Users belonging to video group may trigger a deadlock WARN
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Invalid | Undecided | Unassigned |
Bionic | Fix Released | Medium | Cengiz Can |
Bug Description
[Impact]
One of the fix commits for CVE-2021-33655, commit 159a96b199b4
("fbcon: Prevent that screen size is smaller than font size"), introduced
an extraneous lock_fb_info() call into the ioctl path in fbmem.c.
This line exists only in the bionic tree.
Users belonging to the video group may trigger a deadlock and potentially
lock up the system.
```
=======
WARNING: possible recursive locking detected
4.15.0-195-generic #206 Not tainted
-------
refresh/1248 is trying to acquire lock:
(&fb_
but task is already holding lock:
(&fb_
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(
lock(
*** DEADLOCK ***
May be due to missing lock nesting notation
2 locks held by refresh/1248:
#0: (console_
#1: (&fb_info-
stack backtrace:
CPU: 0 PID: 1248 Comm: refresh Not tainted 4.15.0-195-generic #206
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Call Trace:
dump_
__lock_
? sched_clock_
? sched_clock+
? sched_clock_
lock_
? lock_acquire+
? lock_fb_
? lock_fb_
__mutex_
? lock_fb_
? sched_clock_
? lock_acquire+
mutex_
? mutex_lock_
lock_
do_fb_
? __fd_install+
fb_ioctl+
? fb_ioctl+0x33/0x40
do_vfs_
? putname+0x4c/0x60
? do_sys_
SyS_ioctl+
do_syscall_
entry_
RIP: 0033:0x7f22acca7217
RSP: 002b:00007ffe2a
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f22acca7217
RDX: 00007ffe2a930c30 RSI: 0000000000004601 RDI: 0000000000000003
RBP: 00007ffe2a930d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000213 R12: 00005624ac8fc7c0
R13: 00007ffe2a930e20 R14: 0000000000000000 R15: 0000000000000000
```
[Test case]
Ran a sample framebuffer userspace test that calls FBIOPUT_VSCREENINFO
and verified the fix with LOCKDEP enabled.
[Potential regressions]
There are no new potential regressions.
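The recursive acquisition the splat reports, as an added userspace model (not kernel code and not the Ubuntu fix): lock_fb_info() is taken once in the fb_ioctl() wrapper, where the bionic-only extra line put it, and again inside do_fb_ioctl(), so the second acquisition can never succeed. The task id 1248 and FBIOPUT_VSCREENINFO (0x4601, the value in RSI above) come from the report; the struct fields, the owner-tracking lock that returns -EDEADLK instead of hanging, and the extra_lock flag are assumptions of this example.

```c
#include <errno.h>
/* Real FBIOPUT_VSCREENINFO value; it is also what RSI (the ioctl cmd
 * argument) holds in the register dump above. */
#define FBIOPUT_VSCREENINFO 0x4601

struct fb_info {            /* stand-in for the kernel's struct fb_info */
    int lock_owner;         /* 0 = free, otherwise the modelled task id */
};

/* Stand-in for lock_fb_info(): the kernel mutex blocks forever on
 * self-recursion; this model reports it as -EDEADLK, like LOCKDEP. */
static int lock_fb_info(struct fb_info *info, int task)
{
    if (info->lock_owner == task)
        return -EDEADLK;    /* recursive locking detected */
    info->lock_owner = task;
    return 0;
}

static void unlock_fb_info(struct fb_info *info)
{
    info->lock_owner = 0;
}

/* do_fb_ioctl() takes the lock itself for FBIOPUT_VSCREENINFO. */
static int do_fb_ioctl(struct fb_info *info, int task, unsigned int cmd)
{
    int ret;
    if (cmd != FBIOPUT_VSCREENINFO)
        return -EINVAL;     /* other commands are not modelled */
    ret = lock_fb_info(info, task);
    if (ret)
        return ret;
    /* fb_set_var() would run here */
    unlock_fb_info(info);
    return 0;
}

/* fb_ioctl() wrapper: extra_lock != 0 models the extraneous lock_fb_info()
 * line in the bionic tree, extra_lock == 0 the fixed path. */
static int fb_ioctl(struct fb_info *info, int task, unsigned int cmd, int extra_lock)
{
    int ret;
    if (extra_lock && (ret = lock_fb_info(info, task)) != 0)
        return ret;
    ret = do_fb_ioctl(info, task, cmd);
    if (extra_lock)
        unlock_fb_info(info);
    return ret;
}
```

With the extra lock in place the call for task 1248 fails with -EDEADLK, which is the point at which the real kernel would simply block; without it the same call completes and leaves the lock free.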
Changed in linux (Ubuntu): assignee: nobody → Cengiz Can (cengizcan)
Changed in linux (Ubuntu): importance: Medium → Undecided
Changed in linux (Ubuntu Bionic): importance: Undecided → Medium
Changed in linux (Ubuntu): status: New → Invalid
Changed in linux (Ubuntu Bionic): status: New → In Progress
Changed in linux (Ubuntu Bionic): assignee: nobody → Cengiz Can (cengizcan)
Changed in linux (Ubuntu): assignee: Cengiz Can (cengizcan) → nobody; description: updated
Changed in linux (Ubuntu Bionic): status: In Progress → Fix Committed
I don't know if this is where you track it, but the problem described here appears to have made it into Ubuntu Advantage 16.04-ESM as well, specifically across the 4.15.0-189.200~16.04.1 -> 4.15.0-193.204~16.04.1 upgrade. (Just based on changelog text this fix was not in 4.15.0-194.205~16.04.1 but I haven't dug far enough to track more closely.)