| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025061830-CVE-2022-50174-df49@gregkh> Date: Wed, 18 Jun 2025 13:03:59 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2022-50174: net: hinic: avoid kernel hung in hinic_get_stats64() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: net: hinic: avoid kernel hung in hinic_get_stats64() When using hinic device as a bond slave device, and reading device stats of master bond device, the kernel may hung. The kernel panic calltrace as follows: Kernel panic - not syncing: softlockup: hung tasks Call trace: native_queued_spin_lock_slowpath+0x1ec/0x31c dev_get_stats+0x60/0xcc dev_seq_printf_stats+0x40/0x120 dev_seq_show+0x1c/0x40 seq_read_iter+0x3c8/0x4dc seq_read+0xe0/0x130 proc_reg_read+0xa8/0xe0 vfs_read+0xb0/0x1d4 ksys_read+0x70/0xfc __arm64_sys_read+0x20/0x30 el0_svc_common+0x88/0x234 do_el0_svc+0x2c/0x90 el0_svc+0x1c/0x30 el0_sync_handler+0xa8/0xb0 el0_sync+0x148/0x180 And the calltrace of task that actually caused kernel hungs as follows: __switch_to+124 __schedule+548 schedule+72 schedule_timeout+348 __down_common+188 __down+24 down+104 hinic_get_stats64+44 [hinic] dev_get_stats+92 bond_get_stats+172 [bonding] dev_get_stats+92 dev_seq_printf_stats+60 dev_seq_show+24 seq_read_iter+964 seq_read+220 proc_reg_read+164 vfs_read+172 ksys_read+108 __arm64_sys_read+28 el0_svc_common+132 do_el0_svc+40 el0_svc+24 el0_sync_handler+164 el0_sync+324 When getting device stats from bond, kernel will call bond_get_stats(). It first holds the spinlock bond->stats_lock, and then call hinic_get_stats64() to collect hinic device's stats. However, hinic_get_stats64() calls `down(&nic_dev->mgmt_lock)` to protect its critical section, which may schedule current task out. And if system is under high pressure, the task cannot be woken up immediately, which eventually triggers kernel hung panic. Since previous patch has replaced hinic_dev.tx_stats/rx_stats with local variable in hinic_get_stats64(), there is nothing need to be protected by lock, so just removing down()/up() is ok. The Linux kernel CVE team has assigned CVE-2022-50174 to this issue. Affected and fixed versions =========================== Issue introduced in 4.14 with commit edd384f682cc2981420628b769a1929db680f02f and fixed in 5.10.137 with commit e74f3097a9c713ce855cda07713393bcc23a005d Issue introduced in 4.14 with commit edd384f682cc2981420628b769a1929db680f02f and fixed in 5.15.61 with commit 693f31dc91568e61047fd2980a8235e856cd9ce8 Issue introduced in 4.14 with commit edd384f682cc2981420628b769a1929db680f02f and fixed in 5.18.18 with commit fced5bce712122654ec8a20356342698cce104d2 Issue introduced in 4.14 with commit edd384f682cc2981420628b769a1929db680f02f and fixed in 5.19.2 with commit 3ba59bbe4f306bb6ee15753db0a40564c0eb7909 Issue introduced in 4.14 with commit edd384f682cc2981420628b769a1929db680f02f and fixed in 6.0 with commit 98f9fcdee35add80505b6c73f72de5f750d5c03c Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-50174 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/ethernet/huawei/hinic/hinic_main.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/e74f3097a9c713ce855cda07713393bcc23a005d https://git.kernel.org/stable/c/693f31dc91568e61047fd2980a8235e856cd9ce8 https://git.kernel.org/stable/c/fced5bce712122654ec8a20356342698cce104d2 https://git.kernel.org/stable/c/3ba59bbe4f306bb6ee15753db0a40564c0eb7909 https://git.kernel.org/stable/c/98f9fcdee35add80505b6c73f72de5f750d5c03c
Powered by blists - more mailing lists