Description
In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: fix race condition in qman_destroy_fq When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. Indeed, we can have: Thread A Thread B qman_destroy_fq() qman_create_fq() qman_release_fqid() qman_shutdown_fq() gen_pool_free() -- At this point, the fqid is available again -- qman_alloc_fqid() -- so, we can get the just-freed fqid in thread B -- fq->fqid = fqid; fq->idx = fqid * 2; WARN_ON(fq_table[fq->idx]); fq_table[fq->idx] = fq; fq_table[fq->idx] = NULL; And adding some logs between qman_release_fqid() and fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more. To prevent that, ensure that fq_table[fq->idx] is set to NULL before gen_pool_free() is called by using smp_wmb().
Product status
c535e923bb97a4b361e89a6383693482057f8b0c (git) before 66442cf9989bd4489fa80d9f37637d58ab016835
c535e923bb97a4b361e89a6383693482057f8b0c (git) before d288fbe652ef43b7128e4bc0c0c2ef6bd03a2210
c535e923bb97a4b361e89a6383693482057f8b0c (git) before 9e3d47904b8153c8c3ad2f9b66d5008aad677aa8
c535e923bb97a4b361e89a6383693482057f8b0c (git) before d21923a8059fa896bfef016f55dd769299335cb4
c535e923bb97a4b361e89a6383693482057f8b0c (git) before 751f60bd48edaf03f9d84ab09e5ce6705757d50f
c535e923bb97a4b361e89a6383693482057f8b0c (git) before 85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa
c535e923bb97a4b361e89a6383693482057f8b0c (git) before 265e56714635c5dd1e5964bfd97fa6e73f62cde5
c535e923bb97a4b361e89a6383693482057f8b0c (git) before 014077044e874e270ec480515edbc1cadb976cf2
4.9
Any version before 4.9
5.10.253 (semver)
5.15.203 (semver)
6.1.167 (semver)
6.6.130 (semver)
6.12.78 (semver)
6.18.20 (semver)
6.19.10 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/66442cf9989bd4489fa80d9f37637d58ab016835
git.kernel.org/...c/d288fbe652ef43b7128e4bc0c0c2ef6bd03a2210
git.kernel.org/...c/9e3d47904b8153c8c3ad2f9b66d5008aad677aa8
git.kernel.org/...c/d21923a8059fa896bfef016f55dd769299335cb4
git.kernel.org/...c/751f60bd48edaf03f9d84ab09e5ce6705757d50f
git.kernel.org/...c/85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa
git.kernel.org/...c/265e56714635c5dd1e5964bfd97fa6e73f62cde5
git.kernel.org/...c/014077044e874e270ec480515edbc1cadb976cf2