Bug 1221980 (CVE-2021-47163) - VUL-0: CVE-2021-47163: kernel: tipc: wait and exit until all work queues are done
Status: NEW
Alias: CVE-2021-47163
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Michal Kubeček
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/398807/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-47163:5.5:(AV:...
Reported: 2024-03-26 10:49 UTC by SMASH SMASH
Modified: 2024-07-03 05:39 UTC
Found By: Security Response Team
stoyan.manolov: needinfo? (mkubecek)


Description SMASH SMASH 2024-03-26 10:49:35 UTC
In the Linux kernel, the following vulnerability has been resolved:

tipc: wait and exit until all work queues are done

On some hosts, a crash could be triggered simply by repeating these
commands several times:

  # modprobe tipc
  # tipc bearer enable media udp name UDP1 localip 127.0.0.1
  # rmmod tipc

  [] BUG: unable to handle kernel paging request at ffffffffc096bb00
  [] Workqueue: events 0xffffffffc096bb00
  [] Call Trace:
  []  ? process_one_work+0x1a7/0x360
  []  ? worker_thread+0x30/0x390
  []  ? create_worker+0x1a0/0x1a0
  []  ? kthread+0x116/0x130
  []  ? kthread_flush_work_fn+0x10/0x10
  []  ? ret_from_fork+0x35/0x40

When removing the TIPC module, the UDP tunnel sock will be delayed to
release in a work queue as sock_release() can't be done in rtnl_lock().
If the work queue is scheduled to run after the TIPC module is removed,
the kernel will crash as the work queue function cleanup_bearer() code no
longer exists when trying to invoke it.

To fix it, this patch introduces a member wq_count in tipc_net to track
the number of work queues in schedule, and wait and exit until all
work queues are done in tipc_exit_net().

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47163
https://git.kernel.org/stable/c/5195ec5e365a2a9331bfeb585b613a6e94f98dba
https://git.kernel.org/stable/c/b9f5b7ad4ac3af006443f535b1ce7bff1d130d7d
https://git.kernel.org/stable/c/04c26faa51d1e2fe71cf13c45791f5174c37f986
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2021/CVE-2021-47163.mbox
https://git.kernel.org/stable/c/d1f76dfadaf8f47ed1753f97dbcbd41c16215ffa
https://www.cve.org/CVERecord?id=CVE-2021-47163
https://bugzilla.redhat.com/show_bug.cgi?id=2271452
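
The counter-and-wait ordering described in the commit message, as an added user-space model in C; it is not the kernel patch and not code from this bug report. Only `wq_count` is a name taken from the page; the struct, the simulated worker and `simulate()` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model; only wq_count is a name taken from the page. */
struct model {
	bool module_loaded;  /* is the module text still mapped? */
	int wq_count;        /* work scheduled but not yet finished */
	int pending;         /* items sitting in the simulated workqueue */
	int stale_calls;     /* work run after unload: the reported crash */
};

/* Worker thread pass: run each queued cleanup, then drop the counter. */
static void run_worker(struct model *m)
{
	while (m->pending > 0) {
		m->pending--;
		if (!m->module_loaded)
			m->stale_calls++;  /* kernel: call into unmapped text */
		m->wq_count--;
	}
}

/* Module exit; the fixed variant yields until wq_count drops to zero. */
static void module_exit(struct model *m, bool wait_for_work)
{
	while (wait_for_work && m->wq_count > 0)
		run_worker(m);         /* models yielding to the worker */
	m->module_loaded = false;
}

/* Returns how many work items ran after the module was removed. */
int simulate(int bearers, bool wait_for_work)
{
	struct model m = { .module_loaded = true };
	/* Teardown cannot release the socket under rtnl_lock, so it defers. */
	for (int i = 0; i < bearers; i++) {
		m.wq_count++;
		m.pending++;
	}
	module_exit(&m, wait_for_work);
	run_worker(&m);                /* worker is scheduled late */
	return m.stale_calls;
}

int main(void)
{
	printf("no wait: %d, wait: %d\n", simulate(1, false), simulate(1, true));
	return 0;
}
```

A non-zero result from `simulate()` corresponds to the paging-request oops in the trace above: the worker runs a function whose code has already been unloaded.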
Comment 1 Gabriele Sonnu 2024-03-26 13:23:44 UTC
Offending commit (d0f91938bede) found in:
 - ALP-current
 - cve/linux-4.4-LTSS
 - cve/linux-5.3-LTSS
 - cve/linux-5.14-LTSS
 - SLE12-SP2-LTSS
 - SLE12-SP3-LTSS
 - SLE12-SP3-TD
 - SLE12-SP4-LTSS
 - SLE12-SP5
 - SLE15-LTSS
 - SLE15-SP1-LTSS
 - SLE15-SP2-LTSS
 - SLE15-SP3-LTSS
 - SLE15-SP4-LTSS
 - SLE15-SP5
 - SLE15-SP6
 - stable

Fixing commit (b9f5b7ad4ac3) found in:
 - ALP-current
 - cve/linux-5.14-LTSS
 - SLE15-SP4-LTSS
 - SLE15-SP5
 - SLE15-SP6
 - stable

Tracking as affected:
 - cve/linux-4.4-LTSS
 - cve/linux-5.3-LTSS
 - SLE12-SP2-LTSS
 - SLE12-SP3-LTSS
 - SLE12-SP3-TD
 - SLE12-SP4-LTSS
 - SLE12-SP5
 - SLE15-LTSS
 - SLE15-SP1-LTSS
 - SLE15-SP2-LTSS
 - SLE15-SP3-LTSS
Comment 2 Gabriel Krisman Bertazi 2024-04-26 23:06:00 UTC
This is low score, so not really LTSS material.  So we should only patch

 - SLE12-SP5

I'll handle the backport.
Comment 3 Gabriel Krisman Bertazi 2024-05-29 20:46:57 UTC
Michal, actually can you take this one?

It needs a custom fix to avoid ABI breakages, so I'd rather have an expert on this code to decide on the fix.