Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: rt7*-sdw: harden jack_detect_handler<br /> <br /> Realtek headset codec drivers typically check if the card is<br /> instantiated before proceeding with the jack detection.<br /> <br /> The rt700, rt711 and rt711-sdca are however missing a check on the<br /> card pointer, which can lead to NULL dereferences encountered in<br /> driver bind/unbind tests.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: Intel: sof_sdw: handle errors on card registration<br /> <br /> If the card registration fails, typically because of deferred probes,<br /> the device properties added for headset codecs are not removed, which<br /> leads to kernel oopses in driver bind/unbind tests.<br /> <br /> We already clean-up the device properties when the card is removed,<br /> this code can be moved as a helper and called upon card registration<br /> errors.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pinctrl: aspeed: Fix potential NULL dereference in aspeed_pinmux_set_mux()<br /> <br /> pdesc could be null but still dereference pdesc-&gt;name and it will lead to<br /> a null pointer access. So we move a null check before dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: sfp: fix memory leak in sfp_probe()<br /> <br /> sfp_probe() allocates a memory chunk from sfp with sfp_alloc(). When<br /> devm_add_action() fails, sfp is not freed, which leads to a memory leak.<br /> <br /> We should use devm_add_action_or_reset() instead of devm_add_action().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: tipc: fix possible refcount leak in tipc_sk_create()<br /> <br /> Free sk in case tipc_sk_insert() fails.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cpufreq: pmac32-cpufreq: Fix refcount leak bug<br /> <br /> In pmac_cpufreq_init_MacRISC3(), we need to add corresponding<br /> of_node_put() for the three node pointers whose refcount have<br /> been incremented by of_find_node_by_name().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: avoid skb access on nf_stolen<br /> <br /> When verdict is NF_STOLEN, the skb might have been freed.<br /> <br /> When tracing is enabled, this can result in a use-after-free:<br /> 1. access to skb-&gt;nf_trace<br /> 2. access to skb-&gt;mark<br /> 3. computation of trace id<br /> 4. dump of packet payload<br /> <br /> To avoid 1, keep a cached copy of skb-&gt;nf_trace in the<br /> trace state struct.<br /> Refresh this copy whenever verdict is != STOLEN.<br /> <br /> Avoid 2 by skipping skb-&gt;mark access if verdict is STOLEN.<br /> <br /> 3 is avoided by precomputing the trace id.<br /> <br /> Only dump the packet when verdict is not "STOLEN".

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/xive/spapr: correct bitmap allocation size<br /> <br /> kasan detects access beyond the end of the xibm-&gt;bitmap allocation:<br /> <br /> BUG: KASAN: slab-out-of-bounds in _find_first_zero_bit+0x40/0x140<br /> Read of size 8 at addr c00000001d1d0118 by task swapper/0/1<br /> <br /> CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-rc2-00001-g90df023b36dd #28<br /> Call Trace:<br /> [c00000001d98f770] [c0000000012baab8] dump_stack_lvl+0xac/0x108 (unreliable)<br /> [c00000001d98f7b0] [c00000000068faac] print_report+0x37c/0x710<br /> [c00000001d98f880] [c0000000006902c0] kasan_report+0x110/0x354<br /> [c00000001d98f950] [c000000000692324] __asan_load8+0xa4/0xe0<br /> [c00000001d98f970] [c0000000011c6ed0] _find_first_zero_bit+0x40/0x140<br /> [c00000001d98f9b0] [c0000000000dbfbc] xive_spapr_get_ipi+0xcc/0x260<br /> [c00000001d98fa70] [c0000000000d6d28] xive_setup_cpu_ipi+0x1e8/0x450<br /> [c00000001d98fb30] [c000000004032a20] pSeries_smp_probe+0x5c/0x118<br /> [c00000001d98fb60] [c000000004018b44] smp_prepare_cpus+0x944/0x9ac<br /> [c00000001d98fc90] [c000000004009f9c] kernel_init_freeable+0x2d4/0x640<br /> [c00000001d98fd90] [c0000000000131e8] kernel_init+0x28/0x1d0<br /> [c00000001d98fe10] [c00000000000cd54] ret_from_kernel_thread+0x5c/0x64<br /> <br /> Allocated by task 0:<br /> kasan_save_stack+0x34/0x70<br /> __kasan_kmalloc+0xb4/0xf0<br /> __kmalloc+0x268/0x540<br /> xive_spapr_init+0x4d0/0x77c<br /> pseries_init_irq+0x40/0x27c<br /> init_IRQ+0x44/0x84<br /> start_kernel+0x2a4/0x538<br /> start_here_common+0x1c/0x20<br /> <br /> The buggy address belongs to the object at c00000001d1d0118<br /> which belongs to the cache kmalloc-8 of size 8<br /> The buggy address is located 0 bytes inside of<br /> 8-byte region [c00000001d1d0118, c00000001d1d0120)<br /> <br /> The buggy address belongs to the physical page:<br /> page:c00c000000074740 refcount:1 mapcount:0 mapping:0000000000000000 index:0xc00000001d1d0558 pfn:0x1d1d<br /> flags: 0x7ffff000000200(slab|node=0|zone=0|lastcpupid=0x7ffff)<br /> raw: 007ffff000000200 c00000001d0003c8 c00000001d0003c8 c00000001d010480<br /> raw: c00000001d1d0558 0000000001e1000a 00000001ffffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /> <br /> Memory state around the buggy address:<br /> c00000001d1d0000: fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc<br /> c00000001d1d0080: fc fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc<br /> &gt;c00000001d1d0100: fc fc fc 02 fc fc fc fc fc fc fc fc fc fc fc fc<br /> ^<br /> c00000001d1d0180: fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc fc<br /> c00000001d1d0200: fc fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc<br /> <br /> This happens because the allocation uses the wrong unit (bits) when it<br /> should pass (BITS_TO_LONGS(count) * sizeof(long)) or equivalent. With small<br /> numbers of bits, the allocated object can be smaller than sizeof(long),<br /> which results in invalid accesses.<br /> <br /> Use bitmap_zalloc() to allocate and initialize the irq bitmap, paired with<br /> bitmap_free() for consistency.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: atlantic: remove aq_nic_deinit() when resume<br /> <br /> aq_nic_deinit() has been called while suspending, so we don&amp;#39;t have to call<br /> it again on resume.<br /> Actually, call it again leads to another hang issue when resuming from<br /> S3.<br /> <br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992345] Call Trace:<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992346] <br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992348] aq_nic_deinit+0xb4/0xd0 [atlantic]<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992356] aq_pm_thaw+0x7f/0x100 [atlantic]<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992362] pci_pm_resume+0x5c/0x90<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992366] ? pci_pm_thaw+0x80/0x80<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992368] dpm_run_callback+0x4e/0x120<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992371] device_resume+0xad/0x200<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992373] async_resume+0x1e/0x40<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992374] async_run_entry_fn+0x33/0x120<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992377] process_one_work+0x220/0x3c0<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992380] worker_thread+0x4d/0x3f0<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992382] ? process_one_work+0x3c0/0x3c0<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992384] kthread+0x12a/0x150<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992386] ? set_kthread_struct+0x40/0x40<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992387] ret_from_fork+0x22/0x30<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992391] <br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992392] ---[ end trace 1ec8c79604ed5e0d ]---<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992394] PM: dpm_run_callback(): pci_pm_resume+0x0/0x90 returns -110<br /> Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992397] atlantic 0000:02:00.0: PM: failed to resume async: error -110

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sfc: fix kernel panic when creating VF<br /> <br /> When creating VFs a kernel panic can happen when calling to<br /> efx_ef10_try_update_nic_stats_vf.<br /> <br /> When releasing a DMA coherent buffer, sometimes, I don&amp;#39;t know in what<br /> specific circumstances, it has to unmap memory with vunmap. It is<br /> disallowed to do that in IRQ context or with BH disabled. Otherwise, we<br /> hit this line in vunmap, causing the crash:<br /> BUG_ON(in_interrupt());<br /> <br /> This patch reenables BH to release the buffer.<br /> <br /> Log messages when the bug is hit:<br /> kernel BUG at mm/vmalloc.c:2727!<br /> invalid opcode: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 6 PID: 1462 Comm: NetworkManager Kdump: loaded Tainted: G I --------- --- 5.14.0-119.el9.x86_64 #1<br /> Hardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020<br /> RIP: 0010:vunmap+0x2e/0x30<br /> ...skip...<br /> Call Trace:<br /> __iommu_dma_free+0x96/0x100<br /> efx_nic_free_buffer+0x2b/0x40 [sfc]<br /> efx_ef10_try_update_nic_stats_vf+0x14a/0x1c0 [sfc]<br /> efx_ef10_update_stats_vf+0x18/0x40 [sfc]<br /> efx_start_all+0x15e/0x1d0 [sfc]<br /> efx_net_open+0x5a/0xe0 [sfc]<br /> __dev_open+0xe7/0x1a0<br /> __dev_change_flags+0x1d7/0x240<br /> dev_change_flags+0x21/0x60<br /> ...skip...

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sfc: fix use after free when disabling sriov<br /> <br /> Use after free is detected by kfence when disabling sriov. What was read<br /> after being freed was vf-&gt;pci_dev: it was freed from pci_disable_sriov<br /> and later read in efx_ef10_sriov_free_vf_vports, called from<br /> efx_ef10_sriov_free_vf_vswitching.<br /> <br /> Set the pointer to NULL at release time to not trying to read it later.<br /> <br /> Reproducer and dmesg log (note that kfence doesn&amp;#39;t detect it every time):<br /> $ echo 1 &gt; /sys/class/net/enp65s0f0np0/device/sriov_numvfs<br /> $ echo 0 &gt; /sys/class/net/enp65s0f0np0/device/sriov_numvfs<br /> <br /> BUG: KFENCE: use-after-free read in efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]<br /> <br /> Use-after-free read at 0x00000000ff3c1ba5 (in kfence-#224):<br /> efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]<br /> efx_ef10_pci_sriov_disable+0x38/0x70 [sfc]<br /> efx_pci_sriov_configure+0x24/0x40 [sfc]<br /> sriov_numvfs_store+0xfe/0x140<br /> kernfs_fop_write_iter+0x11c/0x1b0<br /> new_sync_write+0x11f/0x1b0<br /> vfs_write+0x1eb/0x280<br /> ksys_write+0x5f/0xe0<br /> do_syscall_64+0x5c/0x80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> kfence-#224: 0x00000000edb8ef95-0x00000000671f5ce1, size=2792, cache=kmalloc-4k<br /> <br /> allocated by task 6771 on cpu 10 at 3137.860196s:<br /> pci_alloc_dev+0x21/0x60<br /> pci_iov_add_virtfn+0x2a2/0x320<br /> sriov_enable+0x212/0x3e0<br /> efx_ef10_sriov_configure+0x67/0x80 [sfc]<br /> efx_pci_sriov_configure+0x24/0x40 [sfc]<br /> sriov_numvfs_store+0xba/0x140<br /> kernfs_fop_write_iter+0x11c/0x1b0<br /> new_sync_write+0x11f/0x1b0<br /> vfs_write+0x1eb/0x280<br /> ksys_write+0x5f/0xe0<br /> do_syscall_64+0x5c/0x80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> freed by task 6771 on cpu 12 at 3170.991309s:<br /> device_release+0x34/0x90<br /> kobject_cleanup+0x3a/0x130<br /> pci_iov_remove_virtfn+0xd9/0x120<br /> sriov_disable+0x30/0xe0<br /> efx_ef10_pci_sriov_disable+0x57/0x70 [sfc]<br /> efx_pci_sriov_configure+0x24/0x40 [sfc]<br /> sriov_numvfs_store+0xfe/0x140<br /> kernfs_fop_write_iter+0x11c/0x1b0<br /> new_sync_write+0x11f/0x1b0<br /> vfs_write+0x1eb/0x280<br /> ksys_write+0x5f/0xe0<br /> do_syscall_64+0x5c/0x80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> igc: Reinstate IGC_REMOVED logic and implement it properly<br /> <br /> The initially merged version of the igc driver code (via commit<br /> 146740f9abc4, "igc: Add support for PF") contained the following<br /> IGC_REMOVED checks in the igc_rd32/wr32() MMIO accessors:<br /> <br /> u32 igc_rd32(struct igc_hw *hw, u32 reg)<br /> {<br /> u8 __iomem *hw_addr = READ_ONCE(hw-&gt;hw_addr);<br /> u32 value = 0;<br /> <br /> if (IGC_REMOVED(hw_addr))<br /> return ~value;<br /> <br /> value = readl(&amp;hw_addr[reg]);<br /> <br /> /* reads should not return all F&amp;#39;s */<br /> if (!(~value) &amp;&amp; (!reg || !(~readl(hw_addr))))<br /> hw-&gt;hw_addr = NULL;<br /> <br /> return value;<br /> }<br /> <br /> And:<br /> <br /> #define wr32(reg, val) \<br /> do { \<br /> u8 __iomem *hw_addr = READ_ONCE((hw)-&gt;hw_addr); \<br /> if (!IGC_REMOVED(hw_addr)) \<br /> writel((val), &amp;hw_addr[(reg)]); \<br /> } while (0)<br /> <br /> E.g. igb has similar checks in its MMIO accessors, and has a similar<br /> macro E1000_REMOVED, which is implemented as follows:<br /> <br /> #define E1000_REMOVED(h) unlikely(!(h))<br /> <br /> These checks serve to detect and take note of an 0xffffffff MMIO read<br /> return from the device, which can be caused by a PCIe link flap or some<br /> other kind of PCI bus error, and to avoid performing MMIO reads and<br /> writes from that point onwards.<br /> <br /> However, the IGC_REMOVED macro was not originally implemented:<br /> <br /> #ifndef IGC_REMOVED<br /> #define IGC_REMOVED(a) (0)<br /> #endif /* IGC_REMOVED */<br /> <br /> This led to the IGC_REMOVED logic to be removed entirely in a<br /> subsequent commit (commit 3c215fb18e70, "igc: remove IGC_REMOVED<br /> function"), with the rationale that such checks matter only for<br /> virtualization and that igc does not support virtualization -- but a<br /> PCIe device can become detached even without virtualization being in<br /> use, and without proper checks, a PCIe bus error affecting an igc<br /> adapter will lead to various NULL pointer dereferences, as the first<br /> access after the error will set hw-&gt;hw_addr to NULL, and subsequent<br /> accesses will blindly dereference this now-NULL pointer.<br /> <br /> This patch reinstates the IGC_REMOVED checks in igc_rd32/wr32(), and<br /> implements IGC_REMOVED the way it is done for igb, by checking for the<br /> unlikely() case of hw_addr being NULL. This change prevents the oopses<br /> seen when a PCIe link flap occurs on an igc adapter.