CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2022-48989 – fscache: Fix oops due to race with cookie_lru and use_cookie
https://notcve.org/view.php?id=CVE-2022-48989
In the Linux kernel, the following vulnerability has been resolved: fscache: Fix oops due to race with cookie_lru and use_cookie If a cookie expires from the LRU and the LRU_DISCARD flag is set, but the state machine has not run yet, it's possible another thread can call fscache_use_cookie and begin to use it. When the cookie_worker finally runs, it will see the LRU_DISCARD flag set, transition the cookie->state to LRU_DISCARDING, which will then withdraw the cookie. Once the cookie is withdrawn the object is removed the below oops will occur because the object associated with the cookie is now NULL. Fix the oops by clearing the LRU_DISCARD bit if another thread uses the cookie before the cookie_worker runs. BUG: kernel NULL pointer dereference, address: 0000000000000008 ... CPU: 31 PID: 44773 Comm: kworker/u130:1 Tainted: G E 6.0.0-5.dneg.x86_64 #1 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 Workqueue: events_unbound netfs_rreq_write_to_cache_work [netfs] RIP: 0010:cachefiles_prepare_write+0x28/0x90 [cachefiles] ... Call Trace: netfs_rreq_write_to_cache_work+0x11c/0x320 [netfs] process_one_work+0x217/0x3e0 worker_thread+0x4a/0x3b0 kthread+0xd6/0x100 • https://git.kernel.org/stable/c/12bb21a29c19aae50cfad4e2bb5c943108f34a7d https://git.kernel.org/stable/c/37f0b459c9b67e14fe4dcc3a15d286c4436ed01d https://git.kernel.org/stable/c/b5b52de3214a29911f949459a79f6640969b5487 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2022-48988 – memcg: fix possible use-after-free in memcg_write_event_control()
https://notcve.org/view.php?id=CVE-2022-48988
In the Linux kernel, the following vulnerability has been resolved: memcg: fix possible use-after-free in memcg_write_event_control() memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too. Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it allowing any file to slip through. With the invarients broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-free's. Fix the bug by resurrecting the file type check in __file_cft(). • https://git.kernel.org/stable/c/347c4a8747104a945ecced358944e42879176ca5 https://git.kernel.org/stable/c/b77600e26fd48727a95ffd50ba1e937efb548125 https://git.kernel.org/stable/c/e1ae97624ecf400ea56c238bff23e5cd139df0b8 https://git.kernel.org/stable/c/35963b31821920908e397146502066f6b032c917 https://git.kernel.org/stable/c/f1f7f36cf682fa59db15e2089039a2eeb58ff2ad https://git.kernel.org/stable/c/aad8bbd17a1d586005feb9226c2e9cfce1432e13 https://git.kernel.org/stable/c/0ed074317b835caa6c03bcfa8f133365324673dc https://git.kernel.org/stable/c/4a7ba45b1a435e7097ca0f79a847d0949 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48986 – mm/gup: fix gup_pud_range() for dax
https://notcve.org/view.php?id=CVE-2022-48986
In the Linux kernel, the following vulnerability has been resolved: mm/gup: fix gup_pud_range() for dax For dax pud, pud_huge() returns true on x86. So the function works as long as hugetlb is configured. However, dax doesn't depend on hugetlb. Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as well. This fixes the below kernel panic: general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP < snip > Call Trace: <TASK> get_user_pages_fast+0x1f/0x40 iov_iter_get_pages+0xc6/0x3b0 ? mempool_alloc+0x5d/0x170 bio_iov_iter_get_pages+0x82/0x4e0 ? • https://git.kernel.org/stable/c/414fd080d125408cb15d04ff4907e1dd8145c8c7 https://git.kernel.org/stable/c/c133d8eb894cb280f331608c6f1962ba9fbfe6b0 https://git.kernel.org/stable/c/538162d21ac877b060dc057c89f13718f5caffc5 https://git.kernel.org/stable/c/8b1a7762e0dac5db42a003009fdcb425f10baa07 https://git.kernel.org/stable/c/04edfa3dc06ecfc6133a33bc7271298782dee875 https://git.kernel.org/stable/c/f1cf856123ceb766c49967ec79b841030fa1741f https://git.kernel.org/stable/c/3ac29732a2ffa64c7de13a072b0f2848b9c11037 https://git.kernel.org/stable/c/e06d13c36ded750c72521b600293befeb •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48985 – net: mana: Fix race on per-CQ variable napi work_done
https://notcve.org/view.php?id=CVE-2022-48985
In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix race on per-CQ variable napi work_done After calling napi_complete_done(), the NAPIF_STATE_SCHED bit may be cleared, and another CPU can start napi thread and access per-CQ variable, cq->work_done. If the other thread (for example, from busy_poll) sets it to a value >= budget, this thread will continue to run when it should stop, and cause memory corruption and panic. To fix this issue, save the per-CQ work_done variable in a local variable before napi_complete_done(), so it won't be corrupted by a possible concurrent thread after napi_complete_done(). Also, add a flag bit to advertise to the NIC firmware: the NAPI work_done variable race is fixed, so the driver is able to reliably support features like busy_poll. • https://git.kernel.org/stable/c/e1b5683ff62e7b328317aec08869495992053e9d https://git.kernel.org/stable/c/fe50a9bbeb1f042e756c5cfa7708112c944368de https://git.kernel.org/stable/c/6740d8572ccd1bca50d8a1ca2bedc333f50ed5f3 https://git.kernel.org/stable/c/18010ff776fa42340efc428b3ea6d19b3e7c7b21 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2022-48984 – can: slcan: fix freed work crash
https://notcve.org/view.php?id=CVE-2022-48984
In the Linux kernel, the following vulnerability has been resolved: can: slcan: fix freed work crash The LTP test pty03 is causing a crash in slcan: BUG: kernel NULL pointer dereference, address: 0000000000000008 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted 6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 Workqueue: 0x0 (events) RIP: 0010:process_one_work (/home/rich/kernel/linux/kernel/workqueue.c:706 /home/rich/kernel/linux/kernel/workqueue.c:2185) Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49> 8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046 RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968 RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI: ffff9d64764aa6c0 RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09: ffff9d64764aa734 R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000 R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15: ffff9d64764aa6c0 FS: 0000000000000000(0000) GS:ffff9d649e400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0 Call Trace: <TASK> worker_thread (/home/rich/kernel/linux/kernel/workqueue.c:2436) kthread (/home/rich/kernel/linux/kernel/kthread.c:376) ret_from_fork (/home/rich/kernel/linux/arch/x86/entry/entry_64.S:312) Apparently, the slcan's tx_work is freed while being scheduled. While slcan_netdev_close() (netdev side) calls flush_work(&sl->tx_work), slcan_close() (tty side) does not. So when the netdev is never set UP, but the tty is stuffed with bytes and forced to wakeup write, the work is scheduled, but never flushed. So add an additional flush_work() to slcan_close() to be sure the work is flushed under all circumstances. The Fixes commit below moved flush_work() from slcan_close() to slcan_netdev_close(). What was the rationale behind it? Maybe we can drop the one in slcan_netdev_close()? • https://git.kernel.org/stable/c/cfcb4465e9923bb9ac168abcea84e880633f9cef https://git.kernel.org/stable/c/9e2709d58a14a10eb00d919acd7dec071c33f8c8 https://git.kernel.org/stable/c/fb855e9f3b6b42c72af3f1eb0b288998fe0d5ebb •