In the Linux kernel, the following vulnerability has been resolved:
cpufreq: schedutil: Use kobject release() method to free sugov_tunables The
struct sugov_tunables is protected by the kobject, so we can’t free it
directly. Otherwise we would get a call trace like this: ODEBUG: free
active (active state 0) object type: timer_list hint:
delayed_work_timer_fn+0x0/0x30 WARNING: CPU: 3 PID: 720 at
lib/debugobjects.c:505 debug_print_object+0xb8/0x100 Modules linked in:
CPU: 3 PID: 720 Comm: a.sh Tainted: G W
5.14.0-rc1-next-20210715-yocto-standard+ #507 Hardware name: Marvell
OcteonTX CN96XX board (DT) pstate: 40400009 (nZcv daif +PAN -UAO -TCO
BTYPE=–) pc : debug_print_object+0xb8/0x100 lr :
debug_print_object+0xb8/0x100 sp : ffff80001ecaf910 x29: ffff80001ecaf910
x28: ffff00011b10b8d0 x27: ffff800011043d80 x26: ffff00011a8f0000 x25:
ffff800013cb3ff0 x24: 0000000000000000 x23: ffff80001142aa68 x22:
ffff800011043d80 x21: ffff00010de46f20 x20: ffff800013c0c520 x19:
ffff800011d8f5b0 x18: 0000000000000010 x17: 6e6968207473696c x16:
5f72656d6974203a x15: 6570797420746365 x14: 6a626f2029302065 x13:
303378302f307830 x12: 2b6e665f72656d69 x11: ffff8000124b1560 x10:
ffff800012331520 x9 : ffff8000100ca6b0 x8 : 000000000017ffe8 x7 :
c0000000fffeffff x6 : 0000000000000001 x5 : ffff800011d8c000 x4 :
ffff800011d8c740 x3 : 0000000000000000 x2 : ffff0001108301c0 x1 :
ab3c90eedf9c0f00 x0 : 0000000000000000 Call trace:
debug_print_object+0xb8/0x100 __debug_check_no_obj_freed+0x1c0/0x230
debug_check_no_obj_freed+0x20/0x88 slab_free_freelist_hook+0x154/0x1c8
kfree+0x114/0x5d0 sugov_exit+0xbc/0xc0 cpufreq_exit_governor+0x44/0x90
cpufreq_set_policy+0x268/0x4a8 store_scaling_governor+0xe0/0x128
store+0xc0/0xf0 sysfs_kf_write+0x54/0x80 kernfs_fop_write_iter+0x128/0x1c0
new_sync_write+0xf0/0x190 vfs_write+0x2d4/0x478 ksys_write+0x74/0x100
__arm64_sys_write+0x24/0x30 invoke_syscall.constprop.0+0x54/0xe0
do_el0_svc+0x64/0x158 el0_svc+0x2c/0xb0 el0t_64_sync_handler+0xb0/0xb8
el0t_64_sync+0x198/0x19c irq event stamp: 5518 hardirqs last enabled at
(5517): [<ffff8000100cbd7c>] console_unlock+0x554/0x6c8 hardirqs last
disabled at (5518): [<ffff800010fc0638>] el1_dbg+0x28/0xa0 softirqs last
enabled at (5504): [<ffff8000100106e0>] __do_softirq+0x4d0/0x6c0 softirqs
last disabled at (5483): [<ffff800010049548>] irq_exit+0x1b0/0x1b8 So split
the original sugov_tunables_free() into two functions,
sugov_clear_global_tunables() is just used to clear the global_tunables and
the new sugov_tunables_free() is used as kobj_type::release to release the
sugov_tunables safely.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws-5.4 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux-aws-hwe | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-azure-4.15 | < any | UNKNOWN |
git.kernel.org/linus/e5c6b312ce3cc97e90ea159446e6bfa06645364d (5.15-rc1)
git.kernel.org/stable/c/30d57cf2c4116ca6d34ecd1cac94ad84f8bc446c
git.kernel.org/stable/c/463c46705f321201090b69c4ad5da0cd2ce614c9
git.kernel.org/stable/c/67c98e023135ff81b8d52998a6fdb8ca0c518d82
git.kernel.org/stable/c/8d62aec52a8c5b1d25a2364b243fcc5098a2ede9
git.kernel.org/stable/c/a7d4fc84404d45d72f4490417e8cc3efa4af93f1
git.kernel.org/stable/c/cb4a53ba37532c861a5f3f22803391018a41849a
git.kernel.org/stable/c/e5c6b312ce3cc97e90ea159446e6bfa06645364d
launchpad.net/bugs/cve/CVE-2021-47387
nvd.nist.gov/vuln/detail/CVE-2021-47387
security-tracker.debian.org/tracker/CVE-2021-47387
www.cve.org/CVERecord?id=CVE-2021-47387