Package linux-image-4.9.0 needs to be updated in stretch to upstream >=4.9.276 to fix memory corruption bug in wireless stack

Wed, 20 Oct 2021 07:33:15 -0700 

Package linux-image-4.9.0-16 in stretch is based on upstream 4.9.272
which has a bug introduced in 4.9.270 and fixed only in 4.9.276. Bug
resides on the RX path of the wireless stack and leads to memory
corruption when wireless stack is active (both STA and AP modes seem to
be affected). Memory corruption leads to either full system lockup or
kernel bugs (see example below). We probably need to update the package
to upstream >=4.9.276 to fix the issue.

Commit which introduced the bug:
5551cb1c68d4 mac80211: do not accept/forward invalid EAPOL frames
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=5551cb1c68d4ecdabf8b9ea33410f68532b895cc

Commit which fixed the bug:
54ec4c414cf6 mac80211: fix memory corruption in EAPOL handling
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=54ec4c414cf6cc8ba3eb6bee7452c37da6c00437

BUG: Bad page map in process make  pte:5400000000000000 pmd:1532e5067
addr:00007fc692c0f000 vm_flags:08000070 anon_vma:          (null) 
mapping:ffff8d6dd0ef3920 index:1b1
file:libdl-2.24.so fault:ext4_filemap_fault [ext4] mmap:ext4_file_mmap [ext4] 
readpage:ext4_readpage [ext4]
CPU: 0 PID: 8342 Comm: make Not tainted 4.9.0-16-amd64 #1 Debian 4.9.272-2
Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77 Extreme4-M, 
BIOS P1.00 03/02/2012
 0000000000000000 ffffffffad013377 00007fc692c0f000 ffff8d6dd4798640
 ffffffffacbb7c31 00007fc692c60000 0000000000000000 000000000000000a
 00007fc692c0f000 ffff8d6d132e5078 5400000000000000 ffffa256481ffdd8
Call Trace:
 [<ffffffffad013377>] ? dump_stack+0x66/0x81
 [<ffffffffacbb7c31>] ? print_bad_pte+0x1d1/0x2a0
 [<ffffffffacbba434>] ? unmap_page_range+0x5d4/0x9d0
 [<ffffffffacbbabfc>] ? unmap_vmas+0x4c/0xa0
 [<ffffffffacbc3b9f>] ? exit_mmap+0x8f/0x140
 [<ffffffffaca77604>] ? mmput+0x54/0x100
 [<ffffffffaca7f1be>] ? do_exit+0x27e/0xb60
 [<ffffffffaca7fb1a>] ? do_group_exit+0x3a/0xa0
 [<ffffffffaca7fb90>] ? SyS_exit_group+0x10/0x10
 [<ffffffffaca03b7d>] ? do_syscall_64+0x8d/0x100
 [<ffffffffad02238e>] ? entry_SYSCALL_64_after_swapgs+0x58/0xc6

Reply via email to