CVE-2021-47271

usb: cdnsp: Fix deadlock issue in cdnsp_thread_irq_handler

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

usb: cdnsp: Fix deadlock issue in cdnsp_thread_irq_handler

Patch fixes the following critical issue caused by deadlock which has been
detected during testing NCM class:

smp: csd: Detected non-responsive CSD lock (#1) on CPU#0
smp: csd: CSD lock (#1) unresponsive.
....
RIP: 0010:native_queued_spin_lock_slowpath+0x61/0x1d0
RSP: 0018:ffffbc494011cde0 EFLAGS: 00000002
RAX: 0000000000000101 RBX: ffff9ee8116b4a68 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9ee8116b4658
RBP: ffffbc494011cde0 R08: 0000000000000001 R09: 0000000000000000
R10: ffff9ee8116b4670 R11: 0000000000000000 R12: ffff9ee8116b4658
R13: ffff9ee8116b4670 R14: 0000000000000246 R15: ffff9ee8116b4658
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7bcc41a830 CR3: 000000007a612003 CR4: 00000000001706e0
Call Trace:
<IRQ>
do_raw_spin_lock+0xc0/0xd0
_raw_spin_lock_irqsave+0x95/0xa0
cdnsp_gadget_ep_queue.cold+0x88/0x107 [cdnsp_udc_pci]
usb_ep_queue+0x35/0x110
eth_start_xmit+0x220/0x3d0 [u_ether]
ncm_tx_timeout+0x34/0x40 [usb_f_ncm]
? ncm_free_inst+0x50/0x50 [usb_f_ncm]
__hrtimer_run_queues+0xac/0x440
hrtimer_run_softirq+0x8c/0xb0
__do_softirq+0xcf/0x428
asm_call_irq_on_stack+0x12/0x20
</IRQ>
do_softirq_own_stack+0x61/0x70
irq_exit_rcu+0xc1/0xd0
sysvec_apic_timer_interrupt+0x52/0xb0
asm_sysvec_apic_timer_interrupt+0x12/0x20
RIP: 0010:do_raw_spin_trylock+0x18/0x40
RSP: 0018:ffffbc494138bda8 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff9ee8116b4658 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9ee8116b4658
RBP: ffffbc494138bda8 R08: 0000000000000001 R09: 0000000000000000
R10: ffff9ee8116b4670 R11: 0000000000000000 R12: ffff9ee8116b4658
R13: ffff9ee8116b4670 R14: ffff9ee7b5c73d80 R15: ffff9ee8116b4000
_raw_spin_lock+0x3d/0x70
? cdnsp_thread_irq_handler.cold+0x32/0x112c [cdnsp_udc_pci]
cdnsp_thread_irq_handler.cold+0x32/0x112c [cdnsp_udc_pci]
? cdnsp_remove_request+0x1f0/0x1f0 [cdnsp_udc_pci]
? cdnsp_thread_irq_handler+0x5/0xa0 [cdnsp_udc_pci]
? irq_thread+0xa0/0x1c0
irq_thread_fn+0x28/0x60
irq_thread+0x105/0x1c0
? __kthread_parkme+0x42/0x90
? irq_forced_thread_fn+0x90/0x90
? wake_threads_waitq+0x30/0x30
? irq_thread_check_affinity+0xe0/0xe0
kthread+0x12a/0x160
? kthread_park+0x90/0x90
ret_from_fork+0x22/0x30

The root cause of issue is spin_lock/spin_unlock instruction instead
spin_lock_irqsave/spin_lock_irqrestore in cdnsp_thread_irq_handler
function.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: cdnsp: soluciona el problema de interbloqueo en cdnsp_thread_irq_handler. El parche corrige el siguiente problema crítico causado por el interbloqueo que se detectó durante las pruebas Clase NCM: smp: csd: se detectó un bloqueo CSD que no responde ( #1) en CPU#0 smp: csd: el bloqueo CSD (#1) no responde. .... RIP: 0010:native_queued_spin_lock_slowpath+0x61/0x1d0 RSP: 0018:ffffbc494011cde0 EFLAGS: 00000002 RAX: 0000000000000101 RBX: ffff9ee8116b4a68 RCX: 0000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9ee8116b4658 RBP: ffffbc494011cde0 R08: 0000000000000001 R09: 00000000000000000 R 10: ffff9ee8116b4670 R11: 0000000000000000 R12: ffff9ee8116b4658 R13: ffff9ee8116b4670 R14: 00000000000000246 R15: ffff9ee8116b4658 CS: 0010 DS: 0 ES: 0000 CR0: 0000000080050033 CR2: 00007f7bcc41a830 CR3: 000000007a612003 CR4: 00000000001706e0 Seguimiento de llamadas: do_raw_spin_lock+0xc0/0xd0 _raw_spin_lock_irqsave + 0x95/0xa0 cdnsp_gadget_ep_queue.cold+0x88/0x107 [cdnsp_udc_pci] usb_ep_queue+0x35/0x110 eth_start_xmit+0x220/0x3d0 [u_ether] ncm_tx_timeout+0x34/0x40 [usb_f_ncm] ? ncm_free_inst+0x50/0x50 [usb_f_ncm] __hrtimer_run_queues+0xac/0x440 hrtimer_run_softirq+0x8c/0xb0 __do_softirq+0xcf/0x428 asm_call_irq_on_stack+0x12/0x20 +0x61/0x70 irq_exit_rcu+0xc1/0xd0 sysvec_apic_timer_interrupt+0x52/0xb0 asm_sysvec_apic_timer_interrupt+0x12 /0x20 RIP: 0010:do_raw_spin_trylock+0x18/0x40 RSP: 0018:ffffbc494138bda8 EFLAGS: 00000246 RAX: 00000000000000000 RBX: ffff9ee8116b4658 RCX: 0000000000000 000 RDX: 0000000000000001 RSI: 00000000000000000 RDI: ffff9ee8116b4658 RBP: ffffbc494138bda8 R08: 00000000000000001 R09: 0000000000000000 R10: ffff9ee8116b4670 R11 : 0000000000000000 R12: ffff9ee8116b4658 R13: ffff9ee8116b4670 R14: ffff9ee7b5c73d80 R15: ffff9ee8116b4000 _raw_spin_lock+0x3d/0x70 ? cdnsp_thread_irq_handler.cold+0x32/0x112c [cdnsp_udc_pci] cdnsp_thread_irq_handler.cold+0x32/0x112c [cdnsp_udc_pci] ? cdnsp_remove_request+0x1f0/0x1f0 [cdnsp_udc_pci] ? cdnsp_thread_irq_handler+0x5/0xa0 [cdnsp_udc_pci] ? irq_thread+0xa0/0x1c0 irq_thread_fn+0x28/0x60 irq_thread+0x105/0x1c0 ? __kthread_parkme+0x42/0x90 ? irq_forced_thread_fn+0x90/0x90? wake_threads_waitq+0x30/0x30? irq_thread_check_affinity+0xe0/0xe0 kthread+0x12a/0x160 ? kthread_park+0x90/0x90 ret_from_fork+0x22/0x30 La causa principal del problema es la instrucción spin_lock/spin_unlock en lugar de spin_lock_irqsave/spin_lock_irqrestore en la función cdnsp_thread_irq_handler.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2024-05-22 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (3)

URL	Tag	Source
https://git.kernel.org/stable/c/3d82904559f4f5a2622db1b21de3edf2eded7664	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/ae746b6f4ce619cf4032fd798a232b010907a397	2021-06-16
https://git.kernel.org/stable/c/a9aecef198faae3240921b707bc09b602e966fce	2021-05-27

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.12 < 5.12.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.12 < 5.12.11"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.12 < 5.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.12 < 5.13"		en		Affected