Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: m_can: m_can_read_fifo: fix memory leak in error branch<br /> <br /> In m_can_read_fifo(), if the second call to m_can_fifo_read() fails,<br /> the function jump to the out_fail label and returns without calling<br /> m_can_receive_skb(). This means that the skb previously allocated by<br /> alloc_can_skb() is not freed. In other terms, this is a memory leak.<br /> <br /> This patch adds a goto label to destroy the skb if an error occurs.<br /> <br /> Issue was found with GCC -fanalyzer, please follow the link below for<br /> details.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix re-dirty process of tree-log nodes<br /> <br /> There is a report of a transaction abort of -EAGAIN with the following<br /> script.<br /> <br /> #!/bin/sh<br /> <br /> for d in sda sdb; do<br /> mkfs.btrfs -d single -m single -f /dev/\${d}<br /> done<br /> <br /> mount /dev/sda /mnt/test<br /> mount /dev/sdb /mnt/scratch<br /> <br /> for dir in test scratch; do<br /> echo 3 &gt;/proc/sys/vm/drop_caches<br /> fio --directory=/mnt/\${dir} --name=fio.\${dir} --rw=read --size=50G --bs=64m \<br /> --numjobs=$(nproc) --time_based --ramp_time=5 --runtime=480 \<br /> --group_reporting |&amp; tee /dev/shm/fio.\${dir}<br /> echo 3 &gt;/proc/sys/vm/drop_caches<br /> done<br /> <br /> for d in sda sdb; do<br /> umount /dev/\${d}<br /> done<br /> <br /> The stack trace is shown in below.<br /> <br /> [3310.967991] BTRFS: error (device sda) in btrfs_commit_transaction:2341: errno=-11 unknown (Error while writing out transaction)<br /> [3310.968060] BTRFS info (device sda): forced readonly<br /> [3310.968064] BTRFS warning (device sda): Skipping commit of aborted transaction.<br /> [3310.968065] ------------[ cut here ]------------<br /> [3310.968066] BTRFS: Transaction aborted (error -11)<br /> [3310.968074] WARNING: CPU: 14 PID: 1684 at fs/btrfs/transaction.c:1946 btrfs_commit_transaction.cold+0x209/0x2c8<br /> [3310.968131] CPU: 14 PID: 1684 Comm: fio Not tainted 5.14.10-300.fc35.x86_64 #1<br /> [3310.968135] Hardware name: DIAWAY Tartu/Tartu, BIOS V2.01.B10 04/08/2021<br /> [3310.968137] RIP: 0010:btrfs_commit_transaction.cold+0x209/0x2c8<br /> [3310.968144] RSP: 0018:ffffb284ce393e10 EFLAGS: 00010282<br /> [3310.968147] RAX: 0000000000000026 RBX: ffff973f147b0f60 RCX: 0000000000000027<br /> [3310.968149] RDX: ffff974ecf098a08 RSI: 0000000000000001 RDI: ffff974ecf098a00<br /> [3310.968150] RBP: ffff973f147b0f08 R08: 0000000000000000 R09: ffffb284ce393c48<br /> [3310.968151] R10: ffffb284ce393c40 R11: ffffffff84f47468 R12: ffff973f101bfc00<br /> [3310.968153] R13: ffff971f20cf2000 R14: 00000000fffffff5 R15: ffff973f147b0e58<br /> [3310.968154] FS: 00007efe65468740(0000) GS:ffff974ecf080000(0000) knlGS:0000000000000000<br /> [3310.968157] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [3310.968158] CR2: 000055691bcbe260 CR3: 000000105cfa4001 CR4: 0000000000770ee0<br /> [3310.968160] PKRU: 55555554<br /> [3310.968161] Call Trace:<br /> [3310.968167] ? dput+0xd4/0x300<br /> [3310.968174] btrfs_sync_file+0x3f1/0x490<br /> [3310.968180] __x64_sys_fsync+0x33/0x60<br /> [3310.968185] do_syscall_64+0x3b/0x90<br /> [3310.968190] entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> [3310.968194] RIP: 0033:0x7efe6557329b<br /> [3310.968200] RSP: 002b:00007ffe0236ebc0 EFLAGS: 00000293 ORIG_RAX: 000000000000004a<br /> [3310.968203] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007efe6557329b<br /> [3310.968204] RDX: 0000000000000000 RSI: 00007efe58d77010 RDI: 0000000000000006<br /> [3310.968205] RBP: 0000000004000000 R08: 0000000000000000 R09: 00007efe58d77010<br /> [3310.968207] R10: 0000000016cacc0c R11: 0000000000000293 R12: 00007efe5ce95980<br /> [3310.968208] R13: 0000000000000000 R14: 00007efe6447c790 R15: 0000000c80000000<br /> [3310.968212] ---[ end trace 1a346f4d3c0d96ba ]---<br /> [3310.968214] BTRFS: error (device sda) in cleanup_transaction:1946: errno=-11 unknown<br /> <br /> The abort occurs because of a write hole while writing out freeing tree<br /> nodes of a tree-log tree. For zoned btrfs, we re-dirty a freed tree<br /> node to ensure btrfs can write the region and does not leave a hole on<br /> write on a zoned device. The current code fails to re-dirty a node<br /> when the tree-log tree&amp;#39;s depth is greater or equal to 2. That leads to<br /> a transaction abort with -EAGAIN.<br /> <br /> Fix the issue by properly re-dirtying a node on walking up the tree.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: pcm: oss: Fix negative period/buffer sizes<br /> <br /> The period size calculation in OSS layer may receive a negative value<br /> as an error, but the code there assumes only the positive values and<br /> handle them with size_t. Due to that, a too big value may be passed<br /> to the lower layers.<br /> <br /> This patch changes the code to handle with ssize_t and adds the proper<br /> error checks appropriately.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: fq_pie: prevent dismantle issue<br /> <br /> For some reason, fq_pie_destroy() did not copy<br /> working code from pie_destroy() and other qdiscs,<br /> thus causing elusive bug.<br /> <br /> Before calling del_timer_sync(&amp;q-&gt;adapt_timer),<br /> we need to ensure timer will not rearm itself.<br /> <br /> rcu: INFO: rcu_preempt self-detected stall on CPU<br /> rcu: 0-....: (4416 ticks this GP) idle=60d/1/0x4000000000000000 softirq=10433/10434 fqs=2579<br /> (t=10501 jiffies g=13085 q=3989)<br /> NMI backtrace for cpu 0<br /> CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 5.16.0-rc4-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106<br /> nmi_cpu_backtrace.cold+0x47/0x144 lib/nmi_backtrace.c:111<br /> nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62<br /> trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]<br /> rcu_dump_cpu_stacks+0x25e/0x3f0 kernel/rcu/tree_stall.h:343<br /> print_cpu_stall kernel/rcu/tree_stall.h:627 [inline]<br /> check_cpu_stall kernel/rcu/tree_stall.h:711 [inline]<br /> rcu_pending kernel/rcu/tree.c:3878 [inline]<br /> rcu_sched_clock_irq.cold+0x9d/0x746 kernel/rcu/tree.c:2597<br /> update_process_times+0x16d/0x200 kernel/time/timer.c:1785<br /> tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:226<br /> tick_sched_timer+0x1b0/0x2d0 kernel/time/tick-sched.c:1428<br /> __run_hrtimer kernel/time/hrtimer.c:1685 [inline]<br /> __hrtimer_run_queues+0x1c0/0xe50 kernel/time/hrtimer.c:1749<br /> hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811<br /> local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1086 [inline]<br /> __sysvec_apic_timer_interrupt+0x146/0x530 arch/x86/kernel/apic/apic.c:1103<br /> sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1097<br /> <br /> <br /> asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638<br /> RIP: 0010:write_comp_data kernel/kcov.c:221 [inline]<br /> RIP: 0010:__sanitizer_cov_trace_const_cmp1+0x1d/0x80 kernel/kcov.c:273<br /> Code: 54 c8 20 48 89 10 c3 66 0f 1f 44 00 00 53 41 89 fb 41 89 f1 bf 03 00 00 00 65 48 8b 0c 25 40 70 02 00 48 89 ce 4c 8b 54 24 08 4e f7 ff ff 84 c0 74 51 48 8b 81 88 15 00 00 44 8b 81 84 15 00<br /> RSP: 0018:ffffc90000d27b28 EFLAGS: 00000246<br /> RAX: 0000000000000000 RBX: ffff888064bf1bf0 RCX: ffff888011928000<br /> RDX: ffff888011928000 RSI: ffff888011928000 RDI: 0000000000000003<br /> RBP: ffff888064bf1c28 R08: 0000000000000000 R09: 0000000000000000<br /> R10: ffffffff875d8295 R11: 0000000000000000 R12: 0000000000000000<br /> R13: ffff8880783dd300 R14: 0000000000000000 R15: 0000000000000000<br /> pie_calculate_probability+0x405/0x7c0 net/sched/sch_pie.c:418<br /> fq_pie_timer+0x170/0x2a0 net/sched/sch_fq_pie.c:383<br /> call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421<br /> expire_timers kernel/time/timer.c:1466 [inline]<br /> __run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734<br /> __run_timers kernel/time/timer.c:1715 [inline]<br /> run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747<br /> __do_softirq+0x29b/0x9c2 kernel/softirq.c:558<br /> run_ksoftirqd kernel/softirq.c:921 [inline]<br /> run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913<br /> smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164<br /> kthread+0x405/0x4f0 kernel/kthread.c:327<br /> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: dsa: felix: Fix memory leak in felix_setup_mmio_filtering<br /> <br /> Avoid a memory leak if there is not a CPU port defined.<br /> <br /> Addresses-Coverity-ID: 1492897 ("Resource leak")<br /> Addresses-Coverity-ID: 1492899 ("Resource leak")

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> devlink: fix netns refcount leak in devlink_nl_cmd_reload()<br /> <br /> While preparing my patch series adding netns refcount tracking,<br /> I spotted bugs in devlink_nl_cmd_reload()<br /> <br /> Some error paths forgot to release a refcount on a netns.<br /> <br /> To fix this, we can reduce the scope of get_net()/put_net()<br /> section around the call to devlink_reload().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> seg6: fix the iif in the IPv6 socket control block<br /> <br /> When an IPv4 packet is received, the ip_rcv_core(...) sets the receiving<br /> interface index into the IPv4 socket control block (v5.16-rc4,<br /> net/ipv4/ip_input.c line 510):<br /> <br /> IPCB(skb)-&gt;iif = skb-&gt;skb_iif;<br /> <br /> If that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH<br /> header, the seg6_do_srh_encap(...) performs the required encapsulation.<br /> In this case, the seg6_do_srh_encap function clears the IPv6 socket control<br /> block (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163):<br /> <br /> memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));<br /> <br /> The memset(...) was introduced in commit ef489749aae5 ("ipv6: sr: clear<br /> IP6CB(skb) on SRH ip4ip6 encapsulation") a long time ago (2019-01-29).<br /> <br /> Since the IPv6 socket control block and the IPv4 socket control block share<br /> the same memory area (skb-&gt;cb), the receiving interface index info is lost<br /> (IP6CB(skb)-&gt;iif is set to zero).<br /> <br /> As a side effect, that condition triggers a NULL pointer dereference if<br /> commit 0857d6f8c759 ("ipv6: When forwarding count rx stats on the orig<br /> netdev") is applied.<br /> <br /> To fix that issue, we set the IP6CB(skb)-&gt;iif with the index of the<br /> receiving interface once again.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> aio: fix use-after-free due to missing POLLFREE handling<br /> <br /> signalfd_poll() and binder_poll() are special in that they use a<br /> waitqueue whose lifetime is the current task, rather than the struct<br /> file as is normally the case. This is okay for blocking polls, since a<br /> blocking poll occurs within one task; however, non-blocking polls<br /> require another solution. This solution is for the queue to be cleared<br /> before it is freed, by sending a POLLFREE notification to all waiters.<br /> <br /> Unfortunately, only eventpoll handles POLLFREE. A second type of<br /> non-blocking poll, aio poll, was added in kernel v4.18, and it doesn&amp;#39;t<br /> handle POLLFREE. This allows a use-after-free to occur if a signalfd or<br /> binder fd is polled with aio poll, and the waitqueue gets freed.<br /> <br /> Fix this by making aio poll handle POLLFREE.<br /> <br /> A patch by Ramji Jiyani <br /> (https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com)<br /> tried to do this by making aio_poll_wake() always complete the request<br /> inline if POLLFREE is seen. However, that solution had two bugs.<br /> First, it introduced a deadlock, as it unconditionally locked the aio<br /> context while holding the waitqueue lock, which inverts the normal<br /> locking order. Second, it didn&amp;#39;t consider that POLLFREE notifications<br /> are missed while the request has been temporarily de-queued.<br /> <br /> The second problem was solved by my previous patch. This patch then<br /> properly fixes the use-after-free by handling POLLFREE in a<br /> deadlock-free way. It does this by taking advantage of the fact that<br /> freeing of the waitqueue is RCU-delayed, similar to what eventpoll does.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: fix use-after-free due to delegation race<br /> <br /> A delegation break could arrive as soon as we&amp;#39;ve called vfs_setlease. A<br /> delegation break runs a callback which immediately (in<br /> nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we<br /> then exit nfs4_set_delegation without hashing the delegation, it will be<br /> freed as soon as the callback is done with it, without ever being<br /> removed from del_recall_lru.<br /> <br /> Symptoms show up later as use-after-free or list corruption warnings,<br /> usually in the laundromat thread.<br /> <br /> I suspect aba2072f4523 "nfsd: grant read delegations to clients holding<br /> writes" made this bug easier to hit, but I looked as far back as v3.0<br /> and it looks to me it already had the same problem. So I&amp;#39;m not sure<br /> where the bug was introduced; it may have been there from the beginning.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: Fix nsfd startup race (again)<br /> <br /> Commit bd5ae9288d64 ("nfsd: register pernet ops last, unregister first")<br /> has re-opened rpc_pipefs_event() race against nfsd_net_id registration<br /> (register_pernet_subsys()) which has been fixed by commit bb7ffbf29e76<br /> ("nfsd: fix nsfd startup race triggering BUG_ON").<br /> <br /> Restore the order of register_pernet_subsys() vs register_cld_notifier().<br /> Add WARN_ON() to prevent a future regression.<br /> <br /> Crash info:<br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000012<br /> CPU: 8 PID: 345 Comm: mount Not tainted 5.4.144-... #1<br /> pc : rpc_pipefs_event+0x54/0x120 [nfsd]<br /> lr : rpc_pipefs_event+0x48/0x120 [nfsd]<br /> Call trace:<br /> rpc_pipefs_event+0x54/0x120 [nfsd]<br /> blocking_notifier_call_chain<br /> rpc_fill_super<br /> get_tree_keyed<br /> rpc_fs_get_tree<br /> vfs_get_tree<br /> do_mount<br /> ksys_mount<br /> __arm64_sys_mount<br /> el0_svc_handler<br /> el0_svc

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: free exchange changeset on failures<br /> <br /> Fstests runs on my VMs have show several kmemleak reports like the following.<br /> <br /> unreferenced object 0xffff88811ae59080 (size 64):<br /> comm "xfs_io", pid 12124, jiffies 4294987392 (age 6.368s)<br /> hex dump (first 32 bytes):<br /> 00 c0 1c 00 00 00 00 00 ff cf 1c 00 00 00 00 00 ................<br /> 90 97 e5 1a 81 88 ff ff 90 97 e5 1a 81 88 ff ff ................<br /> backtrace:<br /> [] ulist_add_merge+0x60/0x150 [btrfs]<br /> [] set_state_bits+0x86/0xc0 [btrfs]<br /> [] set_extent_bit+0x270/0x690 [btrfs]<br /> [] set_record_extent_bits+0x19/0x20 [btrfs]<br /> [] qgroup_reserve_data+0x274/0x310 [btrfs]<br /> [] btrfs_check_data_free_space+0x5c/0xa0 [btrfs]<br /> [] btrfs_delalloc_reserve_space+0x1b/0xa0 [btrfs]<br /> [] btrfs_dio_iomap_begin+0x415/0x970 [btrfs]<br /> [] iomap_iter+0x161/0x1e0<br /> [] __iomap_dio_rw+0x1df/0x700<br /> [] iomap_dio_rw+0x5/0x20<br /> [] btrfs_file_write_iter+0x290/0x530 [btrfs]<br /> [] new_sync_write+0x106/0x180<br /> [] vfs_write+0x24d/0x2f0<br /> [] __x64_sys_pwrite64+0x69/0xa0<br /> [] do_syscall_64+0x43/0x90<br /> <br /> In case brtfs_qgroup_reserve_data() or btrfs_delalloc_reserve_metadata()<br /> fail the allocated extent_changeset will not be freed.<br /> <br /> So in btrfs_check_data_free_space() and btrfs_delalloc_reserve_space()<br /> free the allocated extent_changeset to get rid of the allocated memory.<br /> <br /> The issue currently only happens in the direct IO write path, but only<br /> after 65b3c08606e5 ("btrfs: fix ENOSPC failure when attempting direct IO<br /> write into NOCOW range"), and also at defrag_one_locked_target(). Every<br /> other place is always calling extent_changeset_free() even if its call<br /> to btrfs_delalloc_reserve_space() or btrfs_check_data_free_space() has<br /> failed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: pcm: oss: Limit the period size to 16MB<br /> <br /> Set the practical limit to the period size (the fragment shift in OSS)<br /> instead of a full 31bit; a too large value could lead to the exhaust<br /> of memory as we allocate temporary buffers of the period size, too.<br /> <br /> As of this patch, we set to 16MB limit, which should cover all use<br /> cases.