CVE-2021-47189

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47189
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47189.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47189
Related
Published
2024-04-10T19:15:47Z
Modified
2024-11-01T20:50:42.317038Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix memory ordering between normal and ordered work functions

Ordered work functions aren't guaranteed to be handled by the same thread which executed the normal work functions. The only way execution between normal/ordered functions is synchronized is via the WORKDONEBIT, unfortunately the used bitops don't guarantee any ordering whatsoever.

This manifested as seemingly inexplicable crashes on ARM64, where asyncchunk::inode is seen as non-null in asynccowsubmit which causes submitcompressedextents to be called and crash occurs because asyncchunk::inode suddenly became NULL. The call trace was similar to:

pc : submit_compressed_extents+0x38/0x3d0
lr : async_cow_submit+0x50/0xd0
sp : ffff800015d4bc20

<registers omitted for brevity>

Call trace:
 submit_compressed_extents+0x38/0x3d0
 async_cow_submit+0x50/0xd0
 run_ordered_work+0xc8/0x280
 btrfs_work_helper+0x98/0x250
 process_one_work+0x1f0/0x4ac
 worker_thread+0x188/0x504
 kthread+0x110/0x114
 ret_from_fork+0x10/0x18

Fix this by adding respective barrier calls which ensure that all accesses preceding setting of WORKDONEBIT are strictly ordered before setting the flag. At the same time add a read barrier after reading of WORKDONEBIT in runorderedwork which ensures all subsequent loads would be strictly ordered after reading the bit. This in turn ensures are all accesses before WORKDONEBIT are going to be strictly ordered before any access that can occur in ordered_func.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.84-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}