CVE-2021-47387

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47387
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47387.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47387
Published
2024-05-21T15:15:24Z
Modified
2024-09-11T04:41:09.727712Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

cpufreq: schedutil: Use kobject release() method to free sugov_tunables

The struct sugov_tunables is protected by the kobject, so we can't free it directly. Otherwise we would get a call trace like this:

    ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x30
    WARNING: CPU: 3 PID: 720 at lib/debugobjects.c:505 debug_print_object+0xb8/0x100
    Modules linked in:
    CPU: 3 PID: 720 Comm: a.sh Tainted: G W 5.14.0-rc1-next-20210715-yocto-standard+ #507
    Hardware name: Marvell OcteonTX CN96XX board (DT)
    pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--)
    pc : debug_print_object+0xb8/0x100
    lr : debug_print_object+0xb8/0x100
    sp : ffff80001ecaf910
    x29: ffff80001ecaf910 x28: ffff00011b10b8d0 x27: ffff800011043d80
    x26: ffff00011a8f0000 x25: ffff800013cb3ff0 x24: 0000000000000000
    x23: ffff80001142aa68 x22: ffff800011043d80 x21: ffff00010de46f20
    x20: ffff800013c0c520 x19: ffff800011d8f5b0 x18: 0000000000000010
    x17: 6e6968207473696c x16: 5f72656d6974203a x15: 6570797420746365
    x14: 6a626f2029302065 x13: 303378302f307830 x12: 2b6e665f72656d69
    x11: ffff8000124b1560 x10: ffff800012331520 x9 : ffff8000100ca6b0
    x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 0000000000000001
    x5 : ffff800011d8c000 x4 : ffff800011d8c740 x3 : 0000000000000000
    x2 : ffff0001108301c0 x1 : ab3c90eedf9c0f00 x0 : 0000000000000000
    Call trace:
     debug_print_object+0xb8/0x100
     __debug_check_no_obj_freed+0x1c0/0x230
     debug_check_no_obj_freed+0x20/0x88
     slab_free_freelist_hook+0x154/0x1c8
     kfree+0x114/0x5d0
     sugov_exit+0xbc/0xc0
     cpufreq_exit_governor+0x44/0x90
     cpufreq_set_policy+0x268/0x4a8
     store_scaling_governor+0xe0/0x128
     store+0xc0/0xf0
     sysfs_kf_write+0x54/0x80
     kernfs_fop_write_iter+0x128/0x1c0
     new_sync_write+0xf0/0x190
     vfs_write+0x2d4/0x478
     ksys_write+0x74/0x100
     __arm64_sys_write+0x24/0x30
     invoke_syscall.constprop.0+0x54/0xe0
     do_el0_svc+0x64/0x158
     el0_svc+0x2c/0xb0
     el0t_64_sync_handler+0xb0/0xb8
     el0t_64_sync+0x198/0x19c
    irq event stamp: 5518
    hardirqs last enabled at (5517): [<ffff8000100cbd7c>] console_unlock+0x554/0x6c8
    hardirqs last disabled at (5518): [<ffff800010fc0638>] el1_dbg+0x28/0xa0
    softirqs last enabled at (5504): [<ffff8000100106e0>] __do_softirq+0x4d0/0x6c0
    softirqs last disabled at (5483): [<ffff800010049548>] irq_exit+0x1b0/0x1b8

So split the original sugov_tunables_free() into two functions, sugov_clear_global_tunables() is just used to clear the global_tunables and the new sugov_tunables_free() is used as kobj_type::release to release the sugov_tunables safely.

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.84-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.14.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.14.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}