Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/papr_scm: Fix leaking nvdimm_events_map elements<br /> <br /> Right now &amp;#39;char *&amp;#39; elements allocated for individual &amp;#39;stat_id&amp;#39; in<br /> &amp;#39;papr_scm_priv.nvdimm_events_map[]&amp;#39; during papr_scm_pmu_check_events(), get<br /> leaked in papr_scm_remove() and papr_scm_pmu_register(),<br /> papr_scm_pmu_check_events() error paths.<br /> <br /> Also individual &amp;#39;stat_id&amp;#39; arent NULL terminated &amp;#39;char *&amp;#39; instead they are fixed<br /> 8-byte sized identifiers. However papr_scm_pmu_register() assumes it to be a<br /> NULL terminated &amp;#39;char *&amp;#39; and at other places it assumes it to be a<br /> &amp;#39;papr_scm_perf_stat.stat_id&amp;#39; sized string which is 8-byes in size.<br /> <br /> Fix this by allocating the memory for papr_scm_priv.nvdimm_events_map to also<br /> include space for &amp;#39;stat_id&amp;#39; entries. This is possible since number of available<br /> events/stat_ids are known upfront. This saves some memory and one extra level of<br /> indirection from &amp;#39;nvdimm_events_map&amp;#39; to &amp;#39;stat_id&amp;#39;. Also rest of the code<br /> can continue to call &amp;#39;kfree(papr_scm_priv.nvdimm_events_map)&amp;#39; without needing to<br /> iterate over the array and free up individual elements.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/xive: Fix refcount leak in xive_spapr_init<br /> <br /> of_find_compatible_node() returns a node pointer with refcount<br /> incremented, we should use of_node_put() on it when done.<br /> Add missing of_node_put() to avoid refcount leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: sparcspkr - fix refcount leak in bbc_beep_probe<br /> <br /> of_find_node_by_path() calls of_find_node_opts_by_path(),<br /> which returns a node pointer with refcount<br /> incremented, we should use of_node_put() on it when done.<br /> Add missing of_node_put() to avoid refcount leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/fsl_rio: Fix refcount leak in fsl_rio_setup<br /> <br /> of_parse_phandle() returns a node pointer with refcount<br /> incremented, we should use of_node_put() on it when not need anymore.<br /> Add missing of_node_put() to avoid refcount leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/rtas: Keep MSR[RI] set when calling RTAS<br /> <br /> RTAS runs in real mode (MSR[DR] and MSR[IR] unset) and in 32-bit big<br /> endian mode (MSR[SF,LE] unset).<br /> <br /> The change in MSR is done in enter_rtas() in a relatively complex way,<br /> since the MSR value could be hardcoded.<br /> <br /> Furthermore, a panic has been reported when hitting the watchdog interrupt<br /> while running in RTAS, this leads to the following stack trace:<br /> <br /> watchdog: CPU 24 Hard LOCKUP<br /> watchdog: CPU 24 TB:997512652051031, last heartbeat TB:997504470175378 (15980ms ago)<br /> ...<br /> Supported: No, Unreleased kernel<br /> CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c<br /> NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000<br /> REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)<br /> MSR: 8000000002981000 CR: 48800002 XER: 20040020<br /> CFAR: 000000000000011c IRQMASK: 1<br /> GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc<br /> GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010<br /> GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000<br /> GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034<br /> GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008<br /> GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f<br /> GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40<br /> GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000<br /> NIP [000000001fb41050] 0x1fb41050<br /> LR [000000001fb4104c] 0x1fb4104c<br /> Call Trace:<br /> Instruction dump:<br /> XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX<br /> XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX<br /> Oops: Unrecoverable System Reset, sig: 6 [#1]<br /> LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries<br /> ...<br /> Supported: No, Unreleased kernel<br /> CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c<br /> NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000<br /> REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)<br /> MSR: 8000000002981000 CR: 48800002 XER: 20040020<br /> CFAR: 000000000000011c IRQMASK: 1<br /> GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc<br /> GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010<br /> GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000<br /> GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034<br /> GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008<br /> GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f<br /> GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40<br /> GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000<br /> NIP [000000001fb41050] 0x1fb41050<br /> LR [000000001fb4104c] 0x1fb4104c<br /> Call Trace:<br /> Instruction dump:<br /> XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX<br /> XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX<br /> ---[ end trace 3ddec07f638c34a2 ]---<br /> <br /> This happens because MSR[RI] is unset when entering RTAS but there is no<br /> valid reason to not set it here.<br /> <br /> RTAS is expected to be called with MSR[RI] as specified in PAPR+ section<br /> "7.2.1 Machine State":<br /> <br /> R1–7.2.1–9. If called with MSR[RI] equal to 1, then RTAS must protect<br /> its own critical regions from recursion by setting the MSR[RI] bit to<br /> 0 when in the critical regions.<br /> <br /> Fixing this by reviewing the way MSR is compute before calling RTAS. Now a<br /> hardcoded value meaning real <br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: fix deadlock caused by calling printk() under tty_port-&gt;lock<br /> <br /> pty_write() invokes kmalloc() which may invoke a normal printk() to print<br /> failure message. This can cause a deadlock in the scenario reported by<br /> syz-bot below:<br /> <br /> CPU0 CPU1 CPU2<br /> ---- ---- ----<br /> lock(console_owner);<br /> lock(&amp;port_lock_key);<br /> lock(&amp;port-&gt;lock);<br /> lock(&amp;port_lock_key);<br /> lock(&amp;port-&gt;lock);<br /> lock(console_owner);<br /> <br /> As commit dbdda842fe96 ("printk: Add console owner and waiter logic to<br /> load balance console writes") said, such deadlock can be prevented by<br /> using printk_deferred() in kmalloc() (which is invoked in the section<br /> guarded by the port-&gt;lock). But there are too many printk() on the<br /> kmalloc() path, and kmalloc() can be called from anywhere, so changing<br /> printk() to printk_deferred() is too complicated and inelegant.<br /> <br /> Therefore, this patch chooses to specify __GFP_NOWARN to kmalloc(), so<br /> that printk() will not be called, and this deadlock problem can be<br /> avoided.<br /> <br /> Syzbot reported the following lockdep error:<br /> <br /> ======================================================<br /> WARNING: possible circular locking dependency detected<br /> 5.4.143-00237-g08ccc19a-dirty #10 Not tainted<br /> ------------------------------------------------------<br /> syz-executor.4/29420 is trying to acquire lock:<br /> ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1752 [inline]<br /> ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: vprintk_emit+0x2ca/0x470 kernel/printk/printk.c:2023<br /> <br /> but task is already holding lock:<br /> ffff8880119c9158 (&amp;port-&gt;lock){-.-.}-{2:2}, at: pty_write+0xf4/0x1f0 drivers/tty/pty.c:120<br /> <br /> which lock already depends on the new lock.<br /> <br /> the existing dependency chain (in reverse order) is:<br /> <br /> -&gt; #2 (&amp;port-&gt;lock){-.-.}-{2:2}:<br /> __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]<br /> _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159<br /> tty_port_tty_get drivers/tty/tty_port.c:288 [inline] lock);<br /> tty_port_default_wakeup+0x1d/0xb0 drivers/tty/tty_port.c:47<br /> serial8250_tx_chars+0x530/0xa80 drivers/tty/serial/8250/8250_port.c:1767<br /> serial8250_handle_irq.part.0+0x31f/0x3d0 drivers/tty/serial/8250/8250_port.c:1854<br /> serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1827 [inline] #1 (&amp;port_lock_key){-.-.}-{2:2}:<br /> __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]<br /> _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159<br /> serial8250_console_write+0x184/0xa40 drivers/tty/serial/8250/8250_port.c:3198<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drivers/base/node.c: fix compaction sysfs file leak<br /> <br /> Compaction sysfs file is created via compaction_register_node in<br /> register_node. But we forgot to remove it in unregister_node. Thus<br /> compaction sysfs file is leaked. Using compaction_unregister_node to fix<br /> this issue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> list: fix a data-race around ep-&gt;rdllist<br /> <br /> ep_poll() first calls ep_events_available() with no lock held and checks<br /> if ep-&gt;rdllist is empty by list_empty_careful(), which reads<br /> rdllist-&gt;prev. Thus all accesses to it need some protection to avoid<br /> store/load-tearing.<br /> <br /> Note INIT_LIST_HEAD_RCU() already has the annotation for both prev<br /> and next.<br /> <br /> Commit bf3b9f6372c4 ("epoll: Add busy poll support to epoll with socket<br /> fds.") added the first lockless ep_events_available(), and commit<br /> c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epoll_wait()")<br /> made some ep_events_available() calls lockless and added single call under<br /> a lock, finally commit e59d3c64cba6 ("epoll: eliminate unnecessary lock<br /> for zero timeout") made the last ep_events_available() lockless.<br /> <br /> BUG: KCSAN: data-race in do_epoll_wait / do_epoll_wait<br /> <br /> write to 0xffff88810480c7d8 of 8 bytes by task 1802 on cpu 0:<br /> INIT_LIST_HEAD include/linux/list.h:38 [inline]<br /> list_splice_init include/linux/list.h:492 [inline]<br /> ep_start_scan fs/eventpoll.c:622 [inline]<br /> ep_send_events fs/eventpoll.c:1656 [inline]<br /> ep_poll fs/eventpoll.c:1806 [inline]<br /> do_epoll_wait+0x4eb/0xf40 fs/eventpoll.c:2234<br /> do_epoll_pwait fs/eventpoll.c:2268 [inline]<br /> __do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]<br /> __se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275<br /> __x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> read to 0xffff88810480c7d8 of 8 bytes by task 1799 on cpu 1:<br /> list_empty_careful include/linux/list.h:329 [inline]<br /> ep_events_available fs/eventpoll.c:381 [inline]<br /> ep_poll fs/eventpoll.c:1797 [inline]<br /> do_epoll_wait+0x279/0xf40 fs/eventpoll.c:2234<br /> do_epoll_pwait fs/eventpoll.c:2268 [inline]<br /> __do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]<br /> __se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275<br /> __x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> value changed: 0xffff88810480c7d0 -&gt; 0xffff888103c15098<br /> <br /> Reported by Kernel Concurrency Sanitizer on:<br /> CPU: 1 PID: 1799 Comm: syz-fuzzer Tainted: G W 5.17.0-rc7-syzkaller-dirty #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> module: fix [e_shstrndx].sh_size=0 OOB access<br /> <br /> It is trivial to craft a module to trigger OOB access in this line:<br /> <br /> if (info-&gt;secstrings[strhdr-&gt;sh_size - 1] != &amp;#39;\0&amp;#39;) {<br /> <br /> BUG: unable to handle page fault for address: ffffc90000aa0fff<br /> PGD 100000067 P4D 100000067 PUD 100066067 PMD 10436f067 PTE 0<br /> Oops: 0000 [#1] PREEMPT SMP PTI<br /> CPU: 7 PID: 1215 Comm: insmod Not tainted 5.18.0-rc5-00007-g9bf578647087-dirty #10<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014<br /> RIP: 0010:load_module+0x19b/0x2391<br /> <br /> [rebased patch onto modules-next]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pinctrl: renesas: core: Fix possible null-ptr-deref in sh_pfc_map_resources()<br /> <br /> It will cause null-ptr-deref when using &amp;#39;res&amp;#39;, if platform_get_resource()<br /> returns NULL, so move using &amp;#39;res&amp;#39; after devm_ioremap_resource() that<br /> will check it to avoid null-ptr-deref.<br /> And use devm_platform_get_and_ioremap_resource() to simplify code.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/arm-smmu-v3-sva: Fix mm use-after-free<br /> <br /> We currently call arm64_mm_context_put() without holding a reference to<br /> the mm, which can result in use-after-free. Call mmgrab()/mmdrop() to<br /> ensure the mm only gets freed after we unpinned the ASID.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/mediatek: Remove clk_disable in mtk_iommu_remove<br /> <br /> After the commit b34ea31fe013 ("iommu/mediatek: Always enable the clk on<br /> resume"), the iommu clock is controlled by the runtime callback.<br /> thus remove the clk control in the mtk_iommu_remove.<br /> <br /> Otherwise, it will warning like:<br /> <br /> echo 14018000.iommu &gt; /sys/bus/platform/drivers/mtk-iommu/unbind<br /> <br /> [ 51.413044] ------------[ cut here ]------------<br /> [ 51.413648] vpp0_smi_iommu already disabled<br /> [ 51.414233] WARNING: CPU: 2 PID: 157 at */v5.15-rc1/kernel/mediatek/<br /> drivers/clk/clk.c:952 clk_core_disable+0xb0/0xb8<br /> [ 51.417174] Hardware name: MT8195V/C(ENG) (DT)<br /> [ 51.418635] pc : clk_core_disable+0xb0/0xb8<br /> [ 51.419177] lr : clk_core_disable+0xb0/0xb8<br /> ...<br /> [ 51.429375] Call trace:<br /> [ 51.429694] clk_core_disable+0xb0/0xb8<br /> [ 51.430193] clk_core_disable_lock+0x24/0x40<br /> [ 51.430745] clk_disable+0x20/0x30<br /> [ 51.431189] mtk_iommu_remove+0x58/0x118<br /> [ 51.431705] platform_remove+0x28/0x60<br /> [ 51.432197] device_release_driver_internal+0x110/0x1f0<br /> [ 51.432873] device_driver_detach+0x18/0x28<br /> [ 51.433418] unbind_store+0xd4/0x108<br /> [ 51.433886] drv_attr_store+0x24/0x38<br /> [ 51.434363] sysfs_kf_write+0x40/0x58<br /> [ 51.434843] kernfs_fop_write_iter+0x164/0x1e0