affected:

 - SLE12-SP5
 - cve/linux-5.3

Other branches already have the fix (999d606a820c), SLE15-SP4 included. 

https://git.kernel.org/stable/c/999d606a820c36ae9b9e9611360c8b3d8d4bb777
Comment 4 Daniel Wagner 2024-03-26 17:42:39 UTC 
I haven't looked at this yet. No idea, if this CVE is actually a real security
problem or not.
Comment 5 Daniel Wagner 2024-04-16 12:01:26 UTC 
cve/linux-5.3: added

sle12sp5:
> blacklisted: b5332a9f3f3d884a1b646ce155e664cc558c1722 # no nvme core/fabric fixes to missing infrastructure

This is mentioned in the cve as well: affected at 5.0
The fixes tag is just wrong.
Comment 11 Maintenance Automation 2024-05-14 16:31:40 UTC 
SUSE-SU-2024:1645-1: An update that solves 41 vulnerabilities and has 12 security fixes can now be installed.

Category: security (important)
Bug References: 1190576, 1192145, 1200313, 1201489, 1203906, 1203935, 1204614, 1211592, 1218562, 1218917, 1219169, 1219170, 1219264, 1220513, 1220755, 1220854, 1221113, 1221299, 1221543, 1221545, 1222449, 1222482, 1222503, 1222559, 1222624, 1222666, 1222709, 1222790, 1222792, 1222829, 1222876, 1222881, 1222883, 1222894, 1222976, 1223016, 1223057, 1223111, 1223187, 1223202, 1223475, 1223482, 1223509, 1223513, 1223522, 1223824, 1223921, 1223923, 1223931, 1223941, 1223948, 1223952, 1223963
CVE References: CVE-2021-46955, CVE-2021-47041, CVE-2021-47074, CVE-2021-47113, CVE-2021-47131, CVE-2021-47184, CVE-2021-47194, CVE-2021-47198, CVE-2021-47201, CVE-2021-47203, CVE-2021-47206, CVE-2021-47207, CVE-2021-47212, CVE-2021-47216, CVE-2022-48631, CVE-2022-48638, CVE-2022-48650, CVE-2022-48651, CVE-2022-48654, CVE-2022-48672, CVE-2022-48686, CVE-2022-48687, CVE-2022-48693, CVE-2022-48695, CVE-2022-48701, CVE-2022-48702, CVE-2024-0639, CVE-2024-23307, CVE-2024-26610, CVE-2024-26688, CVE-2024-26689, CVE-2024-26739, CVE-2024-26744, CVE-2024-26816, CVE-2024-26840, CVE-2024-26852, CVE-2024-26862, CVE-2024-26898, CVE-2024-26903, CVE-2024-26906, CVE-2024-27043
Maintenance Incident: [SUSE:Maintenance:33806](https://smelt.suse.de/incident/33806/)
Sources used:
SUSE Linux Enterprise Micro 5.1 (src):
 kernel-source-rt-5.3.18-150300.169.1
SUSE Linux Enterprise Micro 5.2 (src):
 kernel-source-rt-5.3.18-150300.169.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 kernel-source-rt-5.3.18-150300.169.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2024-05-14 16:33:12 UTC 
SUSE-SU-2024:1642-1: An update that solves 48 vulnerabilities and has eight security fixes can now be installed.

Category: security (important)
Bug References: 1190576, 1192145, 1200313, 1201489, 1203906, 1203935, 1204614, 1211592, 1218562, 1218917, 1219169, 1219170, 1219264, 1220513, 1220755, 1220854, 1221113, 1221299, 1221543, 1221545, 1222449, 1222482, 1222503, 1222559, 1222585, 1222624, 1222666, 1222669, 1222709, 1222790, 1222792, 1222829, 1222876, 1222878, 1222881, 1222883, 1222894, 1222976, 1223016, 1223057, 1223111, 1223187, 1223202, 1223475, 1223482, 1223509, 1223513, 1223522, 1223824, 1223921, 1223923, 1223931, 1223941, 1223948, 1223952, 1223963
CVE References: CVE-2021-46955, CVE-2021-47041, CVE-2021-47074, CVE-2021-47113, CVE-2021-47131, CVE-2021-47184, CVE-2021-47185, CVE-2021-47194, CVE-2021-47198, CVE-2021-47201, CVE-2021-47202, CVE-2021-47203, CVE-2021-47206, CVE-2021-47207, CVE-2021-47212, CVE-2021-47216, CVE-2022-48631, CVE-2022-48638, CVE-2022-48650, CVE-2022-48651, CVE-2022-48654, CVE-2022-48672, CVE-2022-48686, CVE-2022-48687, CVE-2022-48693, CVE-2022-48695, CVE-2022-48701, CVE-2022-48702, CVE-2023-2860, CVE-2023-6270, CVE-2024-0639, CVE-2024-0841, CVE-2024-22099, CVE-2024-23307, CVE-2024-26610, CVE-2024-26688, CVE-2024-26689, CVE-2024-26733, CVE-2024-26739, CVE-2024-26744, CVE-2024-26816, CVE-2024-26840, CVE-2024-26852, CVE-2024-26862, CVE-2024-26898, CVE-2024-26903, CVE-2024-26906, CVE-2024-27043
Maintenance Incident: [SUSE:Maintenance:33776](https://smelt.suse.de/incident/33776/)
Sources used:
openSUSE Leap 15.3 (src):
 kernel-livepatch-SLE15-SP3_Update_44-1-150300.7.3.1, kernel-obs-qa-5.3.18-150300.59.161.1, kernel-default-base-5.3.18-150300.59.161.1.150300.18.94.1, kernel-syms-5.3.18-150300.59.161.1, kernel-obs-build-5.3.18-150300.59.161.1, kernel-source-5.3.18-150300.59.161.1
SUSE Linux Enterprise Live Patching 15-SP3 (src):
 kernel-livepatch-SLE15-SP3_Update_44-1-150300.7.3.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 kernel-default-base-5.3.18-150300.59.161.1.150300.18.94.1, kernel-syms-5.3.18-150300.59.161.1, kernel-obs-build-5.3.18-150300.59.161.1, kernel-source-5.3.18-150300.59.161.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 kernel-default-base-5.3.18-150300.59.161.1.150300.18.94.1, kernel-syms-5.3.18-150300.59.161.1, kernel-obs-build-5.3.18-150300.59.161.1, kernel-source-5.3.18-150300.59.161.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 kernel-default-base-5.3.18-150300.59.161.1.150300.18.94.1, kernel-syms-5.3.18-150300.59.161.1, kernel-obs-build-5.3.18-150300.59.161.1, kernel-source-5.3.18-150300.59.161.1
SUSE Enterprise Storage 7.1 (src):
 kernel-default-base-5.3.18-150300.59.161.1.150300.18.94.1, kernel-syms-5.3.18-150300.59.161.1, kernel-obs-build-5.3.18-150300.59.161.1, kernel-source-5.3.18-150300.59.161.1
SUSE Linux Enterprise Micro 5.1 (src):
 kernel-default-base-5.3.18-150300.59.161.1.150300.18.94.1
SUSE Linux Enterprise Micro 5.2 (src):
 kernel-default-base-5.3.18-150300.59.161.1.150300.18.94.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 kernel-default-base-5.3.18-150300.59.161.1.150300.18.94.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-05-15 08:30:04 UTC 
SUSE-SU-2024:1650-1: An update that solves 37 vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1190576, 1192145, 1204614, 1211592, 1218562, 1218917, 1219169, 1219170, 1219264, 1220513, 1220755, 1220854, 1221543, 1221545, 1222449, 1222482, 1222503, 1222559, 1222585, 1222624, 1222666, 1222669, 1222709, 1222790, 1222792, 1222829, 1222881, 1222883, 1222894, 1222976, 1223016, 1223057, 1223111, 1223187, 1223202, 1223475, 1223482, 1223513, 1223824, 1223952
CVE References: CVE-2021-46955, CVE-2021-47041, CVE-2021-47074, CVE-2021-47113, CVE-2021-47131, CVE-2021-47184, CVE-2021-47185, CVE-2021-47194, CVE-2021-47198, CVE-2021-47201, CVE-2021-47203, CVE-2021-47206, CVE-2021-47207, CVE-2021-47212, CVE-2022-48631, CVE-2022-48651, CVE-2022-48654, CVE-2022-48687, CVE-2023-2860, CVE-2023-6270, CVE-2024-0639, CVE-2024-0841, CVE-2024-22099, CVE-2024-23307, CVE-2024-26688, CVE-2024-26689, CVE-2024-26733, CVE-2024-26739, CVE-2024-26744, CVE-2024-26816, CVE-2024-26840, CVE-2024-26852, CVE-2024-26862, CVE-2024-26898, CVE-2024-26903, CVE-2024-26906, CVE-2024-27043
Maintenance Incident: [SUSE:Maintenance:33791](https://smelt.suse.de/incident/33791/)
Sources used:
SUSE Linux Enterprise Live Patching 15-SP2 (src):
 kernel-livepatch-SLE15-SP2_Update_48-1-150200.5.3.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 kernel-syms-5.3.18-150200.24.191.1, kernel-default-base-5.3.18-150200.24.191.1.150200.9.97.1, kernel-source-5.3.18-150200.24.191.1, kernel-obs-build-5.3.18-150200.24.191.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 kernel-syms-5.3.18-150200.24.191.1, kernel-default-base-5.3.18-150200.24.191.1.150200.9.97.1, kernel-source-5.3.18-150200.24.191.1, kernel-obs-build-5.3.18-150200.24.191.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 kernel-syms-5.3.18-150200.24.191.1, kernel-default-base-5.3.18-150200.24.191.1.150200.9.97.1, kernel-source-5.3.18-150200.24.191.1, kernel-obs-build-5.3.18-150200.24.191.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.