Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf/core: Fix data race between perf_event_set_output() and perf_mmap_close()<br /> <br /> Yang Jihing reported a race between perf_event_set_output() and<br /> perf_mmap_close():<br /> <br /> CPU1 CPU2<br /> <br /> perf_mmap_close(e2)<br /> if (atomic_dec_and_test(&amp;e2-&gt;rb-&gt;mmap_count)) // 1 - &gt; 0<br /> detach_rest = true<br /> <br /> ioctl(e1, IOC_SET_OUTPUT, e2)<br /> perf_event_set_output(e1, e2)<br /> <br /> ...<br /> list_for_each_entry_rcu(e, &amp;e2-&gt;rb-&gt;event_list, rb_entry)<br /> ring_buffer_attach(e, NULL);<br /> // e1 isn&amp;#39;t yet added and<br /> // therefore not detached<br /> <br /> ring_buffer_attach(e1, e2-&gt;rb)<br /> list_add_rcu(&amp;e1-&gt;rb_entry,<br /> &amp;e2-&gt;rb-&gt;event_list)<br /> <br /> After this; e1 is attached to an unmapped rb and a subsequent<br /> perf_mmap() will loop forever more:<br /> <br /> again:<br /> mutex_lock(&amp;e-&gt;mmap_mutex);<br /> if (event-&gt;rb) {<br /> ...<br /> if (!atomic_inc_not_zero(&amp;e-&gt;rb-&gt;mmap_count)) {<br /> ...<br /> mutex_unlock(&amp;e-&gt;mmap_mutex);<br /> goto again;<br /> }<br /> }<br /> <br /> The loop in perf_mmap_close() holds e2-&gt;mmap_mutex, while the attach<br /> in perf_event_set_output() holds e1-&gt;mmap_mutex. As such there is no<br /> serialization to avoid this race.<br /> <br /> Change perf_event_set_output() to take both e1-&gt;mmap_mutex and<br /> e2-&gt;mmap_mutex to alleviate that problem. Additionally, have the loop<br /> in perf_mmap() detach the rb directly, this avoids having to wait for<br /> the concurrent perf_mmap_close() to get around to doing it to make<br /> progress.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> igc: Reinstate IGC_REMOVED logic and implement it properly<br /> <br /> The initially merged version of the igc driver code (via commit<br /> 146740f9abc4, "igc: Add support for PF") contained the following<br /> IGC_REMOVED checks in the igc_rd32/wr32() MMIO accessors:<br /> <br /> u32 igc_rd32(struct igc_hw *hw, u32 reg)<br /> {<br /> u8 __iomem *hw_addr = READ_ONCE(hw-&gt;hw_addr);<br /> u32 value = 0;<br /> <br /> if (IGC_REMOVED(hw_addr))<br /> return ~value;<br /> <br /> value = readl(&amp;hw_addr[reg]);<br /> <br /> /* reads should not return all F&amp;#39;s */<br /> if (!(~value) &amp;&amp; (!reg || !(~readl(hw_addr))))<br /> hw-&gt;hw_addr = NULL;<br /> <br /> return value;<br /> }<br /> <br /> And:<br /> <br /> #define wr32(reg, val) \<br /> do { \<br /> u8 __iomem *hw_addr = READ_ONCE((hw)-&gt;hw_addr); \<br /> if (!IGC_REMOVED(hw_addr)) \<br /> writel((val), &amp;hw_addr[(reg)]); \<br /> } while (0)<br /> <br /> E.g. igb has similar checks in its MMIO accessors, and has a similar<br /> macro E1000_REMOVED, which is implemented as follows:<br /> <br /> #define E1000_REMOVED(h) unlikely(!(h))<br /> <br /> These checks serve to detect and take note of an 0xffffffff MMIO read<br /> return from the device, which can be caused by a PCIe link flap or some<br /> other kind of PCI bus error, and to avoid performing MMIO reads and<br /> writes from that point onwards.<br /> <br /> However, the IGC_REMOVED macro was not originally implemented:<br /> <br /> #ifndef IGC_REMOVED<br /> #define IGC_REMOVED(a) (0)<br /> #endif /* IGC_REMOVED */<br /> <br /> This led to the IGC_REMOVED logic to be removed entirely in a<br /> subsequent commit (commit 3c215fb18e70, "igc: remove IGC_REMOVED<br /> function"), with the rationale that such checks matter only for<br /> virtualization and that igc does not support virtualization -- but a<br /> PCIe device can become detached even without virtualization being in<br /> use, and without proper checks, a PCIe bus error affecting an igc<br /> adapter will lead to various NULL pointer dereferences, as the first<br /> access after the error will set hw-&gt;hw_addr to NULL, and subsequent<br /> accesses will blindly dereference this now-NULL pointer.<br /> <br /> This patch reinstates the IGC_REMOVED checks in igc_rd32/wr32(), and<br /> implements IGC_REMOVED the way it is done for igb, by checking for the<br /> unlikely() case of hw_addr being NULL. This change prevents the oopses<br /> seen when a PCIe link flap occurs on an igc adapter.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/irdma: Fix sleep from invalid context BUG<br /> <br /> Taking the qos_mutex to process RoCEv2 QP&amp;#39;s on netdev events causes a<br /> kernel splat.<br /> <br /> Fix this by removing the handling for RoCEv2 in<br /> irdma_cm_teardown_connections that uses the mutex. This handling is only<br /> needed for iWARP to avoid having connections established while the link is<br /> down or having connections remain functional after the IP address is<br /> removed.<br /> <br /> BUG: sleeping function called from invalid context at kernel/locking/mutex.<br /> Call Trace:<br /> kernel: dump_stack+0x66/0x90<br /> kernel: ___might_sleep.cold.92+0x8d/0x9a<br /> kernel: mutex_lock+0x1c/0x40<br /> kernel: irdma_cm_teardown_connections+0x28e/0x4d0 [irdma]<br /> kernel: ? check_preempt_curr+0x7a/0x90<br /> kernel: ? select_idle_sibling+0x22/0x3c0<br /> kernel: ? select_task_rq_fair+0x94c/0xc90<br /> kernel: ? irdma_exec_cqp_cmd+0xc27/0x17c0 [irdma]<br /> kernel: ? __wake_up_common+0x7a/0x190<br /> kernel: irdma_if_notify+0x3cc/0x450 [irdma]<br /> kernel: ? sched_clock_cpu+0xc/0xb0<br /> kernel: irdma_inet6addr_event+0xc6/0x150 [irdma]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: VMX: Prevent RSB underflow before vmenter<br /> <br /> On VMX, there are some balanced returns between the time the guest&amp;#39;s<br /> SPEC_CTRL value is written, and the vmenter.<br /> <br /> Balanced returns (matched by a preceding call) are usually ok, but it&amp;#39;s<br /> at least theoretically possible an NMI with a deep call stack could<br /> empty the RSB before one of the returns.<br /> <br /> For maximum paranoia, don&amp;#39;t allow *any* returns (balanced or otherwise)<br /> between the SPEC_CTRL write and the vmenter.<br /> <br /> [ bp: Fix 32-bit build. ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/speculation: Fill RSB on vmexit for IBRS<br /> <br /> Prevent RSB underflow/poisoning attacks with RSB. While at it, add a<br /> bunch of comments to attempt to document the current state of tribal<br /> knowledge about RSB attacks and what exactly is being mitigated.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> power: supply: core: Fix boundary conditions in interpolation<br /> <br /> The functions power_supply_temp2resist_simple and power_supply_ocv2cap_simple<br /> handle boundary conditions incorrectly.<br /> The change was introduced in a4585ba2050f460f749bbaf2b67bd56c41e30283<br /> ("power: supply: core: Use library interpolation").<br /> There are two issues: First, the lines "high = i - 1" and "high = i" in ocv2cap<br /> have the wrong order compared to temp2resist. As a consequence, ocv2cap<br /> sets high=-1 if ocv&gt;table[0].ocv, which causes an out-of-bounds read.<br /> Second, the logic of temp2resist is also not correct.<br /> Consider the case table[] = {{20, 100}, {10, 80}, {0, 60}}.<br /> For temp=5, we expect a resistance of 70% by interpolation.<br /> However, temp2resist sets high=low=2 and returns 60.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> serial: 8250: Fix PM usage_count for console handover<br /> <br /> When console is enabled, univ8250_console_setup() calls<br /> serial8250_console_setup() before .dev is set to uart_port. Therefore,<br /> it will not call pm_runtime_get_sync(). Later, when the actual driver<br /> is going to take over univ8250_console_exit() is called. As .dev is<br /> already set, serial8250_console_exit() makes pm_runtime_put_sync() call<br /> with usage count being zero triggering PM usage count warning<br /> (extra debug for univ8250_console_setup(), univ8250_console_exit(), and<br /> serial8250_register_ports()):<br /> <br /> [ 0.068987] univ8250_console_setup ttyS0 nodev<br /> [ 0.499670] printk: console [ttyS0] enabled<br /> [ 0.717955] printk: console [ttyS0] printing thread started<br /> [ 1.960163] serial8250_register_ports assigned dev for ttyS0<br /> [ 1.976830] printk: console [ttyS0] disabled<br /> [ 1.976888] printk: console [ttyS0] printing thread stopped<br /> [ 1.977073] univ8250_console_exit ttyS0 usage:0<br /> [ 1.977075] serial8250 serial8250: Runtime PM usage count underflow!<br /> [ 1.977429] dw-apb-uart.6: ttyS0 at MMIO 0x4010006000 (irq = 33, base_baud = 115200) is a 16550A<br /> [ 1.977812] univ8250_console_setup ttyS0 usage:2<br /> [ 1.978167] printk: console [ttyS0] printing thread started<br /> [ 1.978203] printk: console [ttyS0] enabled<br /> <br /> To fix the issue, call pm_runtime_get_sync() in<br /> serial8250_register_ports() as soon as .dev is set for an uart_port<br /> if it has console enabled.<br /> <br /> This problem became apparent only recently because 82586a721595 ("PM:<br /> runtime: Avoid device usage count underflows") added the warning<br /> printout. I confirmed this problem also occurs with v5.18 (w/o the<br /> warning printout, obviously).

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp: Fix a data-race around sysctl_tcp_probe_threshold.<br /> <br /> While reading sysctl_tcp_probe_threshold, it can be changed concurrently.<br /> Thus, we need to add READ_ONCE() to its reader.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp: Fix data-races around sysctl_tcp_min_snd_mss.<br /> <br /> While reading sysctl_tcp_min_snd_mss, it can be changed concurrently.<br /> Thus, we need to add READ_ONCE() to its readers.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp: Fix data-races around sysctl_tcp_mtu_probing.<br /> <br /> While reading sysctl_tcp_mtu_probing, it can be changed concurrently.<br /> Thus, we need to add READ_ONCE() to its readers.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp: Fix data-races around sysctl_tcp_base_mss.<br /> <br /> While reading sysctl_tcp_base_mss, it can be changed concurrently.<br /> Thus, we need to add READ_ONCE() to its readers.