Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/vt-d: Fix double list_add when enabling VMD in scalable mode<br /> <br /> When enabling VMD and IOMMU scalable mode, the following kernel panic<br /> call trace/kernel log is shown in Eagle Stream platform (Sapphire Rapids<br /> CPU) during booting:<br /> <br /> pci 0000:59:00.5: Adding to iommu group 42<br /> ...<br /> vmd 0000:59:00.5: PCI host bridge to bus 10000:80<br /> pci 10000:80:01.0: [8086:352a] type 01 class 0x060400<br /> pci 10000:80:01.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit]<br /> pci 10000:80:01.0: enabling Extended Tags<br /> pci 10000:80:01.0: PME# supported from D0 D3hot D3cold<br /> pci 10000:80:01.0: DMAR: Setup RID2PASID failed<br /> pci 10000:80:01.0: Failed to add to iommu group 42: -16<br /> pci 10000:80:03.0: [8086:352b] type 01 class 0x060400<br /> pci 10000:80:03.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit]<br /> pci 10000:80:03.0: enabling Extended Tags<br /> pci 10000:80:03.0: PME# supported from D0 D3hot D3cold<br /> ------------[ cut here ]------------<br /> kernel BUG at lib/list_debug.c:29!<br /> invalid opcode: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.17.0-rc3+ #7<br /> Hardware name: Lenovo ThinkSystem SR650V3/SB27A86647, BIOS ESE101Y-1.00 01/13/2022<br /> Workqueue: events work_for_cpu_fn<br /> RIP: 0010:__list_add_valid.cold+0x26/0x3f<br /> Code: 9a 4a ab ff 4c 89 c1 48 c7 c7 40 0c d9 9e e8 b9 b1 fe ff 0f<br /> 0b 48 89 f2 4c 89 c1 48 89 fe 48 c7 c7 f0 0c d9 9e e8 a2 b1<br /> fe ff 0b 48 89 d1 4c 89 c6 4c 89 ca 48 c7 c7 98 0c d9<br /> 9e e8 8b b1 fe<br /> RSP: 0000:ff5ad434865b3a40 EFLAGS: 00010246<br /> RAX: 0000000000000058 RBX: ff4d61160b74b880 RCX: ff4d61255e1fffa8<br /> RDX: 0000000000000000 RSI: 00000000fffeffff RDI: ffffffff9fd34f20<br /> RBP: ff4d611d8e245c00 R08: 0000000000000000 R09: ff5ad434865b3888<br /> R10: ff5ad434865b3880 R11: ff4d61257fdc6fe8 R12: ff4d61160b74b8a0<br /> R13: ff4d61160b74b8a0 R14: ff4d611d8e245c10 R15: ff4d611d8001ba70<br /> FS: 0000000000000000(0000) GS:ff4d611d5ea00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: ff4d611fa1401000 CR3: 0000000aa0210001 CR4: 0000000000771ef0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> intel_pasid_alloc_table+0x9c/0x1d0<br /> dmar_insert_one_dev_info+0x423/0x540<br /> ? device_to_iommu+0x12d/0x2f0<br /> intel_iommu_attach_device+0x116/0x290<br /> __iommu_attach_device+0x1a/0x90<br /> iommu_group_add_device+0x190/0x2c0<br /> __iommu_probe_device+0x13e/0x250<br /> iommu_probe_device+0x24/0x150<br /> iommu_bus_notifier+0x69/0x90<br /> blocking_notifier_call_chain+0x5a/0x80<br /> device_add+0x3db/0x7b0<br /> ? arch_memremap_can_ram_remap+0x19/0x50<br /> ? memremap+0x75/0x140<br /> pci_device_add+0x193/0x1d0<br /> pci_scan_single_device+0xb9/0xf0<br /> pci_scan_slot+0x4c/0x110<br /> pci_scan_child_bus_extend+0x3a/0x290<br /> vmd_enable_domain.constprop.0+0x63e/0x820<br /> vmd_probe+0x163/0x190<br /> local_pci_probe+0x42/0x80<br /> work_for_cpu_fn+0x13/0x20<br /> process_one_work+0x1e2/0x3b0<br /> worker_thread+0x1c4/0x3a0<br /> ? rescuer_thread+0x370/0x370<br /> kthread+0xc7/0xf0<br /> ? kthread_complete_and_exit+0x20/0x20<br /> ret_from_fork+0x1f/0x30<br /> <br /> Modules linked in:<br /> ---[ end trace 0000000000000000 ]---<br /> ...<br /> Kernel panic - not syncing: Fatal exception<br /> Kernel Offset: 0x1ca00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)<br /> ---[ end Kernel panic - not syncing: Fatal exception ]---<br /> <br /> The following &amp;#39;lspci&amp;#39; output shows devices &amp;#39;10000:80:*&amp;#39; are subdevices of<br /> the VMD device 0000:59:00.5:<br /> <br /> $ lspci<br /> ...<br /> 0000:59:00.5 RAID bus controller: Intel Corporation Volume Management Device NVMe RAID Controller (rev 20)<br /> ...<br /> 10000:80:01.0 PCI bridge: Intel Corporation Device 352a (rev 03)<br /> 10000:80:03.0 PCI bridge: Intel Corporation Device 352b (rev 03)<br /> 10000:80:05.0 PCI bridge: Intel Corporation Device 352c (rev 03)<br /> 10000:80:07.0 PCI bridge: Intel Corporation Device 352d (rev 03)<br /> 10000:81:00.0 Non-Volatile memory controller: Intel Corporation NVMe Datacenter SSD [3DNAND, Beta Rock Controller]<br /> 10000:82:00<br /> ---truncated---

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iwlwifi: mvm: check debugfs_dir ptr before use<br /> <br /> When "debugfs=off" is used on the kernel command line, iwiwifi&amp;#39;s<br /> mvm module uses an invalid/unchecked debugfs_dir pointer and causes<br /> a BUG:<br /> <br /> BUG: kernel NULL pointer dereference, address: 000000000000004f<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] PREEMPT SMP<br /> CPU: 1 PID: 503 Comm: modprobe Tainted: G W 5.17.0-rc5 #7<br /> Hardware name: Dell Inc. Inspiron 15 5510/076F7Y, BIOS 2.4.1 11/05/2021<br /> RIP: 0010:iwl_mvm_dbgfs_register+0x692/0x700 [iwlmvm]<br /> Code: 69 a0 be 80 01 00 00 48 c7 c7 50 73 6a a0 e8 95 cf ee e0 48 8b 83 b0 1e 00 00 48 c7 c2 54 73 6a a0 be 64 00 00 00 48 8d 7d 8c 8b 48 50 e8 15 22 07 e1 48 8b 43 28 48 8d 55 8c 48 c7 c7 5f 73<br /> RSP: 0018:ffffc90000a0ba68 EFLAGS: 00010246<br /> RAX: ffffffffffffffff RBX: ffff88817d6e3328 RCX: ffff88817d6e3328<br /> RDX: ffffffffa06a7354 RSI: 0000000000000064 RDI: ffffc90000a0ba6c<br /> RBP: ffffc90000a0bae0 R08: ffffffff824e4880 R09: ffffffffa069d620<br /> R10: ffffc90000a0ba00 R11: ffffffffffffffff R12: 0000000000000000<br /> R13: ffffc90000a0bb28 R14: ffff88817d6e3328 R15: ffff88817d6e3320<br /> FS: 00007f64dd92d740(0000) GS:ffff88847f640000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000000000004f CR3: 000000016fc79001 CR4: 0000000000770ee0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? iwl_mvm_mac_setup_register+0xbdc/0xda0 [iwlmvm]<br /> iwl_mvm_start_post_nvm+0x71/0x100 [iwlmvm]<br /> iwl_op_mode_mvm_start+0xab8/0xb30 [iwlmvm]<br /> _iwl_op_mode_start+0x6f/0xd0 [iwlwifi]<br /> iwl_opmode_register+0x6a/0xe0 [iwlwifi]<br /> ? 0xffffffffa0231000<br /> iwl_mvm_init+0x35/0x1000 [iwlmvm]<br /> ? 0xffffffffa0231000<br /> do_one_initcall+0x5a/0x1b0<br /> ? kmem_cache_alloc+0x1e5/0x2f0<br /> ? do_init_module+0x1e/0x220<br /> do_init_module+0x48/0x220<br /> load_module+0x2602/0x2bc0<br /> ? __kernel_read+0x145/0x2e0<br /> ? kernel_read_file+0x229/0x290<br /> __do_sys_finit_module+0xc5/0x130<br /> ? __do_sys_finit_module+0xc5/0x130<br /> __x64_sys_finit_module+0x13/0x20<br /> do_syscall_64+0x38/0x90<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> RIP: 0033:0x7f64dda564dd<br /> Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1b 29 0f 00 f7 d8 64 89 01 48<br /> RSP: 002b:00007ffdba393f88 EFLAGS: 00000246 ORIG_RAX: 0000000000000139<br /> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f64dda564dd<br /> RDX: 0000000000000000 RSI: 00005575399e2ab2 RDI: 0000000000000001<br /> RBP: 000055753a91c5e0 R08: 0000000000000000 R09: 0000000000000002<br /> R10: 0000000000000001 R11: 0000000000000246 R12: 00005575399e2ab2<br /> R13: 000055753a91ceb0 R14: 0000000000000000 R15: 000055753a923018<br /> <br /> Modules linked in: btintel(+) btmtk bluetooth vfat snd_hda_codec_hdmi fat snd_hda_codec_realtek snd_hda_codec_generic iwlmvm(+) snd_sof_pci_intel_tgl mac80211 snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation soundwire_cadence soundwire_bus snd_sof_intel_hda snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core btrfs snd_compress snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec raid6_pq iwlwifi snd_hda_core snd_pcm snd_timer snd soundcore cfg80211 intel_ish_ipc(+) thunderbolt rfkill intel_ishtp ucsi_acpi wmi i2c_hid_acpi i2c_hid evdev<br /> CR2: 000000000000004f<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> Check the debugfs_dir pointer for an error before using it.<br /> <br /> [change to make both conditional]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: fix double free race when mount fails in cifs_get_root()<br /> <br /> When cifs_get_root() fails during cifs_smb3_do_mount() we call<br /> deactivate_locked_super() which eventually will call delayed_free() which<br /> will free the context.<br /> In this situation we should not proceed to enter the out: section in<br /> cifs_smb3_do_mount() and free the same resources a second time.<br /> <br /> [Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60<br /> [Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0<br /> <br /> [Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #4<br /> [Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019<br /> [Thu Feb 10 12:59:06 2022] Call Trace:<br /> [Thu Feb 10 12:59:06 2022] <br /> [Thu Feb 10 12:59:06 2022] dump_stack_lvl+0x5d/0x78<br /> [Thu Feb 10 12:59:06 2022] print_address_description.constprop.0+0x24/0x150<br /> [Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60<br /> [Thu Feb 10 12:59:06 2022] kasan_report.cold+0x7d/0x117<br /> [Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60<br /> [Thu Feb 10 12:59:06 2022] __asan_load8+0x86/0xa0<br /> [Thu Feb 10 12:59:06 2022] rcu_cblist_dequeue+0x32/0x60<br /> [Thu Feb 10 12:59:06 2022] rcu_core+0x547/0xca0<br /> [Thu Feb 10 12:59:06 2022] ? call_rcu+0x3c0/0x3c0<br /> [Thu Feb 10 12:59:06 2022] ? __this_cpu_preempt_check+0x13/0x20<br /> [Thu Feb 10 12:59:06 2022] ? lock_is_held_type+0xea/0x140<br /> [Thu Feb 10 12:59:06 2022] rcu_core_si+0xe/0x10<br /> [Thu Feb 10 12:59:06 2022] __do_softirq+0x1d4/0x67b<br /> [Thu Feb 10 12:59:06 2022] __irq_exit_rcu+0x100/0x150<br /> [Thu Feb 10 12:59:06 2022] irq_exit_rcu+0xe/0x30<br /> [Thu Feb 10 12:59:06 2022] sysvec_hyperv_stimer0+0x9d/0xc0<br /> ...<br /> [Thu Feb 10 12:59:07 2022] Freed by task 58179:<br /> [Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50<br /> [Thu Feb 10 12:59:07 2022] kasan_set_track+0x25/0x30<br /> [Thu Feb 10 12:59:07 2022] kasan_set_free_info+0x24/0x40<br /> [Thu Feb 10 12:59:07 2022] ____kasan_slab_free+0x137/0x170<br /> [Thu Feb 10 12:59:07 2022] __kasan_slab_free+0x12/0x20<br /> [Thu Feb 10 12:59:07 2022] slab_free_freelist_hook+0xb3/0x1d0<br /> [Thu Feb 10 12:59:07 2022] kfree+0xcd/0x520<br /> [Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0x149/0xbe0 [cifs]<br /> [Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs]<br /> [Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140<br /> [Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0<br /> [Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210<br /> [Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0<br /> [Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> [Thu Feb 10 12:59:07 2022] Last potentially related work creation:<br /> [Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50<br /> [Thu Feb 10 12:59:07 2022] __kasan_record_aux_stack+0xb6/0xc0<br /> [Thu Feb 10 12:59:07 2022] kasan_record_aux_stack_noalloc+0xb/0x10<br /> [Thu Feb 10 12:59:07 2022] call_rcu+0x76/0x3c0<br /> [Thu Feb 10 12:59:07 2022] cifs_umount+0xce/0xe0 [cifs]<br /> [Thu Feb 10 12:59:07 2022] cifs_kill_sb+0xc8/0xe0 [cifs]<br /> [Thu Feb 10 12:59:07 2022] deactivate_locked_super+0x5d/0xd0<br /> [Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0xab9/0xbe0 [cifs]<br /> [Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs]<br /> [Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140<br /> [Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0<br /> [Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210<br /> [Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0<br /> [Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op()<br /> <br /> In zynq_qspi_exec_mem_op(), kzalloc() is directly used in memset(),<br /> which could lead to a NULL pointer dereference on failure of<br /> kzalloc().<br /> <br /> Fix this bug by adding a check of tmpbuf.<br /> <br /> This bug was found by a static analyzer. The analysis employs<br /> differential checking to identify inconsistent security operations<br /> (e.g., checks or kfrees) between two code paths and confirms that the<br /> inconsistent operations are not recovered in the current function or<br /> the callers, so they constitute bugs.<br /> <br /> Note that, as a bug found by static analysis, it can be a false<br /> positive or hard to trigger. Multiple researchers have cross-reviewed<br /> the bug.<br /> <br /> Builds with CONFIG_SPI_ZYNQ_QSPI=m show no new warnings,<br /> and our static analyzer no longer warns about this code.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: do not start relocation until in progress drops are done<br /> <br /> We hit a bug with a recovering relocation on mount for one of our file<br /> systems in production. I reproduced this locally by injecting errors<br /> into snapshot delete with balance running at the same time. This<br /> presented as an error while looking up an extent item<br /> <br /> WARNING: CPU: 5 PID: 1501 at fs/btrfs/extent-tree.c:866 lookup_inline_extent_backref+0x647/0x680<br /> CPU: 5 PID: 1501 Comm: btrfs-balance Not tainted 5.16.0-rc8+ #8<br /> RIP: 0010:lookup_inline_extent_backref+0x647/0x680<br /> RSP: 0018:ffffae0a023ab960 EFLAGS: 00010202<br /> RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000000000<br /> RBP: ffff943fd2a39b60 R08: 0000000000000000 R09: 0000000000000001<br /> R10: 0001434088152de0 R11: 0000000000000000 R12: 0000000001d05000<br /> R13: ffff943fd2a39b60 R14: ffff943fdb96f2a0 R15: ffff9442fc923000<br /> FS: 0000000000000000(0000) GS:ffff944e9eb40000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f1157b1fca8 CR3: 000000010f092000 CR4: 0000000000350ee0<br /> Call Trace:<br /> <br /> insert_inline_extent_backref+0x46/0xd0<br /> __btrfs_inc_extent_ref.isra.0+0x5f/0x200<br /> ? btrfs_merge_delayed_refs+0x164/0x190<br /> __btrfs_run_delayed_refs+0x561/0xfa0<br /> ? btrfs_search_slot+0x7b4/0xb30<br /> ? btrfs_update_root+0x1a9/0x2c0<br /> btrfs_run_delayed_refs+0x73/0x1f0<br /> ? btrfs_update_root+0x1a9/0x2c0<br /> btrfs_commit_transaction+0x50/0xa50<br /> ? btrfs_update_reloc_root+0x122/0x220<br /> prepare_to_merge+0x29f/0x320<br /> relocate_block_group+0x2b8/0x550<br /> btrfs_relocate_block_group+0x1a6/0x350<br /> btrfs_relocate_chunk+0x27/0xe0<br /> btrfs_balance+0x777/0xe60<br /> balance_kthread+0x35/0x50<br /> ? btrfs_balance+0xe60/0xe60<br /> kthread+0x16b/0x190<br /> ? set_kthread_struct+0x40/0x40<br /> ret_from_fork+0x22/0x30<br /> <br /> <br /> Normally snapshot deletion and relocation are excluded from running at<br /> the same time by the fs_info-&gt;cleaner_mutex. However if we had a<br /> pending balance waiting to get the -&gt;cleaner_mutex, and a snapshot<br /> deletion was running, and then the box crashed, we would come up in a<br /> state where we have a half deleted snapshot.<br /> <br /> Again, in the normal case the snapshot deletion needs to complete before<br /> relocation can start, but in this case relocation could very well start<br /> before the snapshot deletion completes, as we simply add the root to the<br /> dead roots list and wait for the next time the cleaner runs to clean up<br /> the snapshot.<br /> <br /> Fix this by setting a bit on the fs_info if we have any DEAD_ROOT&amp;#39;s that<br /> had a pending drop_progress key. If they do then we know we were in the<br /> middle of the drop operation and set a flag on the fs_info. Then<br /> balance can wait until this flag is cleared to start up again.<br /> <br /> If there are DEAD_ROOT&amp;#39;s that don&amp;#39;t have a drop_progress set then we&amp;#39;re<br /> safe to start balance right away as we&amp;#39;ll be properly protected by the<br /> cleaner_mutex.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: do not WARN_ON() if we have PageError set<br /> <br /> Whenever we do any extent buffer operations we call<br /> assert_eb_page_uptodate() to complain loudly if we&amp;#39;re operating on an<br /> non-uptodate page. Our overnight tests caught this warning earlier this<br /> week<br /> <br /> WARNING: CPU: 1 PID: 553508 at fs/btrfs/extent_io.c:6849 assert_eb_page_uptodate+0x3f/0x50<br /> CPU: 1 PID: 553508 Comm: kworker/u4:13 Tainted: G W 5.17.0-rc3+ #564<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014<br /> Workqueue: btrfs-cache btrfs_work_helper<br /> RIP: 0010:assert_eb_page_uptodate+0x3f/0x50<br /> RSP: 0018:ffffa961440a7c68 EFLAGS: 00010246<br /> RAX: 0017ffffc0002112 RBX: ffffe6e74453f9c0 RCX: 0000000000001000<br /> RDX: ffffe6e74467c887 RSI: ffffe6e74453f9c0 RDI: ffff8d4c5efc2fc0<br /> RBP: 0000000000000d56 R08: ffff8d4d4a224000 R09: 0000000000000000<br /> R10: 00015817fa9d1ef0 R11: 000000000000000c R12: 00000000000007b1<br /> R13: ffff8d4c5efc2fc0 R14: 0000000001500000 R15: 0000000001cb1000<br /> FS: 0000000000000000(0000) GS:ffff8d4dbbd00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007ff31d3448d8 CR3: 0000000118be8004 CR4: 0000000000370ee0<br /> Call Trace:<br /> <br /> extent_buffer_test_bit+0x3f/0x70<br /> free_space_test_bit+0xa6/0xc0<br /> load_free_space_tree+0x1f6/0x470<br /> caching_thread+0x454/0x630<br /> ? rcu_read_lock_sched_held+0x12/0x60<br /> ? rcu_read_lock_sched_held+0x12/0x60<br /> ? rcu_read_lock_sched_held+0x12/0x60<br /> ? lock_release+0x1f0/0x2d0<br /> btrfs_work_helper+0xf2/0x3e0<br /> ? lock_release+0x1f0/0x2d0<br /> ? finish_task_switch.isra.0+0xf9/0x3a0<br /> process_one_work+0x26d/0x580<br /> ? process_one_work+0x580/0x580<br /> worker_thread+0x55/0x3b0<br /> ? process_one_work+0x580/0x580<br /> kthread+0xf0/0x120<br /> ? kthread_complete_and_exit+0x20/0x20<br /> ret_from_fork+0x1f/0x30<br /> <br /> This was partially fixed by c2e39305299f01 ("btrfs: clear extent buffer<br /> uptodate when we fail to write it"), however all that fix did was keep<br /> us from finding extent buffers after a failed writeout. It didn&amp;#39;t keep<br /> us from continuing to use a buffer that we already had found.<br /> <br /> In this case we&amp;#39;re searching the commit root to cache the block group,<br /> so we can start committing the transaction and switch the commit root<br /> and then start writing. After the switch we can look up an extent<br /> buffer that hasn&amp;#39;t been written yet and start processing that block<br /> group. Then we fail to write that block out and clear Uptodate on the<br /> page, and then we start spewing these errors.<br /> <br /> Normally we&amp;#39;re protected by the tree lock to a certain degree here. If<br /> we read a block we have that block read locked, and we block the writer<br /> from locking the block before we submit it for the write. However this<br /> isn&amp;#39;t necessarily fool proof because the read could happen before we do<br /> the submit_bio and after we locked and unlocked the extent buffer.<br /> <br /> Also in this particular case we have path-&gt;skip_locking set, so that<br /> won&amp;#39;t save us here. We&amp;#39;ll simply get a block that was valid when we<br /> read it, but became invalid while we were using it.<br /> <br /> What we really want is to catch the case where we&amp;#39;ve "read" a block but<br /> it&amp;#39;s not marked Uptodate. On read we ClearPageError(), so if we&amp;#39;re<br /> !Uptodate and !Error we know we didn&amp;#39;t do the right thing for reading<br /> the page.<br /> <br /> Fix this by checking !Uptodate &amp;&amp; !Error, this way we will not complain<br /> if our buffer gets invalidated while we&amp;#39;re using it, and we&amp;#39;ll maintain<br /> the spirit of the check which is to make sure we have a fully in-cache<br /> block while we&amp;#39;re messing with it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix relocation crash due to premature return from btrfs_commit_transaction()<br /> <br /> We are seeing crashes similar to the following trace:<br /> <br /> [38.969182] WARNING: CPU: 20 PID: 2105 at fs/btrfs/relocation.c:4070 btrfs_relocate_block_group+0x2dc/0x340 [btrfs]<br /> [38.973556] CPU: 20 PID: 2105 Comm: btrfs Not tainted 5.17.0-rc4 #54<br /> [38.974580] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014<br /> [38.976539] RIP: 0010:btrfs_relocate_block_group+0x2dc/0x340 [btrfs]<br /> [38.980336] RSP: 0000:ffffb0dd42e03c20 EFLAGS: 00010206<br /> [38.981218] RAX: ffff96cfc4ede800 RBX: ffff96cfc3ce0000 RCX: 000000000002ca14<br /> [38.982560] RDX: 0000000000000000 RSI: 4cfd109a0bcb5d7f RDI: ffff96cfc3ce0360<br /> [38.983619] RBP: ffff96cfc309c000 R08: 0000000000000000 R09: 0000000000000000<br /> [38.984678] R10: ffff96cec0000001 R11: ffffe84c80000000 R12: ffff96cfc4ede800<br /> [38.985735] R13: 0000000000000000 R14: 0000000000000000 R15: ffff96cfc3ce0360<br /> [38.987146] FS: 00007f11c15218c0(0000) GS:ffff96d6dfb00000(0000) knlGS:0000000000000000<br /> [38.988662] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [38.989398] CR2: 00007ffc922c8e60 CR3: 00000001147a6001 CR4: 0000000000370ee0<br /> [38.990279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [38.991219] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [38.992528] Call Trace:<br /> [38.992854] <br /> [38.993148] btrfs_relocate_chunk+0x27/0xe0 [btrfs]<br /> [38.993941] btrfs_balance+0x78e/0xea0 [btrfs]<br /> [38.994801] ? vsnprintf+0x33c/0x520<br /> [38.995368] ? __kmalloc_track_caller+0x351/0x440<br /> [38.996198] btrfs_ioctl_balance+0x2b9/0x3a0 [btrfs]<br /> [38.997084] btrfs_ioctl+0x11b0/0x2da0 [btrfs]<br /> [38.997867] ? mod_objcg_state+0xee/0x340<br /> [38.998552] ? seq_release+0x24/0x30<br /> [38.999184] ? proc_nr_files+0x30/0x30<br /> [38.999654] ? call_rcu+0xc8/0x2f0<br /> [39.000228] ? __x64_sys_ioctl+0x84/0xc0<br /> [39.000872] ? btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs]<br /> [39.001973] __x64_sys_ioctl+0x84/0xc0<br /> [39.002566] do_syscall_64+0x3a/0x80<br /> [39.003011] entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> [39.003735] RIP: 0033:0x7f11c166959b<br /> [39.007324] RSP: 002b:00007fff2543e998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br /> [39.008521] RAX: ffffffffffffffda RBX: 00007f11c1521698 RCX: 00007f11c166959b<br /> [39.009833] RDX: 00007fff2543ea40 RSI: 00000000c4009420 RDI: 0000000000000003<br /> [39.011270] RBP: 0000000000000003 R08: 0000000000000013 R09: 00007f11c16f94e0<br /> [39.012581] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff25440df3<br /> [39.014046] R13: 0000000000000000 R14: 00007fff2543ea40 R15: 0000000000000001<br /> [39.015040] <br /> [39.015418] ---[ end trace 0000000000000000 ]---<br /> [43.131559] ------------[ cut here ]------------<br /> [43.132234] kernel BUG at fs/btrfs/extent-tree.c:2717!<br /> [43.133031] invalid opcode: 0000 [#1] PREEMPT SMP PTI<br /> [43.133702] CPU: 1 PID: 1839 Comm: btrfs Tainted: G W 5.17.0-rc4 #54<br /> [43.134863] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014<br /> [43.136426] RIP: 0010:unpin_extent_range+0x37a/0x4f0 [btrfs]<br /> [43.139913] RSP: 0000:ffffb0dd4216bc70 EFLAGS: 00010246<br /> [43.140629] RAX: 0000000000000000 RBX: ffff96cfc34490f8 RCX: 0000000000000001<br /> [43.141604] RDX: 0000000080000001 RSI: 0000000051d00000 RDI: 00000000ffffffff<br /> [43.142645] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff96cfd07dca50<br /> [43.143669] R10: ffff96cfc46e8a00 R11: fffffffffffec000 R12: 0000000041d00000<br /> [43.144657] R13: ffff96cfc3ce0000 R14: ffffb0dd4216bd08 R15: 0000000000000000<br /> [43.145686] FS: 00007f7657dd68c0(0000) GS:ffff96d6df640000(0000) knlGS:0000000000000000<br /> [43.146808] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [43.147584] CR2: 00007f7fe81bf5b0 CR3: 00000001093ee004 CR4: 0000000000370ee0<br /> [43.148589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [43.149581] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 00000000000<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/amd: Fix I/O page table memory leak<br /> <br /> The current logic updates the I/O page table mode for the domain<br /> before calling the logic to free memory used for the page table.<br /> This results in IOMMU page table memory leak, and can be observed<br /> when launching VM w/ pass-through devices.<br /> <br /> Fix by freeing the memory used for page table before updating the mode.

Retool (self-hosted enterprise) through 3.40.0 inserts resource authentication credentials into sent data. Credentials for users with "Use" permissions can be discovered (by an authenticated attacker) via the /api/resources endpoint. The earliest affected version is 3.18.1.

JPress through 5.1.1 on Windows has an arbitrary file upload vulnerability that could cause arbitrary code execution via ::$DATA to AttachmentController, such as a .jsp::$DATA file to io.jpress.web.commons.controller.AttachmentController#upload. NOTE: this is unrelated to the attack vector for CVE-2024-32358.