Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: lpfc: Move cfg_log_verbose check before calling lpfc_dmp_dbg()<br /> <br /> In an attempt to log message 0126 with LOG_TRACE_EVENT, the following hard<br /> lockup call trace hangs the system.<br /> <br /> Call Trace:<br /> _raw_spin_lock_irqsave+0x32/0x40<br /> lpfc_dmp_dbg.part.32+0x28/0x220 [lpfc]<br /> lpfc_cmpl_els_fdisc+0x145/0x460 [lpfc]<br /> lpfc_sli_cancel_jobs+0x92/0xd0 [lpfc]<br /> lpfc_els_flush_cmd+0x43c/0x670 [lpfc]<br /> lpfc_els_flush_all_cmd+0x37/0x60 [lpfc]<br /> lpfc_sli4_async_event_proc+0x956/0x1720 [lpfc]<br /> lpfc_do_work+0x1485/0x1d70 [lpfc]<br /> kthread+0x112/0x130<br /> ret_from_fork+0x1f/0x40<br /> Kernel panic - not syncing: Hard LOCKUP<br /> <br /> The same CPU tries to claim the phba-&gt;port_list_lock twice.<br /> <br /> Move the cfg_log_verbose checks as part of the lpfc_printf_vlog() and<br /> lpfc_printf_log() macros before calling lpfc_dmp_dbg(). There is no need<br /> to take the phba-&gt;port_list_lock within lpfc_dmp_dbg().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ath11k: fix the warning of dev_wake in mhi_pm_disable_transition()<br /> <br /> When test device recovery with below command, it has warning in message<br /> as below.<br /> echo assert &gt; /sys/kernel/debug/ath11k/wcn6855\ hw2.0/simulate_fw_crash<br /> echo assert &gt; /sys/kernel/debug/ath11k/qca6390\ hw2.0/simulate_fw_crash<br /> <br /> warning message:<br /> [ 1965.642121] ath11k_pci 0000:06:00.0: simulating firmware assert crash<br /> [ 1968.471364] ieee80211 phy0: Hardware restart was requested<br /> [ 1968.511305] ------------[ cut here ]------------<br /> [ 1968.511368] WARNING: CPU: 3 PID: 1546 at drivers/bus/mhi/core/pm.c:505 mhi_pm_disable_transition+0xb37/0xda0 [mhi]<br /> [ 1968.511443] Modules linked in: ath11k_pci ath11k mac80211 libarc4 cfg80211 qmi_helpers qrtr_mhi mhi qrtr nvme nvme_core<br /> [ 1968.511563] CPU: 3 PID: 1546 Comm: kworker/u17:0 Kdump: loaded Tainted: G W 5.17.0-rc3-wt-ath+ #579<br /> [ 1968.511629] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021<br /> [ 1968.511704] Workqueue: mhi_hiprio_wq mhi_pm_st_worker [mhi]<br /> [ 1968.511787] RIP: 0010:mhi_pm_disable_transition+0xb37/0xda0 [mhi]<br /> [ 1968.511870] Code: a9 fe ff ff 4c 89 ff 44 89 04 24 e8 03 46 f6 e5 44 8b 04 24 41 83 f8 01 0f 84 21 fe ff ff e9 4c fd ff ff 0f 0b e9 af f8 ff ff 0b e9 5c f8 ff ff 48 89 df e8 da 9e ee e3 e9 12 fd ff ff 4c 89<br /> [ 1968.511923] RSP: 0018:ffffc900024efbf0 EFLAGS: 00010286<br /> [ 1968.511969] RAX: 00000000ffffffff RBX: ffff88811d241250 RCX: ffffffffc0176922<br /> [ 1968.512014] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888118a90a24<br /> [ 1968.512059] RBP: ffff888118a90800 R08: 0000000000000000 R09: ffff888118a90a27<br /> [ 1968.512102] R10: ffffed1023152144 R11: 0000000000000001 R12: ffff888118a908ac<br /> [ 1968.512229] R13: ffff888118a90928 R14: dffffc0000000000 R15: ffff888118a90a24<br /> [ 1968.512310] FS: 0000000000000000(0000) GS:ffff888234200000(0000) knlGS:0000000000000000<br /> [ 1968.512405] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 1968.512493] CR2: 00007f5538f443a8 CR3: 000000016dc28001 CR4: 00000000003706e0<br /> [ 1968.512587] Call Trace:<br /> [ 1968.512672] <br /> [ 1968.512751] ? _raw_spin_unlock_irq+0x1f/0x40<br /> [ 1968.512859] mhi_pm_st_worker+0x3ac/0x790 [mhi]<br /> [ 1968.512959] ? mhi_pm_mission_mode_transition.isra.0+0x7d0/0x7d0 [mhi]<br /> [ 1968.513063] process_one_work+0x86a/0x1400<br /> [ 1968.513184] ? pwq_dec_nr_in_flight+0x230/0x230<br /> [ 1968.513312] ? move_linked_works+0x125/0x290<br /> [ 1968.513416] worker_thread+0x6db/0xf60<br /> [ 1968.513536] ? process_one_work+0x1400/0x1400<br /> [ 1968.513627] kthread+0x241/0x2d0<br /> [ 1968.513733] ? kthread_complete_and_exit+0x20/0x20<br /> [ 1968.513821] ret_from_fork+0x22/0x30<br /> [ 1968.513924] <br /> <br /> Reason is mhi_deassert_dev_wake() from mhi_device_put() is called<br /> but mhi_assert_dev_wake() from __mhi_device_get_sync() is not called<br /> in progress of recovery. Commit 8e0559921f9a ("bus: mhi: core:<br /> Skip device wake in error or shutdown state") add check for the<br /> pm_state of mhi in __mhi_device_get_sync(), and the pm_state is not<br /> the normal state untill recovery is completed, so it leads the<br /> dev_wake is not 0 and above warning print in mhi_pm_disable_transition()<br /> while checking mhi_cntrl-&gt;dev_wake.<br /> <br /> Add check in ath11k_pci_write32()/ath11k_pci_read32() to skip call<br /> mhi_device_put() if mhi_device_get_sync() does not really do wake,<br /> then the warning gone.<br /> <br /> Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipw2x00: Fix potential NULL dereference in libipw_xmit()<br /> <br /> crypt and crypt-&gt;ops could be null, so we need to checking null<br /> before dereference

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: usb-audio: Cancel pending work at closing a MIDI substream<br /> <br /> At closing a USB MIDI output substream, there might be still a pending<br /> work, which would eventually access the rawmidi runtime object that is<br /> being released. For fixing the race, make sure to cancel the pending<br /> work at closing.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix deadlock between concurrent dio writes when low on free data space<br /> <br /> When reserving data space for a direct IO write we can end up deadlocking<br /> if we have multiple tasks attempting a write to the same file range, there<br /> are multiple extents covered by that file range, we are low on available<br /> space for data and the writes don&amp;#39;t expand the inode&amp;#39;s i_size.<br /> <br /> The deadlock can happen like this:<br /> <br /> 1) We have a file with an i_size of 1M, at offset 0 it has an extent with<br /> a size of 128K and at offset 128K it has another extent also with a<br /> size of 128K;<br /> <br /> 2) Task A does a direct IO write against file range [0, 256K), and because<br /> the write is within the i_size boundary, it takes the inode&amp;#39;s lock (VFS<br /> level) in shared mode;<br /> <br /> 3) Task A locks the file range [0, 256K) at btrfs_dio_iomap_begin(), and<br /> then gets the extent map for the extent covering the range [0, 128K).<br /> At btrfs_get_blocks_direct_write(), it creates an ordered extent for<br /> that file range ([0, 128K));<br /> <br /> 4) Before returning from btrfs_dio_iomap_begin(), it unlocks the file<br /> range [0, 256K);<br /> <br /> 5) Task A executes btrfs_dio_iomap_begin() again, this time for the file<br /> range [128K, 256K), and locks the file range [128K, 256K);<br /> <br /> 6) Task B starts a direct IO write against file range [0, 256K) as well.<br /> It also locks the inode in shared mode, as it&amp;#39;s within the i_size limit,<br /> and then tries to lock file range [0, 256K). It is able to lock the<br /> subrange [0, 128K) but then blocks waiting for the range [128K, 256K),<br /> as it is currently locked by task A;<br /> <br /> 7) Task A enters btrfs_get_blocks_direct_write() and tries to reserve data<br /> space. Because we are low on available free space, it triggers the<br /> async data reclaim task, and waits for it to reserve data space;<br /> <br /> 8) The async reclaim task decides to wait for all existing ordered extents<br /> to complete (through btrfs_wait_ordered_roots()).<br /> It finds the ordered extent previously created by task A for the file<br /> range [0, 128K) and waits for it to complete;<br /> <br /> 9) The ordered extent for the file range [0, 128K) can not complete<br /> because it blocks at btrfs_finish_ordered_io() when trying to lock the<br /> file range [0, 128K).<br /> <br /> This results in a deadlock, because:<br /> <br /> - task B is holding the file range [0, 128K) locked, waiting for the<br /> range [128K, 256K) to be unlocked by task A;<br /> <br /> - task A is holding the file range [128K, 256K) locked and it&amp;#39;s waiting<br /> for the async data reclaim task to satisfy its space reservation<br /> request;<br /> <br /> - the async data reclaim task is waiting for ordered extent [0, 128K)<br /> to complete, but the ordered extent can not complete because the<br /> file range [0, 128K) is currently locked by task B, which is waiting<br /> on task A to unlock file range [128K, 256K) and task A waiting<br /> on the async data reclaim task.<br /> <br /> This results in a deadlock between 4 task: task A, task B, the async<br /> data reclaim task and the task doing ordered extent completion (a work<br /> queue task).<br /> <br /> This type of deadlock can sporadically be triggered by the test case<br /> generic/300 from fstests, and results in a stack trace like the following:<br /> <br /> [12084.033689] INFO: task kworker/u16:7:123749 blocked for more than 241 seconds.<br /> [12084.034877] Not tainted 5.18.0-rc2-btrfs-next-115 #1<br /> [12084.035562] "echo 0 &gt; /proc/sys/kernel/hung_task_timeout_secs" disables this message.<br /> [12084.036548] task:kworker/u16:7 state:D stack: 0 pid:123749 ppid: 2 flags:0x00004000<br /> [12084.036554] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs]<br /> [12084.036599] Call Trace:<br /> [12084.036601] <br /> [12084.036606] __schedule+0x3cb/0xed0<br /> [12084.036616] schedule+0x4e/0xb0<br /> [12084.036620] btrfs_start_ordered_extent+0x109/0x1c0 [btrfs]<br /> [12084.036651] ? prepare_to_wait_exclusive+0xc0/0xc0<br /> [12084.036659] btrfs_run_ordered_extent_work+0x1a/0x30 [btrfs]<br /> [12084.036688] btrfs_work_helper+0xf8/0x400 [btrfs]<br /> [12084.0367<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix potential array overflow in bpf_trampoline_get_progs()<br /> <br /> The cnt value in the &amp;#39;cnt &gt;= BPF_MAX_TRAMP_PROGS&amp;#39; check does not<br /> include BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of<br /> the attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline<br /> can exceed BPF_MAX_TRAMP_PROGS.<br /> <br /> When this happens, the assignment &amp;#39;*progs++ = aux-&gt;prog&amp;#39; in<br /> bpf_trampoline_get_progs() will cause progs array overflow as the<br /> progs field in the bpf_tramp_progs struct can only hold at most<br /> BPF_MAX_TRAMP_PROGS bpf programs.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/MCE/AMD: Fix memory leak when threshold_create_bank() fails<br /> <br /> In mce_threshold_create_device(), if threshold_create_bank() fails, the<br /> previously allocated threshold banks array @bp will be leaked because<br /> the call to mce_threshold_remove_device() will not free it.<br /> <br /> This happens because mce_threshold_remove_device() fetches the pointer<br /> through the threshold_banks per-CPU variable but bp is written there<br /> only after the bank creation is successful, and not before, when<br /> threshold_create_bank() fails.<br /> <br /> Add a helper which unwinds all the bank creation work previously done<br /> and pass into it the previously allocated threshold banks array for<br /> freeing.<br /> <br /> [ bp: Massage. ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: provide block_invalidate_folio to fix memory leak<br /> <br /> The ntfs3 filesystem lacks the &amp;#39;invalidate_folio&amp;#39; method and it causes<br /> memory leak. If you write to the filesystem and then unmount it, the<br /> cached written data are not freed and they are permanently leaked.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: isp1760: Fix out-of-bounds array access<br /> <br /> Running the driver through kasan gives an interesting splat:<br /> <br /> BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c<br /> Read of size 20 at addr f1db2e64 by task swapper/0/1<br /> (...)<br /> isp1760_register from isp1760_plat_probe+0x1d8/0x220<br /> (...)<br /> <br /> This happens because the loop reading the regmap fields for the<br /> different ISP1760 variants look like this:<br /> <br /> for (i = 0; i

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/kexec: fix memory leak of elf header buffer<br /> <br /> This is reported by kmemleak detector:<br /> <br /> unreferenced object 0xffffc900002a9000 (size 4096):<br /> comm "kexec", pid 14950, jiffies 4295110793 (age 373.951s)<br /> hex dump (first 32 bytes):<br /> 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............<br /> 04 00 3e 00 01 00 00 00 00 00 00 00 00 00 00 00 ..&gt;.............<br /> backtrace:<br /> [] __vmalloc_node_range+0x101/0x170<br /> [] __vmalloc_node+0xb4/0x160<br /> [] crash_prepare_elf64_headers+0x8e/0xcd0<br /> [] crash_load_segments+0x260/0x470<br /> [] bzImage64_load+0x814/0xad0<br /> [] arch_kexec_kernel_image_load+0x1be/0x2a0<br /> [] kimage_file_alloc_init+0x2ec/0x5a0<br /> [] __do_sys_kexec_file_load+0x28d/0x530<br /> [] do_syscall_64+0x3b/0x90<br /> [] entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> In crash_prepare_elf64_headers(), a buffer is allocated via vmalloc() to<br /> store elf headers. While it&amp;#39;s not freed back to system correctly when<br /> kdump kernel is reloaded or unloaded. Then memory leak is caused. Fix it<br /> by introducing x86 specific function arch_kimage_file_post_load_cleanup(),<br /> and freeing the buffer there.<br /> <br /> And also remove the incorrect elf header buffer freeing code. Before<br /> calling arch specific kexec_file loading function, the image instance has<br /> been initialized. So &amp;#39;image-&gt;elf_headers&amp;#39; must be NULL. It doesn&amp;#39;t make<br /> sense to free the elf header buffer in the place.<br /> <br /> Three different people have reported three bugs about the memory leak on<br /> x86_64 inside Redhat.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> loop: implement -&gt;free_disk<br /> <br /> Ensure that the lo_device which is stored in the gendisk private<br /> data is valid until the gendisk is freed. Currently the loop driver<br /> uses a lot of effort to make sure a device is not freed when it is<br /> still in use, but to to fix a potential deadlock this will be relaxed<br /> a bit soon.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes<br /> <br /> drm_cvt_mode may return NULL and we should check it.<br /> <br /> This bug is found by syzkaller:<br /> <br /> FAULT_INJECTION stacktrace:<br /> [ 168.567394] FAULT_INJECTION: forcing a failure.<br /> name failslab, interval 1, probability 0, space 0, times 1<br /> [ 168.567403] CPU: 1 PID: 6425 Comm: syz Kdump: loaded Not tainted 4.19.90-vhulk2201.1.0.h1035.kasan.eulerosv2r10.aarch64 #1<br /> [ 168.567406] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015<br /> [ 168.567408] Call trace:<br /> [ 168.567414] dump_backtrace+0x0/0x310<br /> [ 168.567418] show_stack+0x28/0x38<br /> [ 168.567423] dump_stack+0xec/0x15c<br /> [ 168.567427] should_fail+0x3ac/0x3d0<br /> [ 168.567437] __should_failslab+0xb8/0x120<br /> [ 168.567441] should_failslab+0x28/0xc0<br /> [ 168.567445] kmem_cache_alloc_trace+0x50/0x640<br /> [ 168.567454] drm_mode_create+0x40/0x90<br /> [ 168.567458] drm_cvt_mode+0x48/0xc78<br /> [ 168.567477] virtio_gpu_conn_get_modes+0xa8/0x140 [virtio_gpu]<br /> [ 168.567485] drm_helper_probe_single_connector_modes+0x3a4/0xd80<br /> [ 168.567492] drm_mode_getconnector+0x2e0/0xa70<br /> [ 168.567496] drm_ioctl_kernel+0x11c/0x1d8<br /> [ 168.567514] drm_ioctl+0x558/0x6d0<br /> [ 168.567522] do_vfs_ioctl+0x160/0xf30<br /> [ 168.567525] ksys_ioctl+0x98/0xd8<br /> [ 168.567530] __arm64_sys_ioctl+0x50/0xc8<br /> [ 168.567536] el0_svc_common+0xc8/0x320<br /> [ 168.567540] el0_svc_handler+0xf8/0x160<br /> [ 168.567544] el0_svc+0x10/0x218<br /> <br /> KASAN stacktrace:<br /> [ 168.567561] BUG: KASAN: null-ptr-deref in virtio_gpu_conn_get_modes+0xb4/0x140 [virtio_gpu]<br /> [ 168.567565] Read of size 4 at addr 0000000000000054 by task syz/6425<br /> [ 168.567566]<br /> [ 168.567571] CPU: 1 PID: 6425 Comm: syz Kdump: loaded Not tainted 4.19.90-vhulk2201.1.0.h1035.kasan.eulerosv2r10.aarch64 #1<br /> [ 168.567573] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015<br /> [ 168.567575] Call trace:<br /> [ 168.567578] dump_backtrace+0x0/0x310<br /> [ 168.567582] show_stack+0x28/0x38<br /> [ 168.567586] dump_stack+0xec/0x15c<br /> [ 168.567591] kasan_report+0x244/0x2f0<br /> [ 168.567594] __asan_load4+0x58/0xb0<br /> [ 168.567607] virtio_gpu_conn_get_modes+0xb4/0x140 [virtio_gpu]<br /> [ 168.567612] drm_helper_probe_single_connector_modes+0x3a4/0xd80<br /> [ 168.567617] drm_mode_getconnector+0x2e0/0xa70<br /> [ 168.567621] drm_ioctl_kernel+0x11c/0x1d8<br /> [ 168.567624] drm_ioctl+0x558/0x6d0<br /> [ 168.567628] do_vfs_ioctl+0x160/0xf30<br /> [ 168.567632] ksys_ioctl+0x98/0xd8<br /> [ 168.567636] __arm64_sys_ioctl+0x50/0xc8<br /> [ 168.567641] el0_svc_common+0xc8/0x320<br /> [ 168.567645] el0_svc_handler+0xf8/0x160<br /> [ 168.567649] el0_svc+0x10/0x218