RHEL7: Kernel panic at start_motor+0x21 when /dev/fd0 is read by multiple threads (CVE-2021-20261)
Issue
- What is CVE-2021-20261?
- Kernel crashes with the following logs:
[ 2623.408125] ------------[ cut here ]------------
[ 2623.408853] WARNING: CPU: 0 PID: 2057 at drivers/block/floppy.c:971 schedule_bh+0x4b/0x50 [floppy]
[ 2623.409570] Modules linked in: ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat iptable_mangle iptable_security iptable_raw nf_conntrack ip_set nfnetlink ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter nfit libnvdimm iosf_mbi crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ppdev ablk_helper parport_pc joydev cryptd sg parport virtio_balloon virtio_rng i2c_piix4 pcspkr ip_tables xfs libcrc32c sr_mod cdrom ata_generic pata_acpi virtio_net net_failover virtio_console virtio_blk failover ata_piix virtio_pci crct10dif_pclmul
[ 2623.419529] crct10dif_common libata serio_raw floppy virtio_ring crc32c_intel virtio dm_mirror dm_region_hash dm_log dm_mod
[ 2623.420296] CPU: 0 PID: 2057 Comm: mount Kdump: loaded Not tainted 3.10.0-1160.el7.x86_64 #1
[ 2623.420931] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 2623.421391] Call Trace:
[ 2623.421638] [<ffffffff88181340>] dump_stack+0x19/0x1b
[ 2623.421995] [<ffffffff87a9b228>] __warn+0xd8/0x100
[ 2623.422403] [<ffffffffc0364f80>] ? setup_rw_floppy+0x320/0x320 [floppy]
[ 2623.422878] [<ffffffff87a9b36d>] warn_slowpath_null+0x1d/0x20
[ 2623.423334] [<ffffffffc03603bb>] schedule_bh+0x4b/0x50 [floppy]
[ 2623.423784] [<ffffffffc03628b6>] wait_til_done+0x26/0x1c0 [floppy]
[ 2623.424214] [<ffffffffc03622c0>] ? lock_fdc.isra.20+0x100/0x130 [floppy]
[ 2623.424753] [<ffffffffc0362ac2>] poll_drive+0x72/0x90 [floppy]
[ 2623.425151] [<ffffffffc0362cc1>] floppy_check_events+0xc1/0xe0 [floppy]
[ 2623.425702] [<ffffffff87d69496>] disk_check_events+0x66/0x190
[ 2623.426150] [<ffffffff87d6aaae>] disk_clear_events+0x7e/0x130
[ 2623.426661] [<ffffffff87c8eaac>] check_disk_change+0x2c/0x70
[ 2623.427293] [<ffffffffc036663b>] floppy_open+0x1eb/0x3d0 [floppy]
[ 2623.427983] [<ffffffff87c8f8c1>] __blkdev_get+0x3d1/0x4e0
[ 2623.428687] [<ffffffff87c8fbad>] blkdev_get+0x1dd/0x360
[ 2623.429077] [<ffffffff87c8fddb>] blkdev_open+0x5b/0x80
[ 2623.429542] [<ffffffff87c4b272>] do_dentry_open+0x1e2/0x2d0
[ 2623.429925] [<ffffffff87d08642>] ? security_inode_permission+0x22/0x30
[ 2623.430423] [<ffffffff87c8fd80>] ? blkdev_get_by_dev+0x50/0x50
[ 2623.430861] [<ffffffff87c4b3fa>] vfs_open+0x5a/0xb0
[ 2623.431251] [<ffffffff87c59b53>] ? may_open+0xa3/0x120
[ 2623.431701] [<ffffffff87c5da36>] do_last+0x1f6/0x1340
[ 2623.432086] [<ffffffffc0541b1c>] ? xfs_filemap_fault+0x2c/0x30 [xfs]
[ 2623.432622] [<ffffffff87bede3a>] ? __do_fault.isra.61+0x8a/0x100
[ 2623.433249] [<ffffffff87c5ec4d>] path_openat+0xcd/0x5a0
[ 2623.433705] [<ffffffff87c60e9d>] do_filp_open+0x4d/0xb0
[ 2623.434073] [<ffffffff87c6f012>] ? __alloc_fd+0xc2/0x170
[ 2623.434665] [<ffffffff87c4c9e4>] do_sys_open+0x124/0x220
[ 2623.435305] [<ffffffff87c4cafe>] SyS_open+0x1e/0x20
[ 2623.435919] [<ffffffff88193f92>] system_call_fastpath+0x25/0x2a
[ 2623.436666] ---[ end trace f525cb24e19e9e82 ]---
[ 2623.437061] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 2623.437726] IP: [<ffffffffc03626e1>] start_motor+0x21/0x120 [floppy]
[ 2623.438192] PGD 0
[ 2623.438384] Oops: 0000 [#1] SMP
[ 2623.438688] Modules linked in: ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat iptable_mangle iptable_security iptable_raw nf_conntrack ip_set nfnetlink ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter nfit libnvdimm iosf_mbi crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ppdev ablk_helper parport_pc joydev cryptd sg parport virtio_balloon virtio_rng i2c_piix4 pcspkr ip_tables xfs libcrc32c sr_mod cdrom ata_generic pata_acpi virtio_net net_failover virtio_console virtio_blk failover ata_piix virtio_pci crct10dif_pclmul
[ 2623.444546] crct10dif_common libata serio_raw floppy virtio_ring crc32c_intel virtio dm_mirror dm_region_hash dm_log dm_mod
[ 2623.445334] CPU: 34 PID: 221 Comm: kworker/u80:1 Kdump: loaded Tainted: G W ------------ 3.10.0-1160.el7.x86_64 #1
[ 2623.446105] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 2623.446565] Workqueue: floppy floppy_ready [floppy]
[ 2623.447121] task: ffff995cd796e300 ti: ffff995a3d788000 task.ti: ffff995a3d788000
[ 2623.447698] RIP: 0010:[<ffffffffc03626e1>] [<ffffffffc03626e1>] start_motor+0x21/0x120 [floppy]
[ 2623.448293] RSP: 0018:ffff995a3d78bde0 EFLAGS: 00010246
[ 2623.448711] RAX: 0000000000000000 RBX: ffffffffc036a180 RCX: 0000000000000000
[ 2623.449164] RDX: 0000000000000000 RSI: 0c00000000000000 RDI: ffffffffc0364f80
[ 2623.449704] RBP: ffff995a3d78bdf8 R08: ffffffffc036a188 R09: 0000ff253a36a180
[ 2623.450146] R10: 0000ff253a36a180 R11: 0000000000000400 R12: ffff995cd7c73c80
[ 2623.450680] R13: ffff995a3fd63800 R14: ffff995cd210ce00 R15: 0000000000000a00
[ 2623.451123] FS: 0000000000000000(0000) GS:ffff995cd7e80000(0000) knlGS:0000000000000000
[ 2623.451725] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2623.452101] CR2: 0000000000000000 CR3: 00000002d6a10000 CR4: 0000000000760fe0
[ 2623.452675] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2623.453141] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2623.453726] PKRU: 00000000
[ 2623.453914] Call Trace:
[ 2623.454078] [<ffffffffc0364fb1>] floppy_ready+0x31/0x750 [floppy]
[ 2623.454589] [<ffffffff87abdc4f>] process_one_work+0x17f/0x440
[ 2623.454969] [<ffffffff87abed66>] worker_thread+0x126/0x3c0
[ 2623.455362] [<ffffffff87abec40>] ? manage_workers.isra.26+0x2a0/0x2a0
[ 2623.455820] [<ffffffff87ac5c21>] kthread+0xd1/0xe0
[ 2623.456138] [<ffffffff87ac5b50>] ? insert_kthread_work+0x40/0x40
[ 2623.456617] [<ffffffff88193ddd>] ret_from_fork_nospec_begin+0x7/0x21
[ 2623.457022] [<ffffffff87ac5b50>] ? insert_kthread_work+0x40/0x40
[ 2623.457488] Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 0f b6 05 e3 9e 00 00 48 8b 15 74 a9 00 00 48 89 e5 41 55 41 54 89 c1 83 e1 03 53 <f6> 02 04 48 89 fb 44 0f b6 e1 ba 10 00 00 00 0f 85 b2 00 00 00
[ 2623.459578] RIP [<ffffffffc03626e1>] start_motor+0x21/0x120 [floppy]
[ 2623.460027] RSP <ffff995a3d78bde0>
[ 2623.460276] CR2: 0000000000000000
Environment
- Red Hat Enterprise Linux 7