Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drivers/perf: Fix ali_drw_pmu driver interrupt status clearing<br /> <br /> The alibaba_uncore_pmu driver forgot to clear all interrupt status<br /> in the interrupt processing function. After the PMU counter overflow<br /> interrupt occurred, an interrupt storm occurred, causing the system<br /> to hang.<br /> <br /> Therefore, clear the correct interrupt status in the interrupt handling<br /> function to fix it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave()<br /> <br /> syzbot reported a WARNING in bond_xdp_get_xmit_slave. To reproduce<br /> this[1], one bond device (bond1) has xdpdrv, which increases<br /> bpf_master_redirect_enabled_key. Another bond device (bond0) which is<br /> unsupported by XDP but its slave (veth3) has xdpgeneric that returns<br /> XDP_TX. This triggers WARN_ON_ONCE() from the xdp_master_redirect().<br /> To reduce unnecessary warnings and improve log management, we need to<br /> delete the WARN_ON_ONCE() and add ratelimit to the netdev_err().<br /> <br /> [1] Steps to reproduce:<br /> # Needs tx_xdp with return XDP_TX;<br /> ip l add veth0 type veth peer veth1<br /> ip l add veth3 type veth peer veth4<br /> ip l add bond0 type bond mode 6 # BOND_MODE_ALB, unsupported by XDP<br /> ip l add bond1 type bond # BOND_MODE_ROUNDROBIN by default<br /> ip l set veth0 master bond1<br /> ip l set bond1 up<br /> # Increases bpf_master_redirect_enabled_key<br /> ip l set dev bond1 xdpdrv object tx_xdp.o section xdp_tx<br /> ip l set veth3 master bond0<br /> ip l set bond0 up<br /> ip l set veth4 up<br /> # Triggers WARN_ON_ONCE() from the xdp_master_redirect()<br /> ip l set veth3 xdpgeneric object tx_xdp.o section xdp_tx

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211: don&amp;#39;t use rate mask for offchannel TX either<br /> <br /> Like the commit ab9177d83c04 ("wifi: mac80211: don&amp;#39;t use rate mask for<br /> scanning"), ignore incorrect settings to avoid no supported rate warning<br /> reported by syzbot.<br /> <br /> The syzbot did bisect and found cause is commit 9df66d5b9f45 ("cfg80211:<br /> fix default HE tx bitrate mask in 2G band"), which however corrects<br /> bitmask of HE MCS and recognizes correctly settings of empty legacy rate<br /> plus HE MCS rate instead of returning -EINVAL.<br /> <br /> As suggestions [1], follow the change of SCAN TX to consider this case of<br /> offchannel TX as well.<br /> <br /> [1] https://lore.kernel.org/linux-wireless/6ab2dc9c3afe753ca6fdcdd1421e7a1f47e87b84.camel@sipsolutions.net/T/#m2ac2a6d2be06a37c9c47a3d8a44b4f647ed4f024

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> erofs: handle overlapped pclusters out of crafted images properly<br /> <br /> syzbot reported a task hang issue due to a deadlock case where it is<br /> waiting for the folio lock of a cached folio that will be used for<br /> cache I/Os.<br /> <br /> After looking into the crafted fuzzed image, I found it&amp;#39;s formed with<br /> several overlapped big pclusters as below:<br /> <br /> Ext: logical offset | length : physical offset | length<br /> 0: 0.. 16384 | 16384 : 151552.. 167936 | 16384<br /> 1: 16384.. 32768 | 16384 : 155648.. 172032 | 16384<br /> 2: 32768.. 49152 | 16384 : 537223168.. 537239552 | 16384<br /> ...<br /> <br /> Here, extent 0/1 are physically overlapped although it&amp;#39;s entirely<br /> _impossible_ for normal filesystem images generated by mkfs.<br /> <br /> First, managed folios containing compressed data will be marked as<br /> up-to-date and then unlocked immediately (unlike in-place folios) when<br /> compressed I/Os are complete. If physical blocks are not submitted in<br /> the incremental order, there should be separate BIOs to avoid dependency<br /> issues. However, the current code mis-arranges z_erofs_fill_bio_vec()<br /> and BIO submission which causes unexpected BIO waits.<br /> <br /> Second, managed folios will be connected to their own pclusters for<br /> efficient inter-queries. However, this is somewhat hard to implement<br /> easily if overlapped big pclusters exist. Again, these only appear in<br /> fuzzed images so let&amp;#39;s simply fall back to temporary short-lived pages<br /> for correctness.<br /> <br /> Additionally, it justifies that referenced managed folios cannot be<br /> truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy<br /> up `struct z_erofs_bvec`") for simplicity although it shouldn&amp;#39;t be any<br /> difference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled<br /> <br /> Fix missuse of spin_lock_irq()/spin_unlock_irq() when<br /> spin_lock_irqsave()/spin_lock_irqrestore() was hold.<br /> <br /> This was discovered through the lock debugging, and the corresponding<br /> log is as follows:<br /> <br /> raw_local_irq_restore() called with IRQs enabled<br /> WARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40<br /> ...<br /> Call trace:<br /> warn_bogus_irq_restore+0x30/0x40<br /> _raw_spin_unlock_irqrestore+0x84/0xc8<br /> add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2]<br /> hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2]<br /> hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2]<br /> create_qp+0x138/0x258<br /> ib_create_qp_kernel+0x50/0xe8<br /> create_mad_qp+0xa8/0x128<br /> ib_mad_port_open+0x218/0x448<br /> ib_mad_init_device+0x70/0x1f8<br /> add_client_context+0xfc/0x220<br /> enable_device_and_get+0xd0/0x140<br /> ib_register_device.part.0+0xf4/0x1c8<br /> ib_register_device+0x34/0x50<br /> hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2]<br /> hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2]<br /> __hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2]<br /> hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: call cache_put if xdr_reserve_space returns NULL<br /> <br /> If not enough buffer space available, but idmap_lookup has triggered<br /> lookup_fn which calls cache_get and returns successfully. Then we<br /> missed to call cache_put here which pairs with cache_get.<br /> <br /> Reviwed-by: Jeff Layton

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: hisilicon/qm - inject error before stopping queue<br /> <br /> The master ooo cannot be completely closed when the<br /> accelerator core reports memory error. Therefore, the driver<br /> needs to inject the qm error to close the master ooo. Currently,<br /> the qm error is injected after stopping queue, memory may be<br /> released immediately after stopping queue, causing the device to<br /> access the released memory. Therefore, error is injected to close master<br /> ooo before stopping queue to ensure that the device does not access<br /> the released memory.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath11k: use work queue to process beacon tx event<br /> <br /> Commit 3a415daa3e8b ("wifi: ath11k: add P2P IE in beacon template")<br /> from Feb 28, 2024 (linux-next), leads to the following Smatch static<br /> checker warning:<br /> <br /> drivers/net/wireless/ath/ath11k/wmi.c:1742 ath11k_wmi_p2p_go_bcn_ie()<br /> warn: sleeping in atomic context<br /> <br /> The reason is that ath11k_bcn_tx_status_event() will directly call might<br /> sleep function ath11k_wmi_cmd_send() during RCU read-side critical<br /> sections. The call trace is like:<br /> <br /> ath11k_bcn_tx_status_event()<br /> -&gt; rcu_read_lock()<br /> -&gt; ath11k_mac_bcn_tx_event()<br /> -&gt; ath11k_mac_setup_bcn_tmpl()<br /> ……<br /> -&gt; ath11k_wmi_bcn_tmpl()<br /> -&gt; ath11k_wmi_cmd_send()<br /> -&gt; rcu_read_unlock()<br /> <br /> Commit 886433a98425 ("ath11k: add support for BSS color change") added the<br /> ath11k_mac_bcn_tx_event(), commit 01e782c89108 ("ath11k: fix warning<br /> of RCU usage for ath11k_mac_get_arvif_by_vdev_id()") added the RCU lock<br /> to avoid warning but also introduced this BUG.<br /> <br /> Use work queue to avoid directly calling ath11k_mac_bcn_tx_event()<br /> during RCU critical sections. No need to worry about the deletion of vif<br /> because cancel_work_sync() will drop the work if it doesn&amp;#39;t start or<br /> block vif deletion until the running work is done.<br /> <br /> Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to wait dio completion<br /> <br /> It should wait all existing dio write IOs before block removal,<br /> otherwise, previous direct write IO may overwrite data in the<br /> block which may be reused by other inode.