CVE-2022-48887 – drm/vmwgfx: Remove rcu locks from user resources
https://notcve.org/view.php?id=CVE-2022-48887
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Remove rcu locks from user resources User resource lookups used rcu to avoid two extra atomics. Unfortunately the rcu paths were buggy and it was easy to make the driver crash by submitting command buffers from two different threads. Because the lookups never show up in performance profiles replace them with a regular spin lock which fixes the races in accesses to those shared resources. Fixes kernel oops'es in IGT's vmwgfx execution_buffer stress test and seen crashes with apps using shared resources. • https://git.kernel.org/stable/c/e14c02e6b6990e9f6ee18a214a22ac26bae1b25e https://git.kernel.org/stable/c/7ac9578e45b20e3f3c0c8eb71f5417a499a7226a https://git.kernel.org/stable/c/a309c7194e8a2f8bd4539b9449917913f6c2cd50 •
CVE-2022-48880 – platform/surface: aggregator: Add missing call to ssam_request_sync_free()
https://notcve.org/view.php?id=CVE-2022-48880
In the Linux kernel, the following vulnerability has been resolved: platform/surface: aggregator: Add missing call to ssam_request_sync_free() Although rare, ssam_request_sync_init() can fail. In that case, the request should be freed via ssam_request_sync_free(). Currently it is leaked instead. Fix this. • https://git.kernel.org/stable/c/c167b9c7e3d6131b4a4865c112a3dbc86d2e997d https://git.kernel.org/stable/c/d2dc110deabe7142b60ebeed689e67f92795ee24 https://git.kernel.org/stable/c/50b3cdf8239b11545f311c4f7b89e0092e4feedb https://git.kernel.org/stable/c/c965daac370f08a9b71d573a71d13cda76f2a884 •
CVE-2022-48879 – efi: fix NULL-deref in init error path
https://notcve.org/view.php?id=CVE-2022-48879
In the Linux kernel, the following vulnerability has been resolved: efi: fix NULL-deref in init error path In cases where runtime services are not supported or have been disabled, the runtime services workqueue will never have been allocated. Do not try to destroy the workqueue unconditionally in the unlikely event that EFI initialisation fails to avoid dereferencing a NULL pointer. • https://git.kernel.org/stable/c/2ff3c97b47521d6700cc6485c7935908dcd2c27c https://git.kernel.org/stable/c/5167f194da6947e19a3e970485ee3ccb44f7958d https://git.kernel.org/stable/c/98086df8b70c06234a8f4290c46064e44dafa0ed https://git.kernel.org/stable/c/f591a42b8f9a9d20e01d0462f4f55d2176ac52ec https://git.kernel.org/stable/c/e6584124b9823151ef586d10dedf565ade50cea6 https://git.kernel.org/stable/c/585a0b2b3ae7903c6abee3087d09c69e955a7794 https://git.kernel.org/stable/c/5fcf75a8a4c3e7ee9122d143684083c9faf20452 https://git.kernel.org/stable/c/4ca71bc0e1995d15486cd7b60845602a2 •
CVE-2022-48878 – Bluetooth: hci_qca: Fix driver shutdown on closed serdev
https://notcve.org/view.php?id=CVE-2022-48878
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_qca: Fix driver shutdown on closed serdev The driver shutdown callback (which sends EDL_SOC_RESET to the device over serdev) should not be invoked when HCI device is not open (e.g. if hci_dev_open_sync() failed), because the serdev and its TTY are not open either. Also skip this step if device is powered off (qca_power_shutdown()). The shutdown callback causes use-after-free during system reboot with Qualcomm Atheros Bluetooth: Unable to handle kernel paging request at virtual address 0072662f67726fd7 ... CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W 6.1.0-rt5-00325-g8a5f56bcfcca #8 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: tty_driver_flush_buffer+0x4/0x30 serdev_device_write_flush+0x24/0x34 qca_serdev_shutdown+0x80/0x130 [hci_uart] device_shutdown+0x15c/0x260 kernel_restart+0x48/0xac KASAN report: BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50 Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1 CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: dump_backtrace.part.0+0xdc/0xf0 show_stack+0x18/0x30 dump_stack_lvl+0x68/0x84 print_report+0x188/0x488 kasan_report+0xa4/0xf0 __asan_load8+0x80/0xac tty_driver_flush_buffer+0x1c/0x50 ttyport_write_flush+0x34/0x44 serdev_device_write_flush+0x48/0x60 qca_serdev_shutdown+0x124/0x274 device_shutdown+0x1e8/0x350 kernel_restart+0x48/0xb0 __do_sys_reboot+0x244/0x2d0 __arm64_sys_reboot+0x54/0x70 invoke_syscall+0x60/0x190 el0_svc_common.constprop.0+0x7c/0x160 do_el0_svc+0x44/0xf0 el0_svc+0x2c/0x6c el0t_64_sync_handler+0xbc/0x140 el0t_64_sync+0x190/0x194 • https://git.kernel.org/stable/c/7e7bbddd029b644f00f0ffbfbc485ed71977d0d5 https://git.kernel.org/stable/c/e84ec6e25df9bb0968599e92eacedaf3a0a5b587 https://git.kernel.org/stable/c/908d1742b6e694e84ead5c62e4b7c1bfbb8b46a3 https://git.kernel.org/stable/c/ea3ebda47dd56f6e1c62f2e0e1b6e1b0a973e447 https://git.kernel.org/stable/c/272970be3dabd24cbe50e393ffee8f04aec3b9a8 •
CVE-2022-48877 – f2fs: let's avoid panic if extent_tree is not created
https://notcve.org/view.php?id=CVE-2022-48877
In the Linux kernel, the following vulnerability has been resolved: f2fs: let's avoid panic if extent_tree is not created This patch avoids the below panic. pc : __lookup_extent_tree+0xd8/0x760 lr : f2fs_do_write_data_page+0x104/0x87c sp : ffffffc010cbb3c0 x29: ffffffc010cbb3e0 x28: 0000000000000000 x27: ffffff8803e7f020 x26: ffffff8803e7ed40 x25: ffffff8803e7f020 x24: ffffffc010cbb460 x23: ffffffc010cbb480 x22: 0000000000000000 x21: 0000000000000000 x20: ffffffff22e90900 x19: 0000000000000000 x18: ffffffc010c5d080 x17: 0000000000000000 x16: 0000000000000020 x15: ffffffdb1acdbb88 x14: ffffff888759e2b0 x13: 0000000000000000 x12: ffffff802da49000 x11: 000000000a001200 x10: ffffff8803e7ed40 x9 : ffffff8023195800 x8 : ffffff802da49078 x7 : 0000000000000001 x6 : 0000000000000000 x5 : 0000000000000006 x4 : ffffffc010cbba28 x3 : 0000000000000000 x2 : ffffffc010cbb480 x1 : 0000000000000000 x0 : ffffff8803e7ed40 Call trace: __lookup_extent_tree+0xd8/0x760 f2fs_do_write_data_page+0x104/0x87c f2fs_write_single_data_page+0x420/0xb60 f2fs_write_cache_pages+0x418/0xb1c __f2fs_write_data_pages+0x428/0x58c f2fs_write_data_pages+0x30/0x40 do_writepages+0x88/0x190 __writeback_single_inode+0x48/0x448 writeback_sb_inodes+0x468/0x9e8 __writeback_inodes_wb+0xb8/0x2a4 wb_writeback+0x33c/0x740 wb_do_writeback+0x2b4/0x400 wb_workfn+0xe4/0x34c process_one_work+0x24c/0x5bc worker_thread+0x3e8/0xa50 kthread+0x150/0x1b4 • https://git.kernel.org/stable/c/dd83a9763e29ed7a21c8a43f7a62cd0a6bf74692 https://git.kernel.org/stable/c/ff85a1dbd90d29f73033177ff8d8de4a27d9721c https://git.kernel.org/stable/c/557e85ff9afef6d45020b6f09357111d38033c31 https://git.kernel.org/stable/c/72009139a661ade5cb1da4239734ed02fa1cfff0 https://git.kernel.org/stable/c/2c129e868992621a739bdd57a5bffa3985ef1b91 https://git.kernel.org/stable/c/1c38cdc747f00daf7394535eae5afc4c503c59bb https://git.kernel.org/stable/c/df9d44b645b83fffccfb4e28c1f93376585fdec8 •