Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: qat - resolve race condition during AER recovery<br /> <br /> During the PCI AER system&amp;#39;s error recovery process, the kernel driver<br /> may encounter a race condition with freeing the reset_data structure&amp;#39;s<br /> memory. If the device restart will take more than 10 seconds the function<br /> scheduling that restart will exit due to a timeout, and the reset_data<br /> structure will be freed. However, this data structure is used for<br /> completion notification after the restart is completed, which leads<br /> to a UAF bug.<br /> <br /> This results in a KFENCE bug notice.<br /> <br /> BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]<br /> Use-after-free read at 0x00000000bc56fddf (in kfence-#142):<br /> adf_device_reset_worker+0x38/0xa0 [intel_qat]<br /> process_one_work+0x173/0x340<br /> <br /> To resolve this race condition, the memory associated to the container<br /> of the work_struct is freed on the worker if the timeout expired,<br /> otherwise on the function that schedules the worker.<br /> The timeout detection can be done by checking if the caller is<br /> still waiting for completion or not by using completion_done() function.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powercap: intel_rapl: Fix a NULL pointer dereference<br /> <br /> A NULL pointer dereference is triggered when probing the MMIO RAPL<br /> driver on platforms with CPU ID not listed in intel_rapl_common CPU<br /> model list.<br /> <br /> This is because the intel_rapl_common module still probes on such<br /> platforms even if &amp;#39;defaults_msr&amp;#39; is not set after commit 1488ac990ac8<br /> ("powercap: intel_rapl: Allow probing without CPUID match"). Thus the<br /> MMIO RAPL rp-&gt;priv-&gt;defaults is NULL when registering to RAPL framework.<br /> <br /> Fix the problem by adding sanity check to ensure rp-&gt;priv-&gt;rapl_defaults<br /> is always valid.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: Always flush async #PF workqueue when vCPU is being destroyed<br /> <br /> Always flush the per-vCPU async #PF workqueue when a vCPU is clearing its<br /> completion queue, e.g. when a VM and all its vCPUs is being destroyed.<br /> KVM must ensure that none of its workqueue callbacks is running when the<br /> last reference to the KVM _module_ is put. Gifting a reference to the<br /> associated VM prevents the workqueue callback from dereferencing freed<br /> vCPU/VM memory, but does not prevent the KVM module from being unloaded<br /> before the callback completes.<br /> <br /> Drop the misguided VM refcount gifting, as calling kvm_put_kvm() from<br /> async_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will<br /> result in deadlock. async_pf_execute() can&amp;#39;t return until kvm_put_kvm()<br /> finishes, and kvm_put_kvm() can&amp;#39;t return until async_pf_execute() finishes:<br /> <br /> WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]<br /> Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass<br /> CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015<br /> Workqueue: events async_pf_execute [kvm]<br /> RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]<br /> Call Trace:<br /> <br /> async_pf_execute+0x198/0x260 [kvm]<br /> process_one_work+0x145/0x2d0<br /> worker_thread+0x27e/0x3a0<br /> kthread+0xba/0xe0<br /> ret_from_fork+0x2d/0x50<br /> ret_from_fork_asm+0x11/0x20<br /> <br /> ---[ end trace 0000000000000000 ]---<br /> INFO: task kworker/8:1:251 blocked for more than 120 seconds.<br /> Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119<br /> "echo 0 &gt; /proc/sys/kernel/hung_task_timeout_secs" disables this message.<br /> task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000<br /> Workqueue: events async_pf_execute [kvm]<br /> Call Trace:<br /> <br /> __schedule+0x33f/0xa40<br /> schedule+0x53/0xc0<br /> schedule_timeout+0x12a/0x140<br /> __wait_for_common+0x8d/0x1d0<br /> __flush_work.isra.0+0x19f/0x2c0<br /> kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]<br /> kvm_arch_destroy_vm+0x78/0x1b0 [kvm]<br /> kvm_put_kvm+0x1c1/0x320 [kvm]<br /> async_pf_execute+0x198/0x260 [kvm]<br /> process_one_work+0x145/0x2d0<br /> worker_thread+0x27e/0x3a0<br /> kthread+0xba/0xe0<br /> ret_from_fork+0x2d/0x50<br /> ret_from_fork_asm+0x11/0x20<br /> <br /> <br /> If kvm_clear_async_pf_completion_queue() actually flushes the workqueue,<br /> then there&amp;#39;s no need to gift async_pf_execute() a reference because all<br /> invocations of async_pf_execute() will be forced to complete before the<br /> vCPU and its VM are destroyed/freed. And that in turn fixes the module<br /> unloading bug as __fput() won&amp;#39;t do module_put() on the last vCPU reference<br /> until the vCPU has been freed, e.g. if closing the vCPU file also puts the<br /> last reference to the KVM module.<br /> <br /> Note that kvm_check_async_pf_completion() may also take the work item off<br /> the completion queue and so also needs to flush the work queue, as the<br /> work will not be seen by kvm_clear_async_pf_completion_queue(). Waiting<br /> on the workqueue could theoretically delay a vCPU due to waiting for the<br /> work to complete, but that&amp;#39;s a very, very small chance, and likely a very<br /> small delay. kvm_arch_async_page_present_queued() unconditionally makes a<br /> new request, i.e. will effectively delay entering the guest, so the<br /> remaining work is really just:<br /> <br /> trace_kvm_async_pf_completed(addr, cr2_or_gpa);<br /> <br /> __kvm_vcpu_wake_up(vcpu);<br /> <br /> mmput(mm);<br /> <br /> and mmput() can&amp;#39;t drop the last reference to the page tables if the vCPU is<br /> still alive, i.e. the vCPU won&amp;#39;t get stuck tearing down page tables.<br /> <br /> Add a helper to do the flushing, specifically to deal with "wakeup all"<br /> work items, as they aren&amp;#39;t actually work items, i.e. are never placed in a<br /> workqueue. Trying to flush a bogus workqueue entry rightly makes<br /> __flush_work() complain (kudos to whoever added that sanity check).<br /> <br /> Note, commit 5f6de5cbebee ("KVM: Prevent module exit until al<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pci_iounmap(): Fix MMIO mapping leak<br /> <br /> The #ifdef ARCH_HAS_GENERIC_IOPORT_MAP accidentally also guards iounmap(),<br /> which means MMIO mappings are leaked.<br /> <br /> Move the guard so we call iounmap() for MMIO mappings.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: qcom: camcc-sc8280xp: fix terminating of frequency table arrays<br /> <br /> The frequency table arrays are supposed to be terminated with an<br /> empty element. Add such entry to the end of the arrays where it<br /> is missing in order to avoid possible out-of-bound access when<br /> the table is traversed by functions like qcom_find_freq() or<br /> qcom_find_freq_floor().<br /> <br /> Only compile tested.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: qcom: gcc-ipq9574: fix terminating of frequency table arrays<br /> <br /> The frequency table arrays are supposed to be terminated with an<br /> empty element. Add such entry to the end of the arrays where it<br /> is missing in order to avoid possible out-of-bound access when<br /> the table is traversed by functions like qcom_find_freq() or<br /> qcom_find_freq_floor().<br /> <br /> Only compile tested.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays<br /> <br /> The frequency table arrays are supposed to be terminated with an<br /> empty element. Add such entry to the end of the arrays where it<br /> is missing in order to avoid possible out-of-bound access when<br /> the table is traversed by functions like qcom_find_freq() or<br /> qcom_find_freq_floor().<br /> <br /> Only compile tested.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: qcom: gcc-ipq6018: fix terminating of frequency table arrays<br /> <br /> The frequency table arrays are supposed to be terminated with an<br /> empty element. Add such entry to the end of the arrays where it<br /> is missing in order to avoid possible out-of-bound access when<br /> the table is traversed by functions like qcom_find_freq() or<br /> qcom_find_freq_floor().<br /> <br /> Only compile tested.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: qcom: gcc-ipq5018: fix terminating of frequency table arrays<br /> <br /> The frequency table arrays are supposed to be terminated with an<br /> empty element. Add such entry to the end of the arrays where it<br /> is missing in order to avoid possible out-of-bound access when<br /> the table is traversed by functions like qcom_find_freq() or<br /> qcom_find_freq_floor().

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fat: fix uninitialized field in nostale filehandles<br /> <br /> When fat_encode_fh_nostale() encodes file handle without a parent it<br /> stores only first 10 bytes of the file handle. However the length of the<br /> file handle must be a multiple of 4 so the file handle is actually 12<br /> bytes long and the last two bytes remain uninitialized. This is not<br /> great at we potentially leak uninitialized information with the handle<br /> to userspace. Properly initialize the full handle length.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfs: fix UAF in direct writes<br /> <br /> In production we have been hitting the following warning consistently<br /> <br /> ------------[ cut here ]------------<br /> refcount_t: underflow; use-after-free.<br /> WARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0<br /> Workqueue: nfsiod nfs_direct_write_schedule_work [nfs]<br /> RIP: 0010:refcount_warn_saturate+0x9c/0xe0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? __warn+0x9f/0x130<br /> ? refcount_warn_saturate+0x9c/0xe0<br /> ? report_bug+0xcc/0x150<br /> ? handle_bug+0x3d/0x70<br /> ? exc_invalid_op+0x16/0x40<br /> ? asm_exc_invalid_op+0x16/0x20<br /> ? refcount_warn_saturate+0x9c/0xe0<br /> nfs_direct_write_schedule_work+0x237/0x250 [nfs]<br /> process_one_work+0x12f/0x4a0<br /> worker_thread+0x14e/0x3b0<br /> ? ZSTD_getCParams_internal+0x220/0x220<br /> kthread+0xdc/0x120<br /> ? __btf_name_valid+0xa0/0xa0<br /> ret_from_fork+0x1f/0x30<br /> <br /> This is because we&amp;#39;re completing the nfs_direct_request twice in a row.<br /> <br /> The source of this is when we have our commit requests to submit, we<br /> process them and send them off, and then in the completion path for the<br /> commit requests we have<br /> <br /> if (nfs_commit_end(cinfo.mds))<br /> nfs_direct_write_complete(dreq);<br /> <br /> However since we&amp;#39;re submitting asynchronous requests we sometimes have<br /> one that completes before we submit the next one, so we end up calling<br /> complete on the nfs_direct_request twice.<br /> <br /> The only other place we use nfs_generic_commit_list() is in<br /> __nfs_commit_inode, which wraps this call in a<br /> <br /> nfs_commit_begin();<br /> nfs_commit_end();<br /> <br /> Which is a common pattern for this style of completion handling, one<br /> that is also repeated in the direct code with get_dreq()/put_dreq()<br /> calls around where we process events as well as in the completion paths.<br /> <br /> Fix this by using the same pattern for the commit requests.<br /> <br /> Before with my 200 node rocksdb stress running this warning would pop<br /> every 10ish minutes. With my patch the stress test has been running for<br /> several hours without popping.