Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> serial: imx: Introduce timeout when waiting on transmitter empty<br /> <br /> By waiting at most 1 second for USR2_TXDC to be set, we avoid a potential<br /> deadlock.<br /> <br /> In case of the timeout, there is not much we can do, so we simply ignore<br /> the transmitter state and optimistically try to continue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> MIPS: Octeon: Add PCIe link status check<br /> <br /> The standard PCIe configuration read-write interface is used to<br /> access the configuration space of the peripheral PCIe devices<br /> of the mips processor after the PCIe link surprise down, it can<br /> generate kernel panic caused by "Data bus error". So it is<br /> necessary to add PCIe link status check for system protection.<br /> When the PCIe link is down or in training, assigning a value<br /> of 0 to the configuration address can prevent read-write behavior<br /> to the configuration space of peripheral PCIe devices, thereby<br /> preventing kernel panic.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Avoid hw_desc array overrun in dw-axi-dmac<br /> <br /> I have a use case where nr_buffers = 3 and in which each descriptor is composed by 3<br /> segments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put()<br /> handles the hw_desc considering the descs_allocated, this scenario would result in a<br /> kernel panic (hw_desc array will be overrun).<br /> <br /> To fix this, the proposal is to add a new member to the axi_dma_desc structure,<br /> where we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in<br /> axi_desc_put() to handle the hw_desc array correctly.<br /> <br /> Additionally I propose to remove the axi_chan_start_first_queued() call after completing<br /> the transfer, since it was identified that unbalance can occur (started descriptors can<br /> be interrupted and transfer ignored due to DMA channel not being enabled).

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: remove clear SB_INLINECRYPT flag in default_options<br /> <br /> In f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.<br /> If create new file or open file during this gap, these files<br /> will not use inlinecrypt. Worse case, it may lead to data<br /> corruption if wrappedkey_v0 is enable.<br /> <br /> Thread A: Thread B:<br /> <br /> -f2fs_remount -f2fs_file_open or f2fs_new_inode<br /> -default_options<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: do not create EA inode under buffer lock<br /> <br /> ext4_xattr_set_entry() creates new EA inodes while holding buffer lock<br /> on the external xattr block. This is problematic as it nests all the<br /> allocation locking (which acquires locks on other buffers) under the<br /> buffer lock. This can even deadlock when the filesystem is corrupted and<br /> e.g. quota file is setup to contain xattr block as data block. Move the<br /> allocation of EA inode out of ext4_xattr_set_entry() into the callers.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/pseries: Enforce hcall result buffer validity and size<br /> <br /> plpar_hcall(), plpar_hcall9(), and related functions expect callers to<br /> provide valid result buffers of certain minimum size. Currently this<br /> is communicated only through comments in the code and the compiler has<br /> no idea.<br /> <br /> For example, if I write a bug like this:<br /> <br /> long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE<br /> plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);<br /> <br /> This compiles with no diagnostics emitted, but likely results in stack<br /> corruption at runtime when plpar_hcall9() stores results past the end<br /> of the array. (To be clear this is a contrived example and I have not<br /> found a real instance yet.)<br /> <br /> To make this class of error less likely, we can use explicitly-sized<br /> array parameters instead of pointers in the declarations for the hcall<br /> APIs. When compiled with -Warray-bounds[1], the code above now<br /> provokes a diagnostic like this:<br /> <br /> error: array argument is too small;<br /> is of size 32, callee requires at least 72 [-Werror,-Warray-bounds]<br /> 60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,<br /> | ^ ~~~~~~<br /> <br /> [1] Enabled for LLVM builds but not GCC for now. See commit<br /> 0da6e5fd6c37 ("gcc: disable &amp;#39;-Warray-bounds&amp;#39; for gcc-13 too") and<br /> related changes.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: shmem: fix getting incorrect lruvec when replacing a shmem folio<br /> <br /> When testing shmem swapin, I encountered the warning below on my machine. <br /> The reason is that replacing an old shmem folio with a new one causes<br /> mem_cgroup_migrate() to clear the old folio&amp;#39;s memcg data. As a result,<br /> the old folio cannot get the correct memcg&amp;#39;s lruvec needed to remove<br /> itself from the LRU list when it is being freed. This could lead to<br /> possible serious problems, such as LRU list crashes due to holding the<br /> wrong LRU lock, and incorrect LRU statistics.<br /> <br /> To fix this issue, we can fallback to use the mem_cgroup_replace_folio()<br /> to replace the old shmem folio.<br /> <br /> [ 5241.100311] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5d9960<br /> [ 5241.100317] head: order:4 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0<br /> [ 5241.100319] flags: 0x17fffe0000040068(uptodate|lru|head|swapbacked|node=0|zone=2|lastcpupid=0x3ffff)<br /> [ 5241.100323] raw: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000<br /> [ 5241.100325] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000<br /> [ 5241.100326] head: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000<br /> [ 5241.100327] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000<br /> [ 5241.100328] head: 17fffe0000000204 fffffdffd6665801 ffffffffffffffff 0000000000000000<br /> [ 5241.100329] head: 0000000a00000010 0000000000000000 00000000ffffffff 0000000000000000<br /> [ 5241.100330] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg &amp;&amp; !mem_cgroup_disabled())<br /> [ 5241.100338] ------------[ cut here ]------------<br /> [ 5241.100339] WARNING: CPU: 19 PID: 78402 at include/linux/memcontrol.h:775 folio_lruvec_lock_irqsave+0x140/0x150<br /> [...]<br /> [ 5241.100374] pc : folio_lruvec_lock_irqsave+0x140/0x150<br /> [ 5241.100375] lr : folio_lruvec_lock_irqsave+0x138/0x150<br /> [ 5241.100376] sp : ffff80008b38b930<br /> [...]<br /> [ 5241.100398] Call trace:<br /> [ 5241.100399] folio_lruvec_lock_irqsave+0x140/0x150<br /> [ 5241.100401] __page_cache_release+0x90/0x300<br /> [ 5241.100404] __folio_put+0x50/0x108<br /> [ 5241.100406] shmem_replace_folio+0x1b4/0x240<br /> [ 5241.100409] shmem_swapin_folio+0x314/0x528<br /> [ 5241.100411] shmem_get_folio_gfp+0x3b4/0x930<br /> [ 5241.100412] shmem_fault+0x74/0x160<br /> [ 5241.100414] __do_fault+0x40/0x218<br /> [ 5241.100417] do_shared_fault+0x34/0x1b0<br /> [ 5241.100419] do_fault+0x40/0x168<br /> [ 5241.100420] handle_pte_fault+0x80/0x228<br /> [ 5241.100422] __handle_mm_fault+0x1c4/0x440<br /> [ 5241.100424] handle_mm_fault+0x60/0x1f0<br /> [ 5241.100426] do_page_fault+0x120/0x488<br /> [ 5241.100429] do_translation_fault+0x4c/0x68<br /> [ 5241.100431] do_mem_abort+0x48/0xa0<br /> [ 5241.100434] el0_da+0x38/0xc0<br /> [ 5241.100436] el0t_64_sync_handler+0x68/0xc0<br /> [ 5241.100437] el0t_64_sync+0x14c/0x150<br /> [ 5241.100439] ---[ end trace 0000000000000000 ]---<br /> <br /> [baolin.wang@linux.alibaba.com: remove less helpful comments, per Matthew]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: huge_memory: fix misused mapping_large_folio_support() for anon folios<br /> <br /> When I did a large folios split test, a WARNING "[ 5059.122759][ T166]<br /> Cannot split file folio to non-0 order" was triggered. But the test cases<br /> are only for anonmous folios. while mapping_large_folio_support() is only<br /> reasonable for page cache folios.<br /> <br /> In split_huge_page_to_list_to_order(), the folio passed to<br /> mapping_large_folio_support() maybe anonmous folio. The folio_test_anon()<br /> check is missing. So the split of the anonmous THP is failed. This is<br /> also the same for shmem_mapping(). We&amp;#39;d better add a check for both. But<br /> the shmem_mapping() in __split_huge_page() is not involved, as for<br /> anonmous folios, the end parameter is set to -1, so (head[i].index &gt;= end)<br /> is always false. shmem_mapping() is not called.<br /> <br /> Also add a VM_WARN_ON_ONCE() in mapping_large_folio_support() for anon<br /> mapping, So we can detect the wrong use more easily.<br /> <br /> THP folios maybe exist in the pagecache even the file system doesn&amp;#39;t<br /> support large folio, it is because when CONFIG_TRANSPARENT_HUGEPAGE is<br /> enabled, khugepaged will try to collapse read-only file-backed pages to<br /> THP. But the mapping does not actually support multi order large folios<br /> properly.<br /> <br /> Using /sys/kernel/debug/split_huge_pages to verify this, with this patch,<br /> large anon THP is successfully split and the warning is ceased.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()<br /> <br /> bdev-&gt;bd_super has been removed and commit 8887b94d9322 change the usage<br /> from bdev-&gt;bd_super to b_assoc_map-&gt;host-&gt;i_sb. Since ocfs2 hasn&amp;#39;t set<br /> bh-&gt;b_assoc_map, it will trigger NULL pointer dereference when calling<br /> into ocfs2_abort_trigger().<br /> <br /> Actually this was pointed out in history, see commit 74e364ad1b13. But<br /> I&amp;#39;ve made a mistake when reviewing commit 8887b94d9322 and then<br /> re-introduce this regression.<br /> <br /> Since we cannot revive bdev in buffer head, so fix this issue by<br /> initializing all types of ocfs2 triggers when fill super, and then get the<br /> specific ocfs2 trigger from ocfs2_caching_info when access journal.<br /> <br /> [joseph.qi@linux.alibaba.com: v2]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: fix NULL pointer dereference in ocfs2_journal_dirty()<br /> <br /> bdev-&gt;bd_super has been removed and commit 8887b94d9322 change the usage<br /> from bdev-&gt;bd_super to b_assoc_map-&gt;host-&gt;i_sb. This introduces the<br /> following NULL pointer dereference in ocfs2_journal_dirty() since<br /> b_assoc_map is still not initialized. This can be easily reproduced by<br /> running xfstests generic/186, which simulate no more credits.<br /> <br /> [ 134.351592] BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> ...<br /> [ 134.355341] RIP: 0010:ocfs2_journal_dirty+0x14f/0x160 [ocfs2]<br /> ...<br /> [ 134.365071] Call Trace:<br /> [ 134.365312] <br /> [ 134.365524] ? __die_body+0x1e/0x60<br /> [ 134.365868] ? page_fault_oops+0x13d/0x4f0<br /> [ 134.366265] ? __pfx_bit_wait_io+0x10/0x10<br /> [ 134.366659] ? schedule+0x27/0xb0<br /> [ 134.366981] ? exc_page_fault+0x6a/0x140<br /> [ 134.367356] ? asm_exc_page_fault+0x26/0x30<br /> [ 134.367762] ? ocfs2_journal_dirty+0x14f/0x160 [ocfs2]<br /> [ 134.368305] ? ocfs2_journal_dirty+0x13d/0x160 [ocfs2]<br /> [ 134.368837] ocfs2_create_new_meta_bhs.isra.51+0x139/0x2e0 [ocfs2]<br /> [ 134.369454] ocfs2_grow_tree+0x688/0x8a0 [ocfs2]<br /> [ 134.369927] ocfs2_split_and_insert.isra.67+0x35c/0x4a0 [ocfs2]<br /> [ 134.370521] ocfs2_split_extent+0x314/0x4d0 [ocfs2]<br /> [ 134.371019] ocfs2_change_extent_flag+0x174/0x410 [ocfs2]<br /> [ 134.371566] ocfs2_add_refcount_flag+0x3fa/0x630 [ocfs2]<br /> [ 134.372117] ocfs2_reflink_remap_extent+0x21b/0x4c0 [ocfs2]<br /> [ 134.372994] ? inode_update_timestamps+0x4a/0x120<br /> [ 134.373692] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]<br /> [ 134.374545] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]<br /> [ 134.375393] ocfs2_reflink_remap_blocks+0xe4/0x4e0 [ocfs2]<br /> [ 134.376197] ocfs2_remap_file_range+0x1de/0x390 [ocfs2]<br /> [ 134.376971] ? security_file_permission+0x29/0x50<br /> [ 134.377644] vfs_clone_file_range+0xfe/0x320<br /> [ 134.378268] ioctl_file_clone+0x45/0xa0<br /> [ 134.378853] do_vfs_ioctl+0x457/0x990<br /> [ 134.379422] __x64_sys_ioctl+0x6e/0xd0<br /> [ 134.379987] do_syscall_64+0x5d/0x170<br /> [ 134.380550] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [ 134.381231] RIP: 0033:0x7fa4926397cb<br /> [ 134.381786] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48<br /> [ 134.383930] RSP: 002b:00007ffc2b39f7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br /> [ 134.384854] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa4926397cb<br /> [ 134.385734] RDX: 00007ffc2b39f7f0 RSI: 000000004020940d RDI: 0000000000000003<br /> [ 134.386606] RBP: 0000000000000000 R08: 00111a82a4f015bb R09: 00007fa494221000<br /> [ 134.387476] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> [ 134.388342] R13: 0000000000f10000 R14: 0000558e844e2ac8 R15: 0000000000f10000<br /> [ 134.389207] <br /> <br /> Fix it by only aborting transaction and journal in ocfs2_journal_dirty()<br /> now, and leave ocfs2_abort() later when detecting an aborted handle,<br /> e.g. start next transaction. Also log the handle details in this case.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()<br /> <br /> We can trigger a slab-out-of-bounds with the following commands:<br /> <br /> mkfs.ext4 -F /dev/$disk 10G<br /> mount /dev/$disk /tmp/test<br /> echo 2147483647 &gt; /sys/fs/ext4/$disk/mb_group_prealloc<br /> echo test &gt; /tmp/test/file &amp;&amp; sync<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]<br /> Read of size 8 at addr ffff888121b9d0f0 by task kworker/u2:0/11<br /> CPU: 0 PID: 11 Comm: kworker/u2:0 Tainted: GL 6.7.0-next-20240118 #521<br /> Call Trace:<br /> dump_stack_lvl+0x2c/0x50<br /> kasan_report+0xb6/0xf0<br /> ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]<br /> ext4_mb_regular_allocator+0x19e9/0x2370 [ext4]<br /> ext4_mb_new_blocks+0x88a/0x1370 [ext4]<br /> ext4_ext_map_blocks+0x14f7/0x2390 [ext4]<br /> ext4_map_blocks+0x569/0xea0 [ext4]<br /> ext4_do_writepages+0x10f6/0x1bc0 [ext4]<br /> [...]<br /> ==================================================================<br /> <br /> The flow of issue triggering is as follows:<br /> <br /> // Set s_mb_group_prealloc to 2147483647 via sysfs<br /> ext4_mb_new_blocks<br /> ext4_mb_normalize_request<br /> ext4_mb_normalize_group_request<br /> ac-&gt;ac_g_ex.fe_len = EXT4_SB(sb)-&gt;s_mb_group_prealloc<br /> ext4_mb_regular_allocator<br /> ext4_mb_choose_next_group<br /> ext4_mb_choose_next_group_best_avail<br /> mb_avg_fragment_size_order<br /> order = fls(len) - 2 = 29<br /> ext4_mb_find_good_group_avg_frag_lists<br /> frag_list = &amp;sbi-&gt;s_mb_avg_fragment_size[order]<br /> if (list_empty(frag_list)) // Trigger SOOB!<br /> <br /> At 4k block size, the length of the s_mb_avg_fragment_size list is 14,<br /> but an oversized s_mb_group_prealloc is set, causing slab-out-of-bounds<br /> to be triggered by an attempt to access an element at index 29.<br /> <br /> Add a new attr_id attr_clusters_in_group with values in the range<br /> [0, sbi-&gt;s_clusters_per_group] and declare mb_group_prealloc as<br /> that type to fix the issue. In addition avoid returning an order<br /> from mb_avg_fragment_size_order() greater than MB_NUM_ORDERS(sb)<br /> and reduce some useless loops.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ima: Avoid blocking in RCU read-side critical section<br /> <br /> A panic happens in ima_match_policy:<br /> <br /> BUG: unable to handle kernel NULL pointer dereference at 0000000000000010<br /> PGD 42f873067 P4D 0<br /> Oops: 0000 [#1] SMP NOPTI<br /> CPU: 5 PID: 1286325 Comm: kubeletmonit.sh<br /> Kdump: loaded Tainted: P<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),<br /> BIOS 0.0.0 02/06/2015<br /> RIP: 0010:ima_match_policy+0x84/0x450<br /> Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39<br /> 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d<br /> f2 b9 f4 00 0f 84 9c 01 00 00 85 73 10 74 ea<br /> 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f<br /> RSP: 0018:ff71570009e07a80 EFLAGS: 00010207<br /> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200<br /> RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000<br /> RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739<br /> R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970<br /> R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001<br /> FS: 00007f5195b51740(0000)<br /> GS:ff3e278b12d40000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> ima_get_action+0x22/0x30<br /> process_measurement+0xb0/0x830<br /> ? page_add_file_rmap+0x15/0x170<br /> ? alloc_set_pte+0x269/0x4c0<br /> ? prep_new_page+0x81/0x140<br /> ? simple_xattr_get+0x75/0xa0<br /> ? selinux_file_open+0x9d/0xf0<br /> ima_file_check+0x64/0x90<br /> path_openat+0x571/0x1720<br /> do_filp_open+0x9b/0x110<br /> ? page_counter_try_charge+0x57/0xc0<br /> ? files_cgroup_alloc_fd+0x38/0x60<br /> ? __alloc_fd+0xd4/0x250<br /> ? do_sys_open+0x1bd/0x250<br /> do_sys_open+0x1bd/0x250<br /> do_syscall_64+0x5d/0x1d0<br /> entry_SYSCALL_64_after_hwframe+0x65/0xca<br /> <br /> Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by<br /> ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a<br /> RCU read-side critical section which contains kmalloc with GFP_KERNEL.<br /> This implies a possible sleep and violates limitations of RCU read-side<br /> critical sections on non-PREEMPT systems.<br /> <br /> Sleeping within RCU read-side critical section might cause<br /> synchronize_rcu() returning early and break RCU protection, allowing a<br /> UAF to happen.<br /> <br /> The root cause of this issue could be described as follows:<br /> | Thread A | Thread B |<br /> | |ima_match_policy |<br /> | | rcu_read_lock |<br /> |ima_lsm_update_rule | |<br /> | synchronize_rcu | |<br /> | | kmalloc(GFP_KERNEL)|<br /> | | sleep |<br /> ==&gt; synchronize_rcu returns early<br /> | kfree(entry) | |<br /> | | entry = entry-&gt;next|<br /> ==&gt; UAF happens and entry now becomes NULL (or could be anything).<br /> | | entry-&gt;action |<br /> ==&gt; Accessing entry might cause panic.<br /> <br /> To fix this issue, we are converting all kmalloc that is called within<br /> RCU read-side critical section to use GFP_ATOMIC.<br /> <br /> [PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]