CVE-2021-46961
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/02/2024
Last modified: 22/04/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

irqchip/gic-v3: Do not enable irqs when handling spurious interrups

We triggered the following error while running our 4.19 kernel
with the pseudo-NMI patches backported to it:

[ 14.816231] ------------[ cut here ]------------
[ 14.816231] kernel BUG at irq.c:99!
[ 14.816232] Internal error: Oops - BUG: 0 [#1] SMP
[ 14.816232] Process swapper/0 (pid: 0, stack limit = 0x(____ptrval____))
[ 14.816233] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 4.19.95.aarch64 #14
[ 14.816233] Hardware name: evb (DT)
[ 14.816234] pstate: 80400085 (Nzcv daIf +PAN -UAO)
[ 14.816234] pc : asm_nmi_enter+0x94/0x98
[ 14.816235] lr : asm_nmi_enter+0x18/0x98
[ 14.816235] sp : ffff000008003c50
[ 14.816235] pmr_save: 00000070
[ 14.816237] x29: ffff000008003c50 x28: ffff0000095f56c0
[ 14.816238] x27: 0000000000000000 x26: ffff000008004000
[ 14.816239] x25: 00000000015e0000 x24: ffff8008fb916000
[ 14.816240] x23: 0000000020400005 x22: ffff0000080817cc
[ 14.816241] x21: ffff000008003da0 x20: 0000000000000060
[ 14.816242] x19: 00000000000003ff x18: ffffffffffffffff
[ 14.816243] x17: 0000000000000008 x16: 003d090000000000
[ 14.816244] x15: ffff0000095ea6c8 x14: ffff8008fff5ab40
[ 14.816244] x13: ffff8008fff58b9d x12: 0000000000000000
[ 14.816245] x11: ffff000008c8a200 x10: 000000008e31fca5
[ 14.816246] x9 : ffff000008c8a208 x8 : 000000000000000f
[ 14.816247] x7 : 0000000000000004 x6 : ffff8008fff58b9e
[ 14.816248] x5 : 0000000000000000 x4 : 0000000080000000
[ 14.816249] x3 : 0000000000000000 x2 : 0000000080000000
[ 14.816250] x1 : 0000000000120000 x0 : ffff0000095f56c0
[ 14.816251] Call trace:
[ 14.816251] asm_nmi_enter+0x94/0x98
[ 14.816251] el1_irq+0x8c/0x180 (IRQ C)
[ 14.816252] gic_handle_irq+0xbc/0x2e4
[ 14.816252] el1_irq+0xcc/0x180 (IRQ B)
[ 14.816253] arch_timer_handler_virt+0x38/0x58
[ 14.816253] handle_percpu_devid_irq+0x90/0x240
[ 14.816253] generic_handle_irq+0x34/0x50
[ 14.816254] __handle_domain_irq+0x68/0xc0
[ 14.816254] gic_handle_irq+0xf8/0x2e4
[ 14.816255] el1_irq+0xcc/0x180 (IRQ A)
[ 14.816255] arch_cpu_idle+0x34/0x1c8
[ 14.816255] default_idle_call+0x24/0x44
[ 14.816256] do_idle+0x1d0/0x2c8
[ 14.816256] cpu_startup_entry+0x28/0x30
[ 14.816256] rest_init+0xb8/0xc8
[ 14.816257] start_kernel+0x4c8/0x4f4
[ 14.816257] Code: 940587f1 d5384100 b9401001 36a7fd01 (d4210000)
[ 14.816258] Modules linked in: start_dp(O) smeth(O)
[ 15.103092] ---[ end trace 701753956cb14aa8 ]---
[ 15.103093] Kernel panic - not syncing: Fatal exception in interrupt
[ 15.103099] SMP: stopping secondary CPUs
[ 15.103100] Kernel Offset: disabled
[ 15.103100] CPU features: 0x36,a2400218
[ 15.103100] Memory Limit: none

which is caused by a 'BUG_ON(in_nmi())' in nmi_enter().

From the call trace, we can find three interrupts (noted A, B, C above):
interrupt (A) is preempted by (B), which is further interrupted by (C).

Subsequent investigations show that (B) results in nmi_enter() being
called, but that it actually is a spurious interrupt. Furthermore,
interrupts are reenabled in the context of (B), and (C) fires with
NMI priority. We end up with a nested NMI situation, something
we definitely do not want to (and cannot) handle.

The bug here is that spurious interrupts should never result in any
state change, and we should just return to the interrupted context.
Moving the handling of spurious interrupts as early as possible in
the GICv3 handler fixes this issue.

[maz: rewrote commit message, corrected Fixes: tag]
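
The A/B/C nesting that the description reads off the call trace can be recovered mechanically when triaging a similar oops. The following Python is an added example, not part of the kernel commit or of this advisory; the helper names (`frames`, `irq_nesting`, `reentered_irqchip`) are hypothetical, and the trace lines are copied from the oops above. It splits the trace at each `el1_irq` entry and reports whether an interrupt was taken while `gic_handle_irq` itself was running, which is what the description means by interrupts being re-enabled in the context of (B).

```python
import re

# Added example: helper names are illustrative; trace copied from the oops above.
OOPS_TRACE = """\
[ 14.816251] asm_nmi_enter+0x94/0x98
[ 14.816251] el1_irq+0x8c/0x180 (IRQ C)
[ 14.816252] gic_handle_irq+0xbc/0x2e4
[ 14.816252] el1_irq+0xcc/0x180 (IRQ B)
[ 14.816253] arch_timer_handler_virt+0x38/0x58
[ 14.816253] handle_percpu_devid_irq+0x90/0x240
[ 14.816253] generic_handle_irq+0x34/0x50
[ 14.816254] __handle_domain_irq+0x68/0xc0
[ 14.816254] gic_handle_irq+0xf8/0x2e4
[ 14.816255] el1_irq+0xcc/0x180 (IRQ A)
[ 14.816255] arch_cpu_idle+0x34/0x1c8
[ 14.816255] default_idle_call+0x24/0x44
[ 14.816256] do_idle+0x1d0/0x2c8
[ 14.816256] cpu_startup_entry+0x28/0x30
[ 14.816256] rest_init+0xb8/0xc8
[ 14.816257] start_kernel+0x4c8/0x4f4
"""
FRAME = re.compile(r"^\[\s*\d+\.\d+\]\s+(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def frames(log):
    """Symbol names of the stack frames in a dmesg excerpt, innermost first."""
    return [m.group(1) for m in map(FRAME.match, log.splitlines()) if m]

def irq_nesting(log, entry="el1_irq"):
    """Split a trace into nested interrupts, outermost first.

    Returns (interrupted_function, handler_frames) per exception entry.
    """
    nested = []
    syms = frames(log)[::-1]  # walk from the outermost frame inwards
    for i, sym in enumerate(syms):
        if sym == entry:
            nested.append((syms[i - 1] if i else None, []))
        elif nested:
            nested[-1][1].append(sym)
    return nested

def reentered_irqchip(log, handler="gic_handle_irq"):
    """True if an interrupt was taken while the irqchip handler was running."""
    return any(fn == handler for fn, _ in irq_nesting(log))

if __name__ == "__main__":
    for label, (fn, handled) in zip("ABC", irq_nesting(OOPS_TRACE)):
        print(f"IRQ {label}: interrupted {fn}, ran {' -> '.join(handled)}")
    print("interrupt taken inside gic_handle_irq:", reentered_irqchip(OOPS_TRACE))
```

The symbol names matched here are the ones in this report's 4.19 backport; a trace from another kernel may use different entry-point names, which can be passed through the `entry` and `handler` parameters.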
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.1 (including) | 5.4.118 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.36 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.11.20 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.12 (including) | 5.12.3 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/3f72d3709f53af72835af7dc8b15ba61611a0e36
- https://git.kernel.org/stable/c/7be4db5c2b59fa77071c93ca4329876fb9777202
- https://git.kernel.org/stable/c/a97709f563a078e259bf0861cd259aa60332890a
- https://git.kernel.org/stable/c/e7ea8e46e3b777be26aa855fe07778c415f24926
- https://git.kernel.org/stable/c/ea817ac1014c04f47885532b55f5d0898deadfba



