CVE-2024-41092 – drm/i915/gt: Fix potential UAF by revoke of fence registers
https://notcve.org/view.php?id=CVE-2024-41092
In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix potential UAF by revoke of fence registers CI has been sporadically reporting the following issue triggered by igt@i915_selftest@live@hangcheck on ADL-P and similar machines: <6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence ... <6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled <6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled <3> [414.070354] Unable to pin Y-tiled fence; err:-4 <3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active)) ... <4>[ 609.603992] ------------[ cut here ]------------ <2>[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301! <4>[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI <4>[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1 <4>[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023 <4>[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915] <4>[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915] ... <4>[ 609.604271] Call Trace: <4>[ 609.604273] <TASK> ... <4>[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915] <4>[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915] <4>[ 609.604977] force_unbind+0x24/0xa0 [i915] <4>[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915] <4>[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915] <4>[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915] <4>[ 609.605440] process_scheduled_works+0x351/0x690 ... In the past, there were similar failures reported by CI from other IGT tests, observed on other platforms. Before commit 63baf4f3d587 ("drm/i915/gt: Only wait for GPU activity before unbinding a GGTT fence"), i915_vma_revoke_fence() was waiting for idleness of vma->active via fence_update(). That commit introduced vma->fence->active in order for the fence_update() to be able to wait selectively on that one instead of vma->active since only idleness of fence registers was needed. But then, another commit 0d86ee35097a ("drm/i915/gt: Make fence revocation unequivocal") replaced the call to fence_update() in i915_vma_revoke_fence() with only fence_write(), and also added that GEM_BUG_ON(! • https://git.kernel.org/stable/c/0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1 https://git.kernel.org/stable/c/f771b91f21c46ad1217328d05e72a2c7e3add535 https://git.kernel.org/stable/c/29c0fdf49078ab161570d3d1c6e13d66f182717d https://git.kernel.org/stable/c/ca0fabd365a27a94a36e68a7a02df8ff3c13dac6 https://git.kernel.org/stable/c/06dec31a0a5112a91f49085e8a8fa1a82296d5c7 https://git.kernel.org/stable/c/414f4a31f7a811008fd9a33b06216b060bad18fc https://git.kernel.org/stable/c/996c3412a06578e9d779a16b9e79ace18125ab50 https://access.redhat.com/security/cve/CVE-2024-41092 • CWE-416: Use After Free •
CVE-2024-41089 – drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes
https://notcve.org/view.php?id=CVE-2024-41089
In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes In nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). The same applies to drm_cvt_mode(). Add a check to avoid null pointer dereference. • https://git.kernel.org/stable/c/ffabad4aa91e33ced3c6ae793fb37771b3e9cb51 https://git.kernel.org/stable/c/1c9f2e60150b4f13789064370e37f39e6e060f50 https://git.kernel.org/stable/c/56fc4d3b0bdef691831cd95715a7ca3ebea98b2d https://git.kernel.org/stable/c/5eecb49a6c268dc229005bf6e8167d4001dc09a0 https://git.kernel.org/stable/c/30cbf6ffafbbdd8a6e4e5f0a2e9a9827ee83f3ad https://git.kernel.org/stable/c/7ece609b0ce7a7ea8acdf512a77d1fee26621637 https://git.kernel.org/stable/c/6e49a157d541e7e97b815a56f4bdfcbc89844a59 https://git.kernel.org/stable/c/6d411c8ccc0137a612e0044489030a194 • CWE-476: NULL Pointer Dereference •
CVE-2024-41088 – can: mcp251xfd: fix infinite loop when xmit fails
https://notcve.org/view.php?id=CVE-2024-41088
In the Linux kernel, the following vulnerability has been resolved: can: mcp251xfd: fix infinite loop when xmit fails When the mcp251xfd_start_xmit() function fails, the driver stops processing messages, and the interrupt routine does not return, running indefinitely even after killing the running application. Error messages: [ 441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16 [ 441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3). ... and repeat forever. The issue can be triggered when multiple devices share the same SPI interface. And there is concurrent access to the bus. The problem occurs because tx_ring->head increments even if mcp251xfd_start_xmit() fails. Consequently, the driver skips one TX package while still expecting a response in mcp251xfd_handle_tefif_one(). Resolve the issue by starting a workqueue to write the tx obj synchronously if err = -EBUSY. In case of another error, decrement tx_ring->head, remove skb from the echo stack, and drop the message. [mkl: use more imperative wording in patch description] • https://git.kernel.org/stable/c/55e5b97f003e85e66babb55f357627d52081a264 https://git.kernel.org/stable/c/f926c022ebaabf7963bebf89a97201d66978a025 https://git.kernel.org/stable/c/3e72558c1711d524e3150103739ddd06650e291b https://git.kernel.org/stable/c/6c6b4afa59c2fb4d1759235f866d8caed2aa4729 https://git.kernel.org/stable/c/d8fb63e46c884c898a38f061c2330f7729e75510 •
CVE-2024-41087 – ata: libata-core: Fix double free on error
https://notcve.org/view.php?id=CVE-2024-41087
In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix double free on error If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump to the err_out label, which will call devres_release_group(). devres_release_group() will trigger a call to ata_host_release(). ata_host_release() calls kfree(host), so executing the kfree(host) in ata_host_alloc() will lead to a double free: kernel BUG at mm/slub.c:553! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:kfree+0x2cf/0x2f0 Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246 RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320 RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0 RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000 R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780 R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006 FS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? die+0x2e/0x50 ? do_trap+0xca/0x110 ? • https://git.kernel.org/stable/c/dafd6c496381c1cd1f5ba9ad953e810bdcc931bc https://git.kernel.org/stable/c/290073b2b557e4dc21ee74a1e403d9ae79e393a2 https://git.kernel.org/stable/c/56f1c7e290cd6c69c948fcd2e2a49e6a637ec38f https://git.kernel.org/stable/c/010de9acbea58fbcbda08e3793d6262086a493fe https://git.kernel.org/stable/c/5dde5f8b790274723640d29a07c5a97d57d62047 https://git.kernel.org/stable/c/702c1edbafb2e6f9d20f6d391273b5be09d366a5 https://git.kernel.org/stable/c/062e256516d7db5e7dcdef117f52025cd5c456e3 https://git.kernel.org/stable/c/8106da4d88bbaed809e023cc8014b7662 •
CVE-2024-41082 – nvme-fabrics: use reserved tag for reg read/write command
https://notcve.org/view.php?id=CVE-2024-41082
In the Linux kernel, the following vulnerability has been resolved: nvme-fabrics: use reserved tag for reg read/write command In some scenarios, if too many commands are issued by nvme command in the same time by user tasks, this may exhaust all tags of admin_q. If a reset (nvme reset or IO timeout) occurs before these commands finish, reconnect routine may fail to update nvme regs due to insufficient tags, which will cause kernel hang forever. In order to workaround this issue, maybe we can let reg_read32()/reg_read64()/reg_write32() use reserved tags. This maybe safe for nvmf: 1. For the disable ctrl path, we will not issue connect command 2. • https://git.kernel.org/stable/c/165da9c67a26f08c9b956c15d701da7690f45bcb https://git.kernel.org/stable/c/7dc3bfcb4c9cc58970fff6aaa48172cb224d85aa https://access.redhat.com/security/cve/CVE-2024-41082 https://bugzilla.redhat.com/show_bug.cgi?id=2300459 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •