Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we provide a database, in Spanish, of all the latest documented and recognised vulnerabilities for users interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) which, under a partnership agreement, INCIBE translates into Spanish.

This list will occasionally show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with criteria such as vulnerability type, manufacturer and impact level, among others, to narrow down the results.

You can be informed daily about the latest vulnerabilities added to the repository through RSS feeds or newsletters. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-48765

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

KVM: LAPIC: Also cancel preemption timer during SET_LAPIC

The below warning is splatting during guest reboot.

------------[ cut here ]------------
WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]
CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5
RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]
Call Trace:
kvm_vcpu_ioctl+0x279/0x710 [kvm]
__x64_sys_ioctl+0x83/0xb0
do_syscall_64+0x3b/0xc0
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fd39797350b

This can be triggered by not exposing tsc-deadline mode and doing a reboot in
the guest. The lapic_shutdown() function which is called in sys_reboot path
will not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears
APIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode
switch between tsc-deadline and oneshot/periodic, which can result in preemption
timer be cancelled in apic_update_lvtt(). However, We can't depend on this when
not exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption
timer. Qemu will synchronise states around reset, let's cancel preemption timer
under KVM_SET_LAPIC.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2022-48766

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Wrap dcn301_calculate_wm_and_dlg for FPU.

Mirrors the logic for dcn30. Cue lots of WARNs and some
kernel panics without this fix.
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2025

CVE-2022-48767

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

ceph: properly put ceph_string reference after async create attempt

The reference acquired by try_prep_async_create is currently leaked.
Ensure we put it.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2022-48768

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

tracing/histogram: Fix a potential memory leak for kstrdup()

kfree() is missing on an error path to free the memory allocated by
kstrdup():

p = param = kstrdup(data->params[i], GFP_KERNEL);

So it is better to free it via kfree(p).
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2022-48769

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

efi: runtime: avoid EFIv2 runtime services on Apple x86 machines

Aditya reports [0] that his recent MacbookPro crashes in the firmware
when using the variable services at runtime. The culprit appears to be a
call to QueryVariableInfo(), which we did not use to call on Apple x86
machines in the past as they only upgraded from EFI v1.10 to EFI v2.40
firmware fairly recently, and QueryVariableInfo() (along with
UpdateCapsule() et al) was added in EFI v2.00.

The only runtime service introduced in EFI v2.00 that we actually use in
Linux is QueryVariableInfo(), as the capsule based ones are optional,
generally not used at runtime (all the LVFS/fwupd firmware update
infrastructure uses helper EFI programs that invoke capsule update at
boot time, not runtime), and not implemented by Apple machines in the
first place. QueryVariableInfo() is used to 'safely' set variables,
i.e., only when there is enough space. This prevents machines with buggy
firmwares from corrupting their NVRAMs when they run out of space.

Given that Apple machines have been using EFI v1.10 services only for
the longest time (the EFI v2.0 spec was released in 2006, and Linux
support for the newly introduced runtime services was added in 2011, but
the MacbookPro12,1 released in 2015 still claims to be EFI v1.10 only),
let's avoid the EFI v2.0 ones on all Apple x86 machines.

[0] https://lore.kernel.org/all/6D757C75-65B1-468B-842D-10410081A8E4@live.com/
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2022-48770

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

bpf: Guard against accessing NULL pt_regs in bpf_get_task_stack()

task_pt_regs() can return NULL on powerpc for kernel threads. This is
then used in __bpf_get_stack() to check for user mode, resulting in a
kernel oops. Guard against this by checking return value of
task_pt_regs() before trying to obtain the call chain.
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2025

CVE-2022-48748

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

net: bridge: vlan: fix memory leak in __allowed_ingress

When using per-vlan state, if vlan snooping and stats are disabled,
untagged or priority-tagged ingress frame will go to check pvid state.
If the port state is forwarding and the pvid state is not
learning/forwarding, untagged or priority-tagged frame will be dropped
but skb memory is not freed.
Should free skb when __allowed_ingress returns false.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2025

CVE-2022-48749

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc

The function performs a check on the "ctx" input parameter, however, it
is used before the check.

Initialize the "base" variable after the sanity check to avoid a
possible NULL pointer dereference.

Addresses-Coverity-ID: 1493866 ("Null pointer dereference")
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2022-48750

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (nct6775) Fix crash in clear_caseopen

Paweł Marciniak reports the following crash, observed when clearing
the chassis intrusion alarm.

BUG: kernel NULL pointer dereference, address: 0000000000000028
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 3 PID: 4815 Comm: bash Tainted: G S 5.16.2-200.fc35.x86_64 #1
Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P2.60A 05/03/2018
RIP: 0010:clear_caseopen+0x5a/0x120 [nct6775]
Code: 68 70 e8 e9 32 b1 e3 85 c0 0f 85 d2 00 00 00 48 83 7c 24 ...
RSP: 0018:ffffabcb02803dd8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: ffff8e8808192880 RSI: 0000000000000000 RDI: ffff8e87c7509a68
RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000000a
R10: 000000000000000a R11: f000000000000000 R12: 000000000000001f
R13: ffff8e87c7509828 R14: ffff8e87c7509a68 R15: ffff8e88494527a0
FS: 00007f4db9151740(0000) GS:ffff8e8ebfec0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 0000000166b66001 CR4: 00000000001706e0
Call Trace:
kernfs_fop_write_iter+0x11c/0x1b0
new_sync_write+0x10b/0x180
vfs_write+0x209/0x2a0
ksys_write+0x4f/0xc0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae

The problem is that the device passed to clear_caseopen() is the hwmon
device, not the platform device, and the platform data is not set in the
hwmon device. Store the pointer to sio_data in struct nct6775_data and
get it from there if needed.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2024

CVE-2022-48751

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

net/smc: Transitional solution for clcsock race issue

We encountered a crash in smc_setsockopt() and it is caused by
accessing smc->clcsock after clcsock was released.

BUG: kernel NULL pointer dereference, address: 0000000000000020
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 50309 Comm: nginx Kdump: loaded Tainted: G E 5.16.0-rc4+ #53
RIP: 0010:smc_setsockopt+0x59/0x280 [smc]
Call Trace:
__sys_setsockopt+0xfc/0x190
__x64_sys_setsockopt+0x20/0x30
do_syscall_64+0x34/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f16ba83918e

This patch tries to fix it by holding clcsock_release_lock and
checking whether clcsock has already been released before access.

In case that a crash of the same reason happens in smc_getsockopt()
or smc_switch_to_fallback(), this patch also checks smc->clcsock
in them too. And the caller of smc_switch_to_fallback() will identify
whether fallback succeeds according to the return value.
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2025

CVE-2022-48752

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending

Running selftest with CONFIG_PPC_IRQ_SOFT_MASK_DEBUG enabled in kernel
triggered below warning:

[ 172.851380] ------------[ cut here ]------------
[ 172.851391] WARNING: CPU: 8 PID: 2901 at arch/powerpc/include/asm/hw_irq.h:246 power_pmu_disable+0x270/0x280
[ 172.851402] Modules linked in: dm_mod bonding nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink sunrpc xfs libcrc32c pseries_rng xts vmx_crypto uio_pdrv_genirq uio sch_fq_codel ip_tables ext4 mbcache jbd2 sd_mod t10_pi sg ibmvscsi ibmveth scsi_transport_srp fuse
[ 172.851442] CPU: 8 PID: 2901 Comm: lost_exception_ Not tainted 5.16.0-rc5-03218-g798527287598 #2
[ 172.851451] NIP: c00000000013d600 LR: c00000000013d5a4 CTR: c00000000013b180
[ 172.851458] REGS: c000000017687860 TRAP: 0700 Not tainted (5.16.0-rc5-03218-g798527287598)
[ 172.851465] MSR: 8000000000029033 CR: 48004884 XER: 20040000
[ 172.851482] CFAR: c00000000013d5b4 IRQMASK: 1
[ 172.851482] GPR00: c00000000013d5a4 c000000017687b00 c000000002a10600 0000000000000004
[ 172.851482] GPR04: 0000000082004000 c0000008ba08f0a8 0000000000000000 00000008b7ed0000
[ 172.851482] GPR08: 00000000446194f6 0000000000008000 c00000000013b118 c000000000d58e68
[ 172.851482] GPR12: c00000000013d390 c00000001ec54a80 0000000000000000 0000000000000000
[ 172.851482] GPR16: 0000000000000000 0000000000000000 c000000015d5c708 c0000000025396d0
[ 172.851482] GPR20: 0000000000000000 0000000000000000 c00000000a3bbf40 0000000000000003
[ 172.851482] GPR24: 0000000000000000 c0000008ba097400 c0000000161e0d00 c00000000a3bb600
[ 172.851482] GPR28: c000000015d5c700 0000000000000001 0000000082384090 c0000008ba0020d8
[ 172.851549] NIP [c00000000013d600] power_pmu_disable+0x270/0x280
[ 172.851557] LR [c00000000013d5a4] power_pmu_disable+0x214/0x280
[ 172.851565] Call Trace:
[ 172.851568] [c000000017687b00] [c00000000013d5a4] power_pmu_disable+0x214/0x280 (unreliable)
[ 172.851579] [c000000017687b40] [c0000000003403ac] perf_pmu_disable+0x4c/0x60
[ 172.851588] [c000000017687b60] [c0000000003445e4] __perf_event_task_sched_out+0x1d4/0x660
[ 172.851596] [c000000017687c50] [c000000000d1175c] __schedule+0xbcc/0x12a0
[ 172.851602] [c000000017687d60] [c000000000d11ea8] schedule+0x78/0x140
[ 172.851608] [c000000017687d90] [c0000000001a8080] sys_sched_yield+0x20/0x40
[ 172.851615] [c000000017687db0] [c0000000000334dc] system_call_exception+0x18c/0x380
[ 172.851622] [c000000017687e10] [c00000000000c74c] system_call_common+0xec/0x268

The warning indicates that MSR_EE being set(interrupt enabled) when
there was an overflown PMC detected. This could happen in
power_pmu_disable since it runs under interrupt soft disable
condition ( local_irq_save ) and not with interrupts hard disabled.
commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear
pending PMI before resetting an overflown PMC") intended to clear
PMI pending bit in Paca when disabling the PMU. It could happen
that PMC gets overflown while code is in power_pmu_disable
callback function. Hence add a check to see if PMI pending bit
is set in Paca before clearing it via clear_pmi_pending.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2022-48753

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

block: fix memory leak in disk_register_independent_access_ranges

kobject_init_and_add() takes reference even when it fails.
According to the doc of kobject_init_and_add()

If this function returns an error, kobject_put() must be called to
properly clean up the memory associated with the object.

Fix this issue by adding kobject_put().
Callback function blk_ia_ranges_sysfs_release() in kobject_put()
can handle the pointer "iars" properly.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2024