Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: atlantic: fix aq_vec index out of range error<br /> <br /> The final update statement of the for loop exceeds the array range, the<br /> dereference of self-&gt;aq_vec[i] is not checked and then leads to the<br /> index out of range error.<br /> Also fixed this kind of coding style in other for loop.<br /> <br /> [ 97.937604] UBSAN: array-index-out-of-bounds in drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1404:48<br /> [ 97.937607] index 8 is out of range for type &amp;#39;aq_vec_s *[8]&amp;#39;<br /> [ 97.937608] CPU: 38 PID: 3767 Comm: kworker/u256:18 Not tainted 5.19.0+ #2<br /> [ 97.937610] Hardware name: Dell Inc. Precision 7865 Tower/, BIOS 1.0.0 06/12/2022<br /> [ 97.937611] Workqueue: events_unbound async_run_entry_fn<br /> [ 97.937616] Call Trace:<br /> [ 97.937617] <br /> [ 97.937619] dump_stack_lvl+0x49/0x63<br /> [ 97.937624] dump_stack+0x10/0x16<br /> [ 97.937626] ubsan_epilogue+0x9/0x3f<br /> [ 97.937627] __ubsan_handle_out_of_bounds.cold+0x44/0x49<br /> [ 97.937629] ? __scm_send+0x348/0x440<br /> [ 97.937632] ? aq_vec_stop+0x72/0x80 [atlantic]<br /> [ 97.937639] aq_nic_stop+0x1b6/0x1c0 [atlantic]<br /> [ 97.937644] aq_suspend_common+0x88/0x90 [atlantic]<br /> [ 97.937648] aq_pm_suspend_poweroff+0xe/0x20 [atlantic]<br /> [ 97.937653] pci_pm_suspend+0x7e/0x1a0<br /> [ 97.937655] ? pci_pm_suspend_noirq+0x2b0/0x2b0<br /> [ 97.937657] dpm_run_callback+0x54/0x190<br /> [ 97.937660] __device_suspend+0x14c/0x4d0<br /> [ 97.937661] async_suspend+0x23/0x70<br /> [ 97.937663] async_run_entry_fn+0x33/0x120<br /> [ 97.937664] process_one_work+0x21f/0x3f0<br /> [ 97.937666] worker_thread+0x4a/0x3c0<br /> [ 97.937668] ? process_one_work+0x3f0/0x3f0<br /> [ 97.937669] kthread+0xf0/0x120<br /> [ 97.937671] ? kthread_complete_and_exit+0x20/0x20<br /> [ 97.937672] ret_from_fork+0x22/0x30<br /> [ 97.937676] <br /> <br /> v2. fixed "warning: variable &amp;#39;aq_vec&amp;#39; set but not used"<br /> <br /> v3. simplified a for loop

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> virtio_net: fix memory leak inside XPD_TX with mergeable<br /> <br /> When we call xdp_convert_buff_to_frame() to get xdpf, if it returns<br /> NULL, we should check if xdp_page was allocated by xdp_linearize_page().<br /> If it is newly allocated, it should be freed here alone. Just like any<br /> other "goto err_xdp".

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: bgmac: Fix a BUG triggered by wrong bytes_compl<br /> <br /> On one of our machines we got:<br /> <br /> kernel BUG at lib/dynamic_queue_limits.c:27!<br /> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM<br /> CPU: 0 PID: 1166 Comm: irq/41-bgmac Tainted: G W O 4.14.275-rt132 #1<br /> Hardware name: BRCM XGS iProc<br /> task: ee3415c0 task.stack: ee32a000<br /> PC is at dql_completed+0x168/0x178<br /> LR is at bgmac_poll+0x18c/0x6d8<br /> pc : [] lr : [] psr: 800a0313<br /> sp : ee32be14 ip : 000005ea fp : 00000bd4<br /> r10: ee558500 r9 : c0116298 r8 : 00000002<br /> r7 : 00000000 r6 : ef128810 r5 : 01993267 r4 : 01993851<br /> r3 : ee558000 r2 : 000070e1 r1 : 00000bd4 r0 : ee52c180<br /> Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none<br /> Control: 12c5387d Table: 8e88c04a DAC: 00000051<br /> Process irq/41-bgmac (pid: 1166, stack limit = 0xee32a210)<br /> Stack: (0xee32be14 to 0xee32c000)<br /> be00: ee558520 ee52c100 ef128810<br /> be20: 00000000 00000002 c0116298 c04b5a18 00000000 c0a0c8c4 c0951780 00000040<br /> be40: c0701780 ee558500 ee55d520 ef05b340 ef6f9780 ee558520 00000001 00000040<br /> be60: ffffe000 c0a56878 ef6fa040 c0952040 0000012c c0528744 ef6f97b0 fffcfb6a<br /> be80: c0a04104 2eda8000 c0a0c4ec c0a0d368 ee32bf44 c0153534 ee32be98 ee32be98<br /> bea0: ee32bea0 ee32bea0 ee32bea8 ee32bea8 00000000 c01462e4 ffffe000 ef6f22a8<br /> bec0: ffffe000 00000008 ee32bee4 c0147430 ffffe000 c094a2a8 00000003 ffffe000<br /> bee0: c0a54528 00208040 0000000c c0a0c8c4 c0a65980 c0124d3c 00000008 ee558520<br /> bf00: c094a23c c0a02080 00000000 c07a9910 ef136970 ef136970 ee30a440 ef136900<br /> bf20: ee30a440 00000001 ef136900 ee30a440 c016d990 00000000 c0108db0 c012500c<br /> bf40: ef136900 c016da14 ee30a464 ffffe000 00000001 c016dd14 00000000 c016db28<br /> bf60: ffffe000 ee21a080 ee30a400 00000000 ee32a000 ee30a440 c016dbfc ee25fd70<br /> bf80: ee21a09c c013edcc ee32a000 ee30a400 c013ec7c 00000000 00000000 00000000<br /> bfa0: 00000000 00000000 00000000 c0108470 00000000 00000000 00000000 00000000<br /> bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000<br /> bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000<br /> [] (dql_completed) from [] (bgmac_poll+0x18c/0x6d8)<br /> [] (bgmac_poll) from [] (net_rx_action+0x1c4/0x494)<br /> [] (net_rx_action) from [] (do_current_softirqs+0x1ec/0x43c)<br /> [] (do_current_softirqs) from [] (__local_bh_enable+0x80/0x98)<br /> [] (__local_bh_enable) from [] (irq_forced_thread_fn+0x84/0x98)<br /> [] (irq_forced_thread_fn) from [] (irq_thread+0x118/0x1c0)<br /> [] (irq_thread) from [] (kthread+0x150/0x158)<br /> [] (kthread) from [] (ret_from_fork+0x14/0x24)<br /> Code: a83f15e0 0200001a 0630a0e1 c3ffffea (f201f0e7)<br /> <br /> The issue seems similar to commit 90b3b339364c ("net: hisilicon: Fix a BUG<br /> trigered by wrong bytes_compl") and potentially introduced by commit<br /> b38c83dd0866 ("bgmac: simplify tx ring index handling").<br /> <br /> If there is an RX interrupt between setting ring-&gt;end<br /> and netdev_sent_queue() we can hit the BUG_ON as bgmac_dma_tx_free()<br /> can miscalculate the queue size while called from bgmac_poll().<br /> <br /> The machine which triggered the BUG runs a v4.14 RT kernel - but the issue<br /> seems present in mainline too.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map<br /> <br /> of_parse_phandle() returns a node pointer with refcount<br /> incremented, we should use of_node_put() on it when not need anymore.<br /> Add missing of_node_put() to avoid refcount leak."

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: Fix missing i_op in ntfs_read_mft<br /> <br /> There is null pointer dereference because i_op == NULL.<br /> The bug happens because we don&amp;#39;t initialize i_op for records in $Extend.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: Fix NULL deref in ntfs_update_mftmirr<br /> <br /> If ntfs_fill_super() wasn&amp;#39;t called then sbi-&gt;sb will be equal to NULL.<br /> Code should check this ptr before dereferencing. Syzbot hit this issue<br /> via passing wrong mount param as can be seen from log below<br /> <br /> Fail log:<br /> ntfs3: Unknown parameter &amp;#39;iochvrset&amp;#39;<br /> general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN<br /> KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]<br /> CPU: 1 PID: 3589 Comm: syz-executor210 Not tainted 5.18.0-rc3-syzkaller-00016-gb253435746d9 #0<br /> ...<br /> Call Trace:<br /> <br /> put_ntfs+0x1ed/0x2a0 fs/ntfs3/super.c:463<br /> ntfs_fs_free+0x6a/0xe0 fs/ntfs3/super.c:1363<br /> put_fs_context+0x119/0x7a0 fs/fs_context.c:469<br /> do_new_mount+0x2b4/0xad0 fs/namespace.c:3044<br /> do_mount fs/namespace.c:3383 [inline]<br /> __do_sys_mount fs/namespace.c:3591 [inline]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vdpa_sim_blk: set number of address spaces and virtqueue groups<br /> <br /> Commit bda324fd037a ("vdpasim: control virtqueue support") added two<br /> new fields (nas, ngroups) to vdpasim_dev_attr, but we forgot to<br /> initialize them for vdpa_sim_blk.<br /> <br /> When creating a new vdpa_sim_blk device this causes the kernel<br /> to panic in this way:<br />    $ vdpa dev add mgmtdev vdpasim_blk name blk0<br />    BUG: kernel NULL pointer dereference, address: 0000000000000030<br />    ...<br />    RIP: 0010:vhost_iotlb_add_range_ctx+0x41/0x220 [vhost_iotlb]<br />    ...<br />    Call Trace:<br />     <br />     vhost_iotlb_add_range+0x11/0x800 [vhost_iotlb]<br />     vdpasim_map_range+0x91/0xd0 [vdpa_sim]<br />     vdpasim_alloc_coherent+0x56/0x90 [vdpa_sim]<br />     ...<br /> <br /> This happens because vdpasim-&gt;iommu[0] is not initialized when<br /> dev_attr.nas is 0.<br /> <br /> Let&amp;#39;s fix this issue by initializing both (nas, ngroups) to 1 for<br /> vdpa_sim_blk.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ceph: don&amp;#39;t leak snap_rwsem in handle_cap_grant<br /> <br /> When handle_cap_grant is called on an IMPORT op, then the snap_rwsem is<br /> held and the function is expected to release it before returning. It<br /> currently fails to do that in all cases which could lead to a deadlock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> octeontx2-af: Fix mcam entry resource leak<br /> <br /> The teardown sequence in FLR handler returns if no NIX LF<br /> is attached to PF/VF because it indicates that graceful<br /> shutdown of resources already happened. But there is a<br /> chance of all allocated MCAM entries not being freed by<br /> PF/VF. Hence free mcam entries even in case of detached LF.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iavf: Fix NULL pointer dereference in iavf_get_link_ksettings<br /> <br /> Fix possible NULL pointer dereference, due to freeing of adapter-&gt;vf_res<br /> in iavf_init_get_resources. Previous commit introduced a regression,<br /> where receiving IAVF_ERR_ADMIN_QUEUE_NO_WORK from iavf_get_vf_config<br /> would free adapter-&gt;vf_res. However, netdev is still registered, so<br /> ethtool_ops can be called. Calling iavf_get_link_ksettings with no vf_res,<br /> will result with:<br /> [ 9385.242676] BUG: kernel NULL pointer dereference, address: 0000000000000008<br /> [ 9385.242683] #PF: supervisor read access in kernel mode<br /> [ 9385.242686] #PF: error_code(0x0000) - not-present page<br /> [ 9385.242690] PGD 0 P4D 0<br /> [ 9385.242696] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI<br /> [ 9385.242701] CPU: 6 PID: 3217 Comm: pmdalinux Kdump: loaded Tainted: G S E 5.18.0-04958-ga54ce3703613-dirty #1<br /> [ 9385.242708] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.11.0 11/02/2019<br /> [ 9385.242710] RIP: 0010:iavf_get_link_ksettings+0x29/0xd0 [iavf]<br /> [ 9385.242745] Code: 00 0f 1f 44 00 00 b8 01 ef ff ff 48 c7 46 30 00 00 00 00 48 c7 46 38 00 00 00 00 c6 46 0b 00 66 89 46 08 48 8b 87 68 0e 00 00 40 08 80 75 50 8b 87 5c 0e 00 00 83 f8 08 74 7a 76 1d 83 f8 20<br /> [ 9385.242749] RSP: 0018:ffffc0560ec7fbd0 EFLAGS: 00010246<br /> [ 9385.242755] RAX: 0000000000000000 RBX: ffffc0560ec7fc08 RCX: 0000000000000000<br /> [ 9385.242759] RDX: ffffffffc0ad4550 RSI: ffffc0560ec7fc08 RDI: ffffa0fc66674000<br /> [ 9385.242762] RBP: 00007ffd1fb2bf50 R08: b6a2d54b892363ee R09: ffffa101dc14fb00<br /> [ 9385.242765] R10: 0000000000000000 R11: 0000000000000004 R12: ffffa0fc66674000<br /> [ 9385.242768] R13: 0000000000000000 R14: ffffa0fc66674000 R15: 00000000ffffffa1<br /> [ 9385.242771] FS: 00007f93711a2980(0000) GS:ffffa0fad72c0000(0000) knlGS:0000000000000000<br /> [ 9385.242775] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 9385.242778] CR2: 0000000000000008 CR3: 0000000a8e61c003 CR4: 00000000003706e0<br /> [ 9385.242781] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [ 9385.242784] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [ 9385.242787] Call Trace:<br /> [ 9385.242791] <br /> [ 9385.242793] ethtool_get_settings+0x71/0x1a0<br /> [ 9385.242814] __dev_ethtool+0x426/0x2f40<br /> [ 9385.242823] ? slab_post_alloc_hook+0x4f/0x280<br /> [ 9385.242836] ? kmem_cache_alloc_trace+0x15d/0x2f0<br /> [ 9385.242841] ? dev_ethtool+0x59/0x170<br /> [ 9385.242848] dev_ethtool+0xa7/0x170<br /> [ 9385.242856] dev_ioctl+0xc3/0x520<br /> [ 9385.242866] sock_do_ioctl+0xa0/0xe0<br /> [ 9385.242877] sock_ioctl+0x22f/0x320<br /> [ 9385.242885] __x64_sys_ioctl+0x84/0xc0<br /> [ 9385.242896] do_syscall_64+0x3a/0x80<br /> [ 9385.242904] entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> [ 9385.242918] RIP: 0033:0x7f93702396db<br /> [ 9385.242923] Code: 73 01 c3 48 8b 0d ad 57 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 7d 57 38 00 f7 d8 64 89 01 48<br /> [ 9385.242927] RSP: 002b:00007ffd1fb2bf18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br /> [ 9385.242932] RAX: ffffffffffffffda RBX: 000055671b1d2fe0 RCX: 00007f93702396db<br /> [ 9385.242935] RDX: 00007ffd1fb2bf20 RSI: 0000000000008946 RDI: 0000000000000007<br /> [ 9385.242937] RBP: 00007ffd1fb2bf20 R08: 0000000000000003 R09: 0030763066307330<br /> [ 9385.242940] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd1fb2bf80<br /> [ 9385.242942] R13: 0000000000000007 R14: 0000556719f6de90 R15: 00007ffd1fb2c1b0<br /> [ 9385.242948] <br /> [ 9385.242949] Modules linked in: iavf(E) xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nft_compat nf_nat_tftp nft_objref nf_conntrack_tftp bridge stp llc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink vfat fat irdma ib_uverbs ib_core intel_rapl_msr intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretem<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iavf: Fix adminq error handling<br /> <br /> iavf_alloc_asq_bufs/iavf_alloc_arq_bufs allocates with dma_alloc_coherent<br /> memory for VF mailbox.<br /> Free DMA regions for both ASQ and ARQ in case error happens during<br /> configuration of ASQ/ARQ registers.<br /> Without this change it is possible to see when unloading interface:<br /> 74626.583369: dma_debug_device_change: device driver has pending DMA allocations while released from device [count=32]<br /> One of leaked entries details: [device address=0x0000000b27ff9000] [size=4096 bytes] [mapped with DMA_BIDIRECTIONAL] [mapped as coherent]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iavf: Fix reset error handling<br /> <br /> Do not call iavf_close in iavf_reset_task error handling. Doing so can<br /> lead to double call of napi_disable, which can lead to deadlock there.<br /> Removing VF would lead to iavf_remove task being stuck, because it<br /> requires crit_lock, which is held by iavf_close.<br /> Call iavf_disable_vf if reset fail, so that driver will clean up<br /> remaining invalid resources.<br /> During rapid VF resets, HW can fail to setup VF mailbox. Wrong<br /> error handling can lead to iavf_remove being stuck with:<br /> [ 5218.999087] iavf 0000:82:01.0: Failed to init adminq: -53<br /> ...<br /> [ 5267.189211] INFO: task repro.sh:11219 blocked for more than 30 seconds.<br /> [ 5267.189520] Tainted: G S E 5.18.0-04958-ga54ce3703613-dirty #1<br /> [ 5267.189764] "echo 0 &gt; /proc/sys/kernel/hung_task_timeout_secs" disables this message.<br /> [ 5267.190062] task:repro.sh state:D stack: 0 pid:11219 ppid: 8162 flags:0x00000000<br /> [ 5267.190347] Call Trace:<br /> [ 5267.190647] <br /> [ 5267.190927] __schedule+0x460/0x9f0<br /> [ 5267.191264] schedule+0x44/0xb0<br /> [ 5267.191563] schedule_preempt_disabled+0x14/0x20<br /> [ 5267.191890] __mutex_lock.isra.12+0x6e3/0xac0<br /> [ 5267.192237] ? iavf_remove+0xf9/0x6c0 [iavf]<br /> [ 5267.192565] iavf_remove+0x12a/0x6c0 [iavf]<br /> [ 5267.192911] ? _raw_spin_unlock_irqrestore+0x1e/0x40<br /> [ 5267.193285] pci_device_remove+0x36/0xb0<br /> [ 5267.193619] device_release_driver_internal+0xc1/0x150<br /> [ 5267.193974] pci_stop_bus_device+0x69/0x90<br /> [ 5267.194361] pci_stop_and_remove_bus_device+0xe/0x20<br /> [ 5267.194735] pci_iov_remove_virtfn+0xba/0x120<br /> [ 5267.195130] sriov_disable+0x2f/0xe0<br /> [ 5267.195506] ice_free_vfs+0x7d/0x2f0 [ice]<br /> [ 5267.196056] ? pci_get_device+0x4f/0x70<br /> [ 5267.196496] ice_sriov_configure+0x78/0x1a0 [ice]<br /> [ 5267.196995] sriov_numvfs_store+0xfe/0x140<br /> [ 5267.197466] kernfs_fop_write_iter+0x12e/0x1c0<br /> [ 5267.197918] new_sync_write+0x10c/0x190<br /> [ 5267.198404] vfs_write+0x24e/0x2d0<br /> [ 5267.198886] ksys_write+0x5c/0xd0<br /> [ 5267.199367] do_syscall_64+0x3a/0x80<br /> [ 5267.199827] entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> [ 5267.200317] RIP: 0033:0x7f5b381205c8<br /> [ 5267.200814] RSP: 002b:00007fff8c7e8c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001<br /> [ 5267.201981] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f5b381205c8<br /> [ 5267.202620] RDX: 0000000000000002 RSI: 00005569420ee900 RDI: 0000000000000001<br /> [ 5267.203426] RBP: 00005569420ee900 R08: 000000000000000a R09: 00007f5b38180820<br /> [ 5267.204327] R10: 000000000000000a R11: 0000000000000246 R12: 00007f5b383c06e0<br /> [ 5267.205193] R13: 0000000000000002 R14: 00007f5b383bb880 R15: 0000000000000002<br /> [ 5267.206041] <br /> [ 5267.206970] Kernel panic - not syncing: hung_task: blocked tasks<br /> [ 5267.207809] CPU: 48 PID: 551 Comm: khungtaskd Kdump: loaded Tainted: G S E 5.18.0-04958-ga54ce3703613-dirty #1<br /> [ 5267.208726] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.11.0 11/02/2019<br /> [ 5267.209623] Call Trace:<br /> [ 5267.210569] <br /> [ 5267.211480] dump_stack_lvl+0x33/0x42<br /> [ 5267.212472] panic+0x107/0x294<br /> [ 5267.213467] watchdog.cold.8+0xc/0xbb<br /> [ 5267.214413] ? proc_dohung_task_timeout_secs+0x30/0x30<br /> [ 5267.215511] kthread+0xf4/0x120<br /> [ 5267.216459] ? kthread_complete_and_exit+0x20/0x20<br /> [ 5267.217505] ret_from_fork+0x22/0x30<br /> [ 5267.218459]