Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put()<br /> <br /> The bnx2fc_destroy() functions are removing the interface before calling<br /> destroy_work. This results multiple WARNings from sysfs_remove_group() as<br /> the controller rport device attributes are removed too early.<br /> <br /> Replace the fcoe_port&amp;#39;s destroy_work queue. It&amp;#39;s not needed.<br /> <br /> The problem is easily reproducible with the following steps.<br /> <br /> Example:<br /> <br /> $ dmesg -w &amp;<br /> $ systemctl enable --now fcoe<br /> $ fipvlan -s -c ens2f1<br /> $ fcoeadm -d ens2f1.802<br /> [ 583.464488] host2: libfc: Link down on port (7500a1)<br /> [ 583.472651] bnx2fc: 7500a1 - rport not created Yet!!<br /> [ 583.490468] ------------[ cut here ]------------<br /> [ 583.538725] sysfs group &amp;#39;power&amp;#39; not found for kobject &amp;#39;rport-2:0-0&amp;#39;<br /> [ 583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80<br /> [ 583.607130] Modules linked in: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio rpcsec_gss_krb5 auth_rpcgss nfsv4 ...<br /> [ 583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x86_64 #1<br /> [ 583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013<br /> [ 584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc]<br /> [ 584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80<br /> [ 584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ...<br /> [ 584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282<br /> [ 584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000<br /> [ 584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0<br /> [ 584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00<br /> [ 584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400<br /> [ 584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004<br /> [ 584.355379] FS: 0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000<br /> [ 584.394419] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0<br /> [ 584.454888] Call Trace:<br /> [ 584.466108] device_del+0xb2/0x3e0<br /> [ 584.481701] device_unregister+0x13/0x60<br /> [ 584.501306] bsg_unregister_queue+0x5b/0x80<br /> [ 584.522029] bsg_remove_queue+0x1c/0x40<br /> [ 584.541884] fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc]<br /> [ 584.573823] process_one_work+0x1e3/0x3b0<br /> [ 584.592396] worker_thread+0x50/0x3b0<br /> [ 584.609256] ? rescuer_thread+0x370/0x370<br /> [ 584.628877] kthread+0x149/0x170<br /> [ 584.643673] ? set_kthread_struct+0x40/0x40<br /> [ 584.662909] ret_from_fork+0x22/0x30<br /> [ 584.680002] ---[ end trace 53575ecefa942ece ]---

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: ops: Reject out of bounds values in snd_soc_put_volsw()<br /> <br /> We don&amp;#39;t currently validate that the values being set are within the range<br /> we advertised to userspace as being valid, do so and reject any values<br /> that are out of range.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: hdmi-codec: Fix OOB memory accesses<br /> <br /> Correct size of iec_status array by changing it to the size of status<br /> array of the struct snd_aes_iec958. This fixes out-of-bounds slab<br /> read accesses made by memcpy() of the hdmi-codec driver. This problem<br /> is reported by KASAN.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> selinux: fix double free of cond_list on error paths<br /> <br /> On error path from cond_read_list() and duplicate_policydb_cond_list()<br /> the cond_list_destroy() gets called a second time in caller functions,<br /> resulting in NULL pointer deref. Fix this by resetting the<br /> cond_list_len to 0 in cond_list_destroy(), making subsequent calls a<br /> noop.<br /> <br /> Also consistently reset the cond_list pointer to NULL after freeing.<br /> <br /> [PM: fix line lengths in the description]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ovl: fix NULL pointer dereference in copy up warning<br /> <br /> This patch is fixing a NULL pointer dereference to get a recently<br /> introduced warning message working.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink()<br /> <br /> While looking at one unrelated syzbot bug, I found the replay logic<br /> in __rtnl_newlink() to potentially trigger use-after-free.<br /> <br /> It is better to clear master_dev and m_ops inside the loop,<br /> in case we have to replay it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: amd-xgbe: Fix skb data length underflow<br /> <br /> There will be BUG_ON() triggered in include/linux/skbuff.h leading to<br /> intermittent kernel panic, when the skb length underflow is detected.<br /> <br /> Fix this by dropping the packet if such length underflows are seen<br /> because of inconsistencies in the hardware descriptors.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: Use del_timer_sync in fw reset flow of halting poll<br /> <br /> Substitute del_timer() with del_timer_sync() in fw reset polling<br /> deactivation flow, in order to prevent a race condition which occurs<br /> when del_timer() is called and timer is deactivated while another<br /> process is handling the timer interrupt. A situation that led to<br /> the following call trace:<br /> RIP: 0010:run_timer_softirq+0x137/0x420<br /> <br /> recalibrate_cpu_khz+0x10/0x10<br /> ktime_get+0x3e/0xa0<br /> ? sched_clock_cpu+0xb/0xc0<br /> __do_softirq+0xf5/0x2ea<br /> irq_exit_rcu+0xc1/0xf0<br /> sysvec_apic_timer_interrupt+0x9e/0xc0<br /> asm_sysvec_apic_timer_interrupt+0x12/0x20<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: Fix handling of wrong devices during bond netevent<br /> <br /> Current implementation of bond netevent handler only check if<br /> the handled netdev is VF representor and it missing a check if<br /> the VF representor is on the same phys device of the bond handling<br /> the netevent.<br /> <br /> Fix by adding the missing check and optimizing the check if<br /> the netdev is VF representor so it will not access uninitialized<br /> private data and crashes.<br /> <br /> BUG: kernel NULL pointer dereference, address: 000000000000036c<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] SMP NOPTI<br /> Workqueue: eth3bond0 bond_mii_monitor [bonding]<br /> RIP: 0010:mlx5e_is_uplink_rep+0xc/0x50 [mlx5_core]<br /> RSP: 0018:ffff88812d69fd60 EFLAGS: 00010282<br /> RAX: 0000000000000000 RBX: ffff8881cf800000 RCX: 0000000000000000<br /> RDX: ffff88812d69fe10 RSI: 000000000000001b RDI: ffff8881cf800880<br /> RBP: ffff8881cf800000 R08: 00000445cabccf2b R09: 0000000000000008<br /> R10: 0000000000000004 R11: 0000000000000008 R12: ffff88812d69fe10<br /> R13: 00000000fffffffe R14: ffff88820c0f9000 R15: 0000000000000000<br /> FS: 0000000000000000(0000) GS:ffff88846fb00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000000000036c CR3: 0000000103d80006 CR4: 0000000000370ea0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> mlx5e_eswitch_uplink_rep+0x31/0x40 [mlx5_core]<br /> mlx5e_rep_is_lag_netdev+0x94/0xc0 [mlx5_core]<br /> mlx5e_rep_esw_bond_netevent+0xeb/0x3d0 [mlx5_core]<br /> raw_notifier_call_chain+0x41/0x60<br /> call_netdevice_notifiers_info+0x34/0x80<br /> netdev_lower_state_changed+0x4e/0xa0<br /> bond_mii_monitor+0x56b/0x640 [bonding]<br /> process_one_work+0x1b9/0x390<br /> worker_thread+0x4d/0x3d0<br /> ? rescuer_thread+0x350/0x350<br /> kthread+0x124/0x150<br /> ? set_kthread_struct+0x40/0x40<br /> ret_from_fork+0x1f/0x30

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block: Fix wrong offset in bio_truncate()<br /> <br /> bio_truncate() clears the buffer outside of last block of bdev, however<br /> current bio_truncate() is using the wrong offset of page. So it can<br /> return the uninitialized data.<br /> <br /> This happened when both of truncated/corrupted FS and userspace (via<br /> bdev) are trying to read the last of bdev.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: Avoid field-overflowing memcpy()<br /> <br /> In preparation for FORTIFY_SOURCE performing compile-time and run-time<br /> field bounds checking for memcpy(), memmove(), and memset(), avoid<br /> intentionally writing across neighboring fields.<br /> <br /> Use flexible arrays instead of zero-element arrays (which look like they<br /> are always overflowing) and split the cross-field memcpy() into two halves<br /> that can be appropriately bounds-checked by the compiler.<br /> <br /> We were doing:<br /> <br /> #define ETH_HLEN 14<br /> #define VLAN_HLEN 4<br /> ...<br /> #define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)<br /> ...<br /> struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi);<br /> ...<br /> struct mlx5_wqe_eth_seg *eseg = &amp;wqe-&gt;eth;<br /> struct mlx5_wqe_data_seg *dseg = wqe-&gt;data;<br /> ...<br /> memcpy(eseg-&gt;inline_hdr.start, xdptxd-&gt;data, MLX5E_XDP_MIN_INLINE);<br /> <br /> target is wqe-&gt;eth.inline_hdr.start (which the compiler sees as being<br /> 2 bytes in size), but copying 18, intending to write across start<br /> (really vlan_tci, 2 bytes). The remaining 16 bytes get written into<br /> wqe-&gt;data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr<br /> (8 bytes).<br /> <br /> struct mlx5e_tx_wqe {<br /> struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 */<br /> struct mlx5_wqe_eth_seg eth; /* 16 16 */<br /> struct mlx5_wqe_data_seg data[]; /* 32 0 */<br /> <br /> /* size: 32, cachelines: 1, members: 3 */<br /> /* last cacheline: 32 bytes */<br /> };<br /> <br /> struct mlx5_wqe_eth_seg {<br /> u8 swp_outer_l4_offset; /* 0 1 */<br /> u8 swp_outer_l3_offset; /* 1 1 */<br /> u8 swp_inner_l4_offset; /* 2 1 */<br /> u8 swp_inner_l3_offset; /* 3 1 */<br /> u8 cs_flags; /* 4 1 */<br /> u8 swp_flags; /* 5 1 */<br /> __be16 mss; /* 6 2 */<br /> __be32 flow_table_metadata; /* 8 4 */<br /> union {<br /> struct {<br /> __be16 sz; /* 12 2 */<br /> u8 start[2]; /* 14 2 */<br /> } inline_hdr; /* 12 4 */<br /> struct {<br /> __be16 type; /* 12 2 */<br /> __be16 vlan_tci; /* 14 2 */<br /> } insert; /* 12 4 */<br /> __be32 trailer; /* 12 4 */<br /> }; /* 12 4 */<br /> <br /> /* size: 16, cachelines: 1, members: 9 */<br /> /* last cacheline: 16 bytes */<br /> };<br /> <br /> struct mlx5_wqe_data_seg {<br /> __be32 byte_count; /* 0 4 */<br /> __be32 lkey; /* 4 4 */<br /> __be64 addr; /* 8 8 */<br /> <br /> /* size: 16, cachelines: 1, members: 3 */<br /> /* last cacheline: 16 bytes */<br /> };<br /> <br /> So, split the memcpy() so the compiler can reason about the buffer<br /> sizes.<br /> <br /> "pahole" shows no size nor member offset changes to struct mlx5e_tx_wqe<br /> nor struct mlx5e_umr_wqe. "objdump -d" shows no meaningful object<br /> code changes (i.e. only source line number induced differences and<br /> optimizations).