Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mips: bmips: BCM6358: make sure CBR is correctly set<br /> <br /> It was discovered that some device have CBR address set to 0 causing<br /> kernel panic when arch_sync_dma_for_cpu_all is called.<br /> <br /> This was notice in situation where the system is booted from TP1 and<br /> BMIPS_GET_CBR() returns 0 instead of a valid address and<br /> !!(read_c0_brcm_cmt_local() &amp; (1

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: add the option to have a tty reject a new ldisc<br /> <br /> ... and use it to limit the virtual terminals to just N_TTY. They are<br /> kind of special, and in particular, the "con_write()" routine violates<br /> the "writes cannot sleep" rule that some ldiscs rely on.<br /> <br /> This avoids the<br /> <br /> BUG: sleeping function called from invalid context at kernel/printk/printk.c:2659<br /> <br /> when N_GSM has been attached to a virtual console, and gsmld_write()<br /> calls con_write() while holding a spinlock, and con_write() then tries<br /> to get the console lock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> serial: imx: Introduce timeout when waiting on transmitter empty<br /> <br /> By waiting at most 1 second for USR2_TXDC to be set, we avoid a potential<br /> deadlock.<br /> <br /> In case of the timeout, there is not much we can do, so we simply ignore<br /> the transmitter state and optimistically try to continue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> MIPS: Octeon: Add PCIe link status check<br /> <br /> The standard PCIe configuration read-write interface is used to<br /> access the configuration space of the peripheral PCIe devices<br /> of the mips processor after the PCIe link surprise down, it can<br /> generate kernel panic caused by "Data bus error". So it is<br /> necessary to add PCIe link status check for system protection.<br /> When the PCIe link is down or in training, assigning a value<br /> of 0 to the configuration address can prevent read-write behavior<br /> to the configuration space of peripheral PCIe devices, thereby<br /> preventing kernel panic.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Avoid hw_desc array overrun in dw-axi-dmac<br /> <br /> I have a use case where nr_buffers = 3 and in which each descriptor is composed by 3<br /> segments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put()<br /> handles the hw_desc considering the descs_allocated, this scenario would result in a<br /> kernel panic (hw_desc array will be overrun).<br /> <br /> To fix this, the proposal is to add a new member to the axi_dma_desc structure,<br /> where we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in<br /> axi_desc_put() to handle the hw_desc array correctly.<br /> <br /> Additionally I propose to remove the axi_chan_start_first_queued() call after completing<br /> the transfer, since it was identified that unbalance can occur (started descriptors can<br /> be interrupted and transfer ignored due to DMA channel not being enabled).

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: remove clear SB_INLINECRYPT flag in default_options<br /> <br /> In f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.<br /> If create new file or open file during this gap, these files<br /> will not use inlinecrypt. Worse case, it may lead to data<br /> corruption if wrappedkey_v0 is enable.<br /> <br /> Thread A: Thread B:<br /> <br /> -f2fs_remount -f2fs_file_open or f2fs_new_inode<br /> -default_options<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: do not create EA inode under buffer lock<br /> <br /> ext4_xattr_set_entry() creates new EA inodes while holding buffer lock<br /> on the external xattr block. This is problematic as it nests all the<br /> allocation locking (which acquires locks on other buffers) under the<br /> buffer lock. This can even deadlock when the filesystem is corrupted and<br /> e.g. quota file is setup to contain xattr block as data block. Move the<br /> allocation of EA inode out of ext4_xattr_set_entry() into the callers.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/pseries: Enforce hcall result buffer validity and size<br /> <br /> plpar_hcall(), plpar_hcall9(), and related functions expect callers to<br /> provide valid result buffers of certain minimum size. Currently this<br /> is communicated only through comments in the code and the compiler has<br /> no idea.<br /> <br /> For example, if I write a bug like this:<br /> <br /> long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE<br /> plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);<br /> <br /> This compiles with no diagnostics emitted, but likely results in stack<br /> corruption at runtime when plpar_hcall9() stores results past the end<br /> of the array. (To be clear this is a contrived example and I have not<br /> found a real instance yet.)<br /> <br /> To make this class of error less likely, we can use explicitly-sized<br /> array parameters instead of pointers in the declarations for the hcall<br /> APIs. When compiled with -Warray-bounds[1], the code above now<br /> provokes a diagnostic like this:<br /> <br /> error: array argument is too small;<br /> is of size 32, callee requires at least 72 [-Werror,-Warray-bounds]<br /> 60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,<br /> | ^ ~~~~~~<br /> <br /> [1] Enabled for LLVM builds but not GCC for now. See commit<br /> 0da6e5fd6c37 ("gcc: disable &amp;#39;-Warray-bounds&amp;#39; for gcc-13 too") and<br /> related changes.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: shmem: fix getting incorrect lruvec when replacing a shmem folio<br /> <br /> When testing shmem swapin, I encountered the warning below on my machine. <br /> The reason is that replacing an old shmem folio with a new one causes<br /> mem_cgroup_migrate() to clear the old folio&amp;#39;s memcg data. As a result,<br /> the old folio cannot get the correct memcg&amp;#39;s lruvec needed to remove<br /> itself from the LRU list when it is being freed. This could lead to<br /> possible serious problems, such as LRU list crashes due to holding the<br /> wrong LRU lock, and incorrect LRU statistics.<br /> <br /> To fix this issue, we can fallback to use the mem_cgroup_replace_folio()<br /> to replace the old shmem folio.<br /> <br /> [ 5241.100311] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5d9960<br /> [ 5241.100317] head: order:4 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0<br /> [ 5241.100319] flags: 0x17fffe0000040068(uptodate|lru|head|swapbacked|node=0|zone=2|lastcpupid=0x3ffff)<br /> [ 5241.100323] raw: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000<br /> [ 5241.100325] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000<br /> [ 5241.100326] head: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000<br /> [ 5241.100327] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000<br /> [ 5241.100328] head: 17fffe0000000204 fffffdffd6665801 ffffffffffffffff 0000000000000000<br /> [ 5241.100329] head: 0000000a00000010 0000000000000000 00000000ffffffff 0000000000000000<br /> [ 5241.100330] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg &amp;&amp; !mem_cgroup_disabled())<br /> [ 5241.100338] ------------[ cut here ]------------<br /> [ 5241.100339] WARNING: CPU: 19 PID: 78402 at include/linux/memcontrol.h:775 folio_lruvec_lock_irqsave+0x140/0x150<br /> [...]<br /> [ 5241.100374] pc : folio_lruvec_lock_irqsave+0x140/0x150<br /> [ 5241.100375] lr : folio_lruvec_lock_irqsave+0x138/0x150<br /> [ 5241.100376] sp : ffff80008b38b930<br /> [...]<br /> [ 5241.100398] Call trace:<br /> [ 5241.100399] folio_lruvec_lock_irqsave+0x140/0x150<br /> [ 5241.100401] __page_cache_release+0x90/0x300<br /> [ 5241.100404] __folio_put+0x50/0x108<br /> [ 5241.100406] shmem_replace_folio+0x1b4/0x240<br /> [ 5241.100409] shmem_swapin_folio+0x314/0x528<br /> [ 5241.100411] shmem_get_folio_gfp+0x3b4/0x930<br /> [ 5241.100412] shmem_fault+0x74/0x160<br /> [ 5241.100414] __do_fault+0x40/0x218<br /> [ 5241.100417] do_shared_fault+0x34/0x1b0<br /> [ 5241.100419] do_fault+0x40/0x168<br /> [ 5241.100420] handle_pte_fault+0x80/0x228<br /> [ 5241.100422] __handle_mm_fault+0x1c4/0x440<br /> [ 5241.100424] handle_mm_fault+0x60/0x1f0<br /> [ 5241.100426] do_page_fault+0x120/0x488<br /> [ 5241.100429] do_translation_fault+0x4c/0x68<br /> [ 5241.100431] do_mem_abort+0x48/0xa0<br /> [ 5241.100434] el0_da+0x38/0xc0<br /> [ 5241.100436] el0t_64_sync_handler+0x68/0xc0<br /> [ 5241.100437] el0t_64_sync+0x14c/0x150<br /> [ 5241.100439] ---[ end trace 0000000000000000 ]---<br /> <br /> [baolin.wang@linux.alibaba.com: remove less helpful comments, per Matthew]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: huge_memory: fix misused mapping_large_folio_support() for anon folios<br /> <br /> When I did a large folios split test, a WARNING "[ 5059.122759][ T166]<br /> Cannot split file folio to non-0 order" was triggered. But the test cases<br /> are only for anonmous folios. while mapping_large_folio_support() is only<br /> reasonable for page cache folios.<br /> <br /> In split_huge_page_to_list_to_order(), the folio passed to<br /> mapping_large_folio_support() maybe anonmous folio. The folio_test_anon()<br /> check is missing. So the split of the anonmous THP is failed. This is<br /> also the same for shmem_mapping(). We&amp;#39;d better add a check for both. But<br /> the shmem_mapping() in __split_huge_page() is not involved, as for<br /> anonmous folios, the end parameter is set to -1, so (head[i].index &gt;= end)<br /> is always false. shmem_mapping() is not called.<br /> <br /> Also add a VM_WARN_ON_ONCE() in mapping_large_folio_support() for anon<br /> mapping, So we can detect the wrong use more easily.<br /> <br /> THP folios maybe exist in the pagecache even the file system doesn&amp;#39;t<br /> support large folio, it is because when CONFIG_TRANSPARENT_HUGEPAGE is<br /> enabled, khugepaged will try to collapse read-only file-backed pages to<br /> THP. But the mapping does not actually support multi order large folios<br /> properly.<br /> <br /> Using /sys/kernel/debug/split_huge_pages to verify this, with this patch,<br /> large anon THP is successfully split and the warning is ceased.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()<br /> <br /> bdev-&gt;bd_super has been removed and commit 8887b94d9322 change the usage<br /> from bdev-&gt;bd_super to b_assoc_map-&gt;host-&gt;i_sb. Since ocfs2 hasn&amp;#39;t set<br /> bh-&gt;b_assoc_map, it will trigger NULL pointer dereference when calling<br /> into ocfs2_abort_trigger().<br /> <br /> Actually this was pointed out in history, see commit 74e364ad1b13. But<br /> I&amp;#39;ve made a mistake when reviewing commit 8887b94d9322 and then<br /> re-introduce this regression.<br /> <br /> Since we cannot revive bdev in buffer head, so fix this issue by<br /> initializing all types of ocfs2 triggers when fill super, and then get the<br /> specific ocfs2 trigger from ocfs2_caching_info when access journal.<br /> <br /> [joseph.qi@linux.alibaba.com: v2]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: fix NULL pointer dereference in ocfs2_journal_dirty()<br /> <br /> bdev-&gt;bd_super has been removed and commit 8887b94d9322 change the usage<br /> from bdev-&gt;bd_super to b_assoc_map-&gt;host-&gt;i_sb. This introduces the<br /> following NULL pointer dereference in ocfs2_journal_dirty() since<br /> b_assoc_map is still not initialized. This can be easily reproduced by<br /> running xfstests generic/186, which simulate no more credits.<br /> <br /> [ 134.351592] BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> ...<br /> [ 134.355341] RIP: 0010:ocfs2_journal_dirty+0x14f/0x160 [ocfs2]<br /> ...<br /> [ 134.365071] Call Trace:<br /> [ 134.365312] <br /> [ 134.365524] ? __die_body+0x1e/0x60<br /> [ 134.365868] ? page_fault_oops+0x13d/0x4f0<br /> [ 134.366265] ? __pfx_bit_wait_io+0x10/0x10<br /> [ 134.366659] ? schedule+0x27/0xb0<br /> [ 134.366981] ? exc_page_fault+0x6a/0x140<br /> [ 134.367356] ? asm_exc_page_fault+0x26/0x30<br /> [ 134.367762] ? ocfs2_journal_dirty+0x14f/0x160 [ocfs2]<br /> [ 134.368305] ? ocfs2_journal_dirty+0x13d/0x160 [ocfs2]<br /> [ 134.368837] ocfs2_create_new_meta_bhs.isra.51+0x139/0x2e0 [ocfs2]<br /> [ 134.369454] ocfs2_grow_tree+0x688/0x8a0 [ocfs2]<br /> [ 134.369927] ocfs2_split_and_insert.isra.67+0x35c/0x4a0 [ocfs2]<br /> [ 134.370521] ocfs2_split_extent+0x314/0x4d0 [ocfs2]<br /> [ 134.371019] ocfs2_change_extent_flag+0x174/0x410 [ocfs2]<br /> [ 134.371566] ocfs2_add_refcount_flag+0x3fa/0x630 [ocfs2]<br /> [ 134.372117] ocfs2_reflink_remap_extent+0x21b/0x4c0 [ocfs2]<br /> [ 134.372994] ? inode_update_timestamps+0x4a/0x120<br /> [ 134.373692] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]<br /> [ 134.374545] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]<br /> [ 134.375393] ocfs2_reflink_remap_blocks+0xe4/0x4e0 [ocfs2]<br /> [ 134.376197] ocfs2_remap_file_range+0x1de/0x390 [ocfs2]<br /> [ 134.376971] ? security_file_permission+0x29/0x50<br /> [ 134.377644] vfs_clone_file_range+0xfe/0x320<br /> [ 134.378268] ioctl_file_clone+0x45/0xa0<br /> [ 134.378853] do_vfs_ioctl+0x457/0x990<br /> [ 134.379422] __x64_sys_ioctl+0x6e/0xd0<br /> [ 134.379987] do_syscall_64+0x5d/0x170<br /> [ 134.380550] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [ 134.381231] RIP: 0033:0x7fa4926397cb<br /> [ 134.381786] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48<br /> [ 134.383930] RSP: 002b:00007ffc2b39f7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br /> [ 134.384854] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa4926397cb<br /> [ 134.385734] RDX: 00007ffc2b39f7f0 RSI: 000000004020940d RDI: 0000000000000003<br /> [ 134.386606] RBP: 0000000000000000 R08: 00111a82a4f015bb R09: 00007fa494221000<br /> [ 134.387476] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> [ 134.388342] R13: 0000000000f10000 R14: 0000558e844e2ac8 R15: 0000000000f10000<br /> [ 134.389207] <br /> <br /> Fix it by only aborting transaction and journal in ocfs2_journal_dirty()<br /> now, and leave ocfs2_abort() later when detecting an aborted handle,<br /> e.g. start next transaction. Also log the handle details in this case.