Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: Fix cleanup null-ptr deref on encap lock<br /> <br /> During module is unloaded while a peer tc flow is still offloaded,<br /> first the peer uplink rep profile is changed to a nic profile, and so<br /> neigh encap lock is destroyed. Next during unload, the VF reps netdevs<br /> are unregistered which causes the original non-peer tc flow to be deleted,<br /> which deletes the peer flow. The peer flow deletion detaches the encap<br /> entry and try to take the already destroyed encap lock, causing the<br /> below trace.<br /> <br /> Fix this by clearing peer flows during tc eswitch cleanup<br /> (mlx5e_tc_esw_cleanup()).<br /> <br /> Relevant trace:<br /> [ 4316.837128] BUG: kernel NULL pointer dereference, address: 00000000000001d8<br /> [ 4316.842239] RIP: 0010:__mutex_lock+0xb5/0xc40<br /> [ 4316.851897] Call Trace:<br /> [ 4316.852481] <br /> [ 4316.857214] mlx5e_rep_neigh_entry_release+0x93/0x790 [mlx5_core]<br /> [ 4316.858258] mlx5e_rep_encap_entry_detach+0xa7/0xf0 [mlx5_core]<br /> [ 4316.859134] mlx5e_encap_dealloc+0xa3/0xf0 [mlx5_core]<br /> [ 4316.859867] clean_encap_dests.part.0+0x5c/0xe0 [mlx5_core]<br /> [ 4316.860605] mlx5e_tc_del_fdb_flow+0x32a/0x810 [mlx5_core]<br /> [ 4316.862609] __mlx5e_tc_del_fdb_peer_flow+0x1a2/0x250 [mlx5_core]<br /> [ 4316.863394] mlx5e_tc_del_flow+0x(/0x630 [mlx5_core]<br /> [ 4316.864090] mlx5e_flow_put+0x5f/0x100 [mlx5_core]<br /> [ 4316.864771] mlx5e_delete_flower+0x4de/0xa40 [mlx5_core]<br /> [ 4316.865486] tc_setup_cb_reoffload+0x20/0x80<br /> [ 4316.865905] fl_reoffload+0x47c/0x510 [cls_flower]<br /> [ 4316.869181] tcf_block_playback_offloads+0x91/0x1d0<br /> [ 4316.869649] tcf_block_unbind+0xe7/0x1b0<br /> [ 4316.870049] tcf_block_offload_cmd.isra.0+0x1ee/0x270<br /> [ 4316.879266] tcf_block_offload_unbind+0x61/0xa0<br /> [ 4316.879711] __tcf_block_put+0xa4/0x310

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition<br /> <br /> This bug influences both st_nci_i2c_remove and st_nci_spi_remove.<br /> Take st_nci_i2c_remove as an example.<br /> <br /> In st_nci_i2c_probe, it called ndlc_probe and bound &amp;ndlc-&gt;sm_work<br /> with llt_ndlc_sm_work.<br /> <br /> When it calls ndlc_recv or timeout handler, it will finally call<br /> schedule_work to start the work.<br /> <br /> When we call st_nci_i2c_remove to remove the driver, there<br /> may be a sequence as follows:<br /> <br /> Fix it by finishing the work before cleanup in ndlc_remove<br /> <br /> CPU0 CPU1<br /> <br /> |llt_ndlc_sm_work<br /> st_nci_i2c_remove |<br /> ndlc_remove |<br /> st_nci_remove |<br /> nci_free_device|<br /> kfree(ndev) |<br /> //free ndlc-&gt;ndev |<br /> |llt_ndlc_rcv_queue<br /> |nci_recv_frame<br /> |//use ndlc-&gt;ndev

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> veth: Fix use after free in XDP_REDIRECT<br /> <br /> Commit 718a18a0c8a6 ("veth: Rework veth_xdp_rcv_skb in order<br /> to accept non-linear skb") introduced a bug where it tried to<br /> use pskb_expand_head() if the headroom was less than<br /> XDP_PACKET_HEADROOM. This however uses kmalloc to expand the head,<br /> which will later allow consume_skb() to free the skb while is it still<br /> in use by AF_XDP.<br /> <br /> Previously if the headroom was less than XDP_PACKET_HEADROOM we<br /> continued on to allocate a new skb from pages so this restores that<br /> behavior.<br /> <br /> BUG: KASAN: use-after-free in __xsk_rcv+0x18d/0x2c0<br /> Read of size 78 at addr ffff888976250154 by task napi/iconduit-g/148640<br /> <br /> CPU: 5 PID: 148640 Comm: napi/iconduit-g Kdump: loaded Tainted: G O 6.1.4-cloudflare-kasan-2023.1.2 #1<br /> Hardware name: Quanta Computer Inc. QuantaPlex T41S-2U/S2S-MB, BIOS S2S_3B10.03 06/21/2018<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x34/0x48<br /> print_report+0x170/0x473<br /> ? __xsk_rcv+0x18d/0x2c0<br /> kasan_report+0xad/0x130<br /> ? __xsk_rcv+0x18d/0x2c0<br /> kasan_check_range+0x149/0x1a0<br /> memcpy+0x20/0x60<br /> __xsk_rcv+0x18d/0x2c0<br /> __xsk_map_redirect+0x1f3/0x490<br /> ? veth_xdp_rcv_skb+0x89c/0x1ba0 [veth]<br /> xdp_do_redirect+0x5ca/0xd60<br /> veth_xdp_rcv_skb+0x935/0x1ba0 [veth]<br /> ? __netif_receive_skb_list_core+0x671/0x920<br /> ? veth_xdp+0x670/0x670 [veth]<br /> veth_xdp_rcv+0x304/0xa20 [veth]<br /> ? do_xdp_generic+0x150/0x150<br /> ? veth_xdp_rcv_one+0xde0/0xde0 [veth]<br /> ? _raw_spin_lock_bh+0xe0/0xe0<br /> ? newidle_balance+0x887/0xe30<br /> ? __perf_event_task_sched_in+0xdb/0x800<br /> veth_poll+0x139/0x571 [veth]<br /> ? veth_xdp_rcv+0xa20/0xa20 [veth]<br /> ? _raw_spin_unlock+0x39/0x70<br /> ? finish_task_switch.isra.0+0x17e/0x7d0<br /> ? __switch_to+0x5cf/0x1070<br /> ? __schedule+0x95b/0x2640<br /> ? io_schedule_timeout+0x160/0x160<br /> __napi_poll+0xa1/0x440<br /> napi_threaded_poll+0x3d1/0x460<br /> ? __napi_poll+0x440/0x440<br /> ? __kthread_parkme+0xc6/0x1f0<br /> ? __napi_poll+0x440/0x440<br /> kthread+0x2a2/0x340<br /> ? kthread_complete_and_exit+0x20/0x20<br /> ret_from_fork+0x22/0x30<br /> <br /> <br /> Freed by task 148640:<br /> kasan_save_stack+0x23/0x50<br /> kasan_set_track+0x21/0x30<br /> kasan_save_free_info+0x2a/0x40<br /> ____kasan_slab_free+0x169/0x1d0<br /> slab_free_freelist_hook+0xd2/0x190<br /> __kmem_cache_free+0x1a1/0x2f0<br /> skb_release_data+0x449/0x600<br /> consume_skb+0x9f/0x1c0<br /> veth_xdp_rcv_skb+0x89c/0x1ba0 [veth]<br /> veth_xdp_rcv+0x304/0xa20 [veth]<br /> veth_poll+0x139/0x571 [veth]<br /> __napi_poll+0xa1/0x440<br /> napi_threaded_poll+0x3d1/0x460<br /> kthread+0x2a2/0x340<br /> ret_from_fork+0x22/0x30<br /> <br /> The buggy address belongs to the object at ffff888976250000<br /> which belongs to the cache kmalloc-2k of size 2048<br /> The buggy address is located 340 bytes inside of<br /> 2048-byte region [ffff888976250000, ffff888976250800)<br /> <br /> The buggy address belongs to the physical page:<br /> page:00000000ae18262a refcount:2 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x976250<br /> head:00000000ae18262a order:3 compound_mapcount:0 compound_pincount:0<br /> flags: 0x2ffff800010200(slab|head|node=0|zone=2|lastcpupid=0x1ffff)<br /> raw: 002ffff800010200 0000000000000000 dead000000000122 ffff88810004cf00<br /> raw: 0000000000000000 0000000080080008 00000002ffffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /> <br /> Memory state around the buggy address:<br /> ffff888976250000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff888976250080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> &gt; ffff888976250100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ^<br /> ffff888976250180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff888976250200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/iucv: Fix size of interrupt data<br /> <br /> iucv_irq_data needs to be 4 bytes larger.<br /> These bytes are not used by the iucv module, but written by<br /> the z/VM hypervisor in case a CPU is deconfigured.<br /> <br /> Reported as:<br /> BUG dma-kmalloc-64 (Not tainted): kmalloc Redzone overwritten<br /> -----------------------------------------------------------------------------<br /> 0x0000000000400564-0x0000000000400567 @offset=1380. First byte 0x80 instead of 0xcc<br /> Allocated in iucv_cpu_prepare+0x44/0xd0 age=167839 cpu=2 pid=1<br /> __kmem_cache_alloc_node+0x166/0x450<br /> kmalloc_node_trace+0x3a/0x70<br /> iucv_cpu_prepare+0x44/0xd0<br /> cpuhp_invoke_callback+0x156/0x2f0<br /> cpuhp_issue_call+0xf0/0x298<br /> __cpuhp_setup_state_cpuslocked+0x136/0x338<br /> __cpuhp_setup_state+0xf4/0x288<br /> iucv_init+0xf4/0x280<br /> do_one_initcall+0x78/0x390<br /> do_initcalls+0x11a/0x140<br /> kernel_init_freeable+0x25e/0x2a0<br /> kernel_init+0x2e/0x170<br /> __ret_from_fork+0x3c/0x58<br /> ret_from_fork+0xa/0x40<br /> Freed in iucv_init+0x92/0x280 age=167839 cpu=2 pid=1<br /> __kmem_cache_free+0x308/0x358<br /> iucv_init+0x92/0x280<br /> do_one_initcall+0x78/0x390<br /> do_initcalls+0x11a/0x140<br /> kernel_init_freeable+0x25e/0x2a0<br /> kernel_init+0x2e/0x170<br /> __ret_from_fork+0x3c/0x58<br /> ret_from_fork+0xa/0x40<br /> Slab 0x0000037200010000 objects=32 used=30 fp=0x0000000000400640 flags=0x1ffff00000010200(slab|head|node=0|zone=0|<br /> Object 0x0000000000400540 @offset=1344 fp=0x0000000000000000<br /> Redzone 0000000000400500: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................<br /> Redzone 0000000000400510: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................<br /> Redzone 0000000000400520: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................<br /> Redzone 0000000000400530: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................<br /> Object 0000000000400540: 00 01 00 03 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> Object 0000000000400550: f3 86 81 f2 f4 82 f8 82 f0 f0 f0 f0 f0 f0 f0 f2 ................<br /> Object 0000000000400560: 00 00 00 00 80 00 00 00 cc cc cc cc cc cc cc cc ................<br /> Object 0000000000400570: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................<br /> Redzone 0000000000400580: cc cc cc cc cc cc cc cc ........<br /> Padding 00000000004005d4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ<br /> Padding 00000000004005e4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ<br /> Padding 00000000004005f4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ<br /> CPU: 6 PID: 121030 Comm: 116-pai-crypto. Not tainted 6.3.0-20230221.rc0.git4.99b8246b2d71.300.fc37.s390x+debug #1<br /> Hardware name: IBM 3931 A01 704 (z/VM 7.3.0)<br /> Call Trace:<br /> [] dump_stack_lvl+0xac/0x100<br /> [] check_bytes_and_report+0x104/0x140<br /> [] check_object+0x370/0x3c0<br /> [] free_debug_processing+0x15e/0x348<br /> [] free_to_partial_list+0x9a/0x2f0<br /> [] __slab_free+0x1e4/0x3a8<br /> [] __kmem_cache_free+0x308/0x358<br /> [] iucv_cpu_dead+0x6c/0x88<br /> [] cpuhp_invoke_callback+0x156/0x2f0<br /> [] _cpu_down.constprop.0+0x22a/0x5e0<br /> [] cpu_device_down+0x4e/0x78<br /> [] device_offline+0xc8/0x118<br /> [] online_store+0x60/0xe0<br /> [] kernfs_fop_write_iter+0x150/0x1e8<br /> [] vfs_write+0x174/0x360<br /> [] ksys_write+0x74/0x100<br /> [] __do_syscall+0x1da/0x208<br /> [] system_call+0x82/0xb0<br /> INFO: lockdep is turned off.<br /> FIX dma-kmalloc-64: Restoring kmalloc Redzone 0x0000000000400564-0x0000000000400567=0xcc<br /> FIX dma-kmalloc-64: Object at 0x0000000000400540 not freed

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: tunnels: annotate lockless accesses to dev-&gt;needed_headroom<br /> <br /> IP tunnels can apparently update dev-&gt;needed_headroom<br /> in their xmit path.<br /> <br /> This patch takes care of three tunnels xmit, and also the<br /> core LL_RESERVED_SPACE() and LL_RESERVED_SPACE_EXTRA()<br /> helpers.<br /> <br /> More changes might be needed for completeness.<br /> <br /> BUG: KCSAN: data-race in ip_tunnel_xmit / ip_tunnel_xmit<br /> <br /> read to 0xffff88815b9da0ec of 2 bytes by task 888 on cpu 1:<br /> ip_tunnel_xmit+0x1270/0x1730 net/ipv4/ip_tunnel.c:803<br /> __gre_xmit net/ipv4/ip_gre.c:469 [inline]<br /> ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661<br /> __netdev_start_xmit include/linux/netdevice.h:4881 [inline]<br /> netdev_start_xmit include/linux/netdevice.h:4895 [inline]<br /> xmit_one net/core/dev.c:3580 [inline]<br /> dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596<br /> __dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246<br /> dev_queue_xmit include/linux/netdevice.h:3051 [inline]<br /> neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623<br /> neigh_output include/net/neighbour.h:546 [inline]<br /> ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228<br /> ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316<br /> NF_HOOK_COND include/linux/netfilter.h:291 [inline]<br /> ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430<br /> dst_output include/net/dst.h:444 [inline]<br /> ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126<br /> iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82<br /> ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813<br /> __gre_xmit net/ipv4/ip_gre.c:469 [inline]<br /> ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661<br /> __netdev_start_xmit include/linux/netdevice.h:4881 [inline]<br /> netdev_start_xmit include/linux/netdevice.h:4895 [inline]<br /> xmit_one net/core/dev.c:3580 [inline]<br /> dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596<br /> __dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246<br /> dev_queue_xmit include/linux/netdevice.h:3051 [inline]<br /> neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623<br /> neigh_output include/net/neighbour.h:546 [inline]<br /> ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228<br /> ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316<br /> NF_HOOK_COND include/linux/netfilter.h:291 [inline]<br /> ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430<br /> dst_output include/net/dst.h:444 [inline]<br /> ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126<br /> iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82<br /> ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813<br /> __gre_xmit net/ipv4/ip_gre.c:469 [inline]<br /> ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661<br /> __netdev_start_xmit include/linux/netdevice.h:4881 [inline]<br /> netdev_start_xmit include/linux/netdevice.h:4895 [inline]<br /> xmit_one net/core/dev.c:3580 [inline]<br /> dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596<br /> __dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246<br /> dev_queue_xmit include/linux/netdevice.h:3051 [inline]<br /> neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623<br /> neigh_output include/net/neighbour.h:546 [inline]<br /> ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228<br /> ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316<br /> NF_HOOK_COND include/linux/netfilter.h:291 [inline]<br /> ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430<br /> dst_output include/net/dst.h:444 [inline]<br /> ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126<br /> iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82<br /> ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813<br /> __gre_xmit net/ipv4/ip_gre.c:469 [inline]<br /> ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661<br /> __netdev_start_xmit include/linux/netdevice.h:4881 [inline]<br /> netdev_start_xmit include/linux/netdevice.h:4895 [inline]<br /> xmit_one net/core/dev.c:3580 [inline]<br /> dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596<br /> __dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246<br /> dev_queue_xmit include/linux/netdevice.h:3051 [inline]<br /> neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623<br /> neigh_output include/net/neighbour.h:546 [inline]<br /> ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228<br /> ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316<br /> NF_HOOK_COND include/linux/netfilter.h:291 [inline]<br /> ip_output+0xe5/0x1b0 net/i<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()<br /> <br /> When performing a stress test on SMC-R by rmmod mlx5_ib driver<br /> during the wrk/nginx test, we found that there is a probability<br /> of triggering a panic while terminating all link groups.<br /> <br /> This issue dues to the race between smc_smcr_terminate_all()<br /> and smc_buf_create().<br /> <br /> smc_smcr_terminate_all<br /> <br /> smc_buf_create<br /> /* init */<br /> conn-&gt;sndbuf_desc = NULL;<br /> ...<br /> <br /> __smc_lgr_terminate<br /> smc_conn_kill<br /> smc_close_abort<br /> smc_cdc_get_slot_and_msg_send<br /> <br /> __softirqentry_text_start<br /> smc_wr_tx_process_cqe<br /> smc_cdc_tx_handler<br /> READ(conn-&gt;sndbuf_desc-&gt;len);<br /> /* panic dues to NULL sndbuf_desc */<br /> <br /> conn-&gt;sndbuf_desc = xxx;<br /> <br /> This patch tries to fix the issue by always to check the sndbuf_desc<br /> before send any cdc msg, to make sure that no null pointer is<br /> seen during cqe processing.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: update s_journal_inum if it changes after journal replay<br /> <br /> When mounting a crafted ext4 image, s_journal_inum may change after journal<br /> replay, which is obviously unreasonable because we have successfully loaded<br /> and replayed the journal through the old s_journal_inum. And the new<br /> s_journal_inum bypasses some of the checks in ext4_get_journal(), which<br /> may trigger a null pointer dereference problem. So if s_journal_inum<br /> changes after the journal replay, we ignore the change, and rewrite the<br /> current journal_inum to the superblock.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> interconnect: exynos: fix node leak in probe PM QoS error path<br /> <br /> Make sure to add the newly allocated interconnect node to the provider<br /> before adding the PM QoS request so that the node is freed on errors.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing: Do not let histogram values have some modifiers<br /> <br /> Histogram values can not be strings, stacktraces, graphs, symbols,<br /> syscalls, or grouped in buckets or log. Give an error if a value is set to<br /> do so.<br /> <br /> Note, the histogram code was not prepared to handle these modifiers for<br /> histograms and caused a bug.<br /> <br /> Mark Rutland reported:<br /> <br /> # echo &amp;#39;p:copy_to_user __arch_copy_to_user n=$arg2&amp;#39; &gt;&gt; /sys/kernel/tracing/kprobe_events<br /> # echo &amp;#39;hist:keys=n:vals=hitcount.buckets=8:sort=hitcount&amp;#39; &gt; /sys/kernel/tracing/events/kprobes/copy_to_user/trigger<br /> # cat /sys/kernel/tracing/events/kprobes/copy_to_user/hist<br /> [ 143.694628] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000<br /> [ 143.695190] Mem abort info:<br /> [ 143.695362] ESR = 0x0000000096000004<br /> [ 143.695604] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 143.695889] SET = 0, FnV = 0<br /> [ 143.696077] EA = 0, S1PTW = 0<br /> [ 143.696302] FSC = 0x04: level 0 translation fault<br /> [ 143.702381] Data abort info:<br /> [ 143.702614] ISV = 0, ISS = 0x00000004<br /> [ 143.702832] CM = 0, WnR = 0<br /> [ 143.703087] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000448f9000<br /> [ 143.703407] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000<br /> [ 143.704137] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP<br /> [ 143.704714] Modules linked in:<br /> [ 143.705273] CPU: 0 PID: 133 Comm: cat Not tainted 6.2.0-00003-g6fc512c10a7c #3<br /> [ 143.706138] Hardware name: linux,dummy-virt (DT)<br /> [ 143.706723] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 143.707120] pc : hist_field_name.part.0+0x14/0x140<br /> [ 143.707504] lr : hist_field_name.part.0+0x104/0x140<br /> [ 143.707774] sp : ffff800008333a30<br /> [ 143.707952] x29: ffff800008333a30 x28: 0000000000000001 x27: 0000000000400cc0<br /> [ 143.708429] x26: ffffd7a653b20260 x25: 0000000000000000 x24: ffff10d303ee5800<br /> [ 143.708776] x23: ffffd7a6539b27b0 x22: ffff10d303fb8c00 x21: 0000000000000001<br /> [ 143.709127] x20: ffff10d303ec2000 x19: 0000000000000000 x18: 0000000000000000<br /> [ 143.709478] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000<br /> [ 143.709824] x14: 0000000000000000 x13: 203a6f666e692072 x12: 6567676972742023<br /> [ 143.710179] x11: 0a230a6d6172676f x10: 000000000000002c x9 : ffffd7a6521e018c<br /> [ 143.710584] x8 : 000000000000002c x7 : 7f7f7f7f7f7f7f7f x6 : 000000000000002c<br /> [ 143.710915] x5 : ffff10d303b0103e x4 : ffffd7a653b20261 x3 : 000000000000003d<br /> [ 143.711239] x2 : 0000000000020001 x1 : 0000000000000001 x0 : 0000000000000000<br /> [ 143.711746] Call trace:<br /> [ 143.712115] hist_field_name.part.0+0x14/0x140<br /> [ 143.712642] hist_field_name.part.0+0x104/0x140<br /> [ 143.712925] hist_field_print+0x28/0x140<br /> [ 143.713125] event_hist_trigger_print+0x174/0x4d0<br /> [ 143.713348] hist_show+0xf8/0x980<br /> [ 143.713521] seq_read_iter+0x1bc/0x4b0<br /> [ 143.713711] seq_read+0x8c/0xc4<br /> [ 143.713876] vfs_read+0xc8/0x2a4<br /> [ 143.714043] ksys_read+0x70/0xfc<br /> [ 143.714218] __arm64_sys_read+0x24/0x30<br /> [ 143.714400] invoke_syscall+0x50/0x120<br /> [ 143.714587] el0_svc_common.constprop.0+0x4c/0x100<br /> [ 143.714807] do_el0_svc+0x44/0xd0<br /> [ 143.714970] el0_svc+0x2c/0x84<br /> [ 143.715134] el0t_64_sync_handler+0xbc/0x140<br /> [ 143.715334] el0t_64_sync+0x190/0x194<br /> [ 143.715742] Code: a9bd7bfd 910003fd a90153f3 aa0003f3 (f9400000)<br /> [ 143.716510] ---[ end trace 0000000000000000 ]---<br /> Segmentation fault

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: serial: fsl_lpuart: fix race on RX DMA shutdown<br /> <br /> From time to time DMA completion can come in the middle of DMA shutdown:<br /> <br /> : :<br /> lpuart32_shutdown()<br /> lpuart_dma_shutdown()<br /> del_timer_sync()<br /> lpuart_dma_rx_complete()<br /> lpuart_copy_rx_to_tty()<br /> mod_timer()<br /> lpuart_dma_rx_free()<br /> <br /> When the timer fires a bit later, sport-&gt;dma_rx_desc is NULL:<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004<br /> pc : lpuart_copy_rx_to_tty+0xcc/0x5bc<br /> lr : lpuart_timer_func+0x1c/0x2c<br /> Call trace:<br /> lpuart_copy_rx_to_tty<br /> lpuart_timer_func<br /> call_timer_fn<br /> __run_timers.part.0<br /> run_timer_softirq<br /> __do_softirq<br /> __irq_exit_rcu<br /> irq_exit<br /> handle_domain_irq<br /> gic_handle_irq<br /> call_on_irq_stack<br /> do_interrupt_handler<br /> ...<br /> <br /> To fix this fold del_timer_sync() into lpuart_dma_rx_free() after<br /> dmaengine_terminate_sync() to make sure timer will not be re-started in<br /> lpuart_copy_rx_to_tty()

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/ttm: Fix a NULL pointer dereference<br /> <br /> The LRU mechanism may look up a resource in the process of being removed<br /> from an object. The locking rules here are a bit unclear but it looks<br /> currently like res-&gt;bo assignment is protected by the LRU lock, whereas<br /> bo-&gt;resource is protected by the object lock, while *clearing* of<br /> bo-&gt;resource is also protected by the LRU lock. This means that if<br /> we check that bo-&gt;resource points to the LRU resource under the LRU<br /> lock we should be safe.<br /> So perform that check before deciding to swap out a bo. That avoids<br /> dereferencing a NULL bo-&gt;resource in ttm_bo_swapout().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> interconnect: fix mem leak when freeing nodes<br /> <br /> The node link array is allocated when adding links to a node but is not<br /> deallocated when nodes are destroyed.