Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-46797

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

powerpc/qspinlock: Fix deadlock in MCS queue

If an interrupt occurs in queued_spin_lock_slowpath() after we increment qnodesp->count and before node->lock is initialized, another CPU might see stale lock values in get_tail_qnode(). If the stale lock value happens to match the lock on that CPU, then we write to the "next" pointer of the wrong qnode. This causes a deadlock as the former CPU, once it becomes the head of the MCS queue, will spin indefinitely until its "next" pointer is set by its successor in the queue.

Running stress-ng on a 16 core (16EC/16VP) shared LPAR results in occasional lockups similar to the following:

    $ stress-ng --all 128 --vm-bytes 80% --aggressive \
        --maximize --oomable --verify --syslog \
        --metrics --times --timeout 5m

    watchdog: CPU 15 Hard LOCKUP
    ......
    NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490
    LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90
    Call Trace:
    0xc000002cfffa3bf0 (unreliable)
    _raw_spin_lock+0x6c/0x90
    raw_spin_rq_lock_nested.part.135+0x4c/0xd0
    sched_ttwu_pending+0x60/0x1f0
    __flush_smp_call_function_queue+0x1dc/0x670
    smp_ipi_demux_relaxed+0xa4/0x100
    xive_muxed_ipi_action+0x20/0x40
    __handle_irq_event_percpu+0x80/0x240
    handle_irq_event_percpu+0x2c/0x80
    handle_percpu_irq+0x84/0xd0
    generic_handle_irq+0x54/0x80
    __do_irq+0xac/0x210
    __do_IRQ+0x74/0xd0
    0x0
    do_IRQ+0x8c/0x170
    hardware_interrupt_common_virt+0x29c/0x2a0
    --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490
    ......
    NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490
    LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90
    --- interrupt: 500
    0xc0000029c1a41d00 (unreliable)
    _raw_spin_lock+0x6c/0x90
    futex_wake+0x100/0x260
    do_futex+0x21c/0x2a0
    sys_futex+0x98/0x270
    system_call_exception+0x14c/0x2f0
    system_call_vectored_common+0x15c/0x2ec

The following code flow illustrates how the deadlock occurs. For the sake of brevity, assume that both locks (A and B) are contended and we call the queued_spin_lock_slowpath() function.

    CPU0                                    CPU1
    ----                                    ----
    spin_lock_irqsave(A)                      |
    spin_unlock_irqrestore(A)                 |
    spin_lock(B)                              |
           |                                  |
           ▼                                  |
    id = qnodesp->count++;                    |
    (Note that nodes[0].lock == A)            |
           |                                  |
           ▼                                  |
    Interrupt                                 |
    (happens before "nodes[0].lock = B")      |
           |                                  |
           ▼                                  |
    spin_lock_irqsave(A)                      |
           |                                  |
           ▼                                  |
    id = qnodesp->count++                     |
    nodes[1].lock = A                         |
           |                                  |
           ▼                                  |
    Tail of MCS queue                         |
           |                        spin_lock_irqsave(A)
           ▼                                  |
    Head of MCS queue                         ▼
           |                        CPU0 is previous tail
           ▼                                  |
    Spin indefinitely                         ▼
    (until "nodes[1].next != NULL") prev = get_tail_qnode(A, CPU0)
                                              |
                                              ▼
                                    prev == &qnodes[CPU0].nodes[0]
                                    (as qnodes
---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2024

CVE-2024-46799

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: ti: am65-cpsw: Fix NULL dereference on XDP_TX

If the number of TX queues is set to 1 we get a NULL pointer dereference during XDP_TX.

    ~# ethtool -L eth0 tx 1
    ~# ./xdp-trafficgen udp -A -a eth0 -t 2
    Transmitting on eth0 (ifindex 2)
    [ 241.135257] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030

Fix this by using actual TX queues instead of max TX queues when picking the TX channel in am65_cpsw_ndo_xdp_xmit().
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2024

CVE-2024-46801

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

libfs: fix get_stashed_dentry()

get_stashed_dentry() tries to optimistically retrieve a stashed dentry from a provided location. It needs to ensure to hold rcu lock before it dereferences the stashed location to prevent UAF issues. Use rcu_dereference() instead of READ_ONCE(); it's effectively equivalent with some lockdep bells and whistles and it communicates clearly that this expects rcu protection.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-46791

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open

The mcp251x_hw_wake() function is called with the mcp_lock mutex held and disables the interrupt handler so that no interrupts can be processed while waking the device. If an interrupt has already occurred then waiting for the interrupt handler to complete will deadlock because it will be trying to acquire the same mutex.

    CPU0                           CPU1
    ----                           ----
    mcp251x_open()
     mutex_lock(&priv->mcp_lock)
      request_threaded_irq()

                                   mcp251x_can_ist()
                                    mutex_lock(&priv->mcp_lock)
      mcp251x_hw_wake()
       disable_irq()
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-46794

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

x86/tdx: Fix data leak in mmio_read()

The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM.

Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM.

This variable is only needed as an output value. It did not need to be passed to the VMM in the first place.

Do not send the original value of *val to the VMM.

[ dhansen: clarify what 'val' is used for. ]
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-46795

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: unset the binding mark of a reused connection

Steve French reported null pointer dereference error from sha256 lib. cifs.ko can send session setup requests on reused connection. If reused connection is used for binding session, conn->binding can still remain true and generate_preauth_hash() will not set sess->Preauth_HashValue and it will be NULL. It is used as a material to create an encryption key in ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue causes null pointer dereference error from crypto_shash_update().

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 0 P4D 0
    Oops: 0000 [#1] PREEMPT SMP PTI
    CPU: 8 PID: 429254 Comm: kworker/8:39
    Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )
    Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
    RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]

    ? show_regs+0x6d/0x80
    ? __die+0x24/0x80
    ? page_fault_oops+0x99/0x1b0
    ? do_user_addr_fault+0x2ee/0x6b0
    ? exc_page_fault+0x83/0x1b0
    ? asm_exc_page_fault+0x27/0x30
    ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
    ? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
    ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
    ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
    _sha256_update+0x77/0xa0 [sha256_ssse3]
    sha256_avx2_update+0x15/0x30 [sha256_ssse3]
    crypto_shash_update+0x1e/0x40
    hmac_update+0x12/0x20
    crypto_shash_update+0x1e/0x40
    generate_key+0x234/0x380 [ksmbd]
    generate_smb3encryptionkey+0x40/0x1c0 [ksmbd]
    ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd]
    ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd]
    smb2_sess_setup+0x952/0xaa0 [ksmbd]
    __process_request+0xa3/0x1d0 [ksmbd]
    __handle_ksmbd_work+0x1c4/0x2f0 [ksmbd]
    handle_ksmbd_work+0x2d/0xa0 [ksmbd]
    process_one_work+0x16c/0x350
    worker_thread+0x306/0x440
    ? __pfx_worker_thread+0x10/0x10
    kthread+0xef/0x120
    ? __pfx_kthread+0x10/0x10
    ret_from_fork+0x44/0x70
    ? __pfx_kthread+0x10/0x10
    ret_from_fork_asm+0x1b/0x30
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-46798

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object

When using kernel with the following extra config,

- CONFIG_KASAN=y
- CONFIG_KASAN_GENERIC=y
- CONFIG_KASAN_INLINE=y
- CONFIG_KASAN_VMALLOC=y
- CONFIG_FRAME_WARN=4096

kernel detects that snd_pcm_suspend_all() accesses a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug:

    [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270
    [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330

    [ 52.047785] Call trace:
    [ 52.047787] dump_backtrace+0x0/0x3c0
    [ 52.047794] show_stack+0x34/0x50
    [ 52.047797] dump_stack_lvl+0x68/0x8c
    [ 52.047802] print_address_description.constprop.0+0x74/0x2c0
    [ 52.047809] kasan_report+0x210/0x230
    [ 52.047815] __asan_report_load1_noabort+0x3c/0x50
    [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270
    [ 52.047824] snd_soc_suspend+0x19c/0x4e0

The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL every time we kfree() it.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-46800

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

sch/netem: fix use after free in netem_dequeue

If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN, the packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 ("netem: fix return value if duplicate enqueue fails")

Commands to trigger KASAN UaF:

    ip link add type dummy
    ip link set lo up
    ip link set dummy0 up
    tc qdisc add dev lo parent root handle 1: drr
    tc filter add dev lo parent 1: basic classid 1:1
    tc class add dev lo classid 1:1 drr
    tc qdisc add dev lo parent 1:1 handle 2: netem
    tc qdisc add dev lo parent 2: handle 3: drr
    tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0
    tc class add dev lo classid 3:1 drr
    ping -c1 -W0.01 localhost # Trigger bug
    tc class del dev lo classid 1:1
    tc class add dev lo classid 1:1 drr
    ping -c1 -W0.01 localhost # UaF
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-46775

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Validate function returns

[WHAT & HOW]
Function return values must be checked before data can be used in subsequent functions.

This fixes 4 CHECKED_RETURN issues reported by Coverity.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-46776

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Run DC_LOG_DC after checking link->link_enc

[WHAT]
The DC_LOG_DC should be run after link->link_enc is checked, not before.

This fixes 1 REVERSE_INULL issue reported by Coverity.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-46778

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check UnboundedRequestEnabled's value

CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus if (p->UnboundedRequestEnabled) checks its address, not bool value.

This fixes 1 REVERSE_INULL issue reported by Coverity.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-46779

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/imagination: Free pvr_vm_gpuva after unlink

This caused a measurable memory leak. Although the individual allocations are small, the leaks occur in a high-usage codepath (remapping or unmapping device memory) so they add up quickly.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2024