CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-46770 – ice: Add netif_device_attach/detach into PF reset flow
https://notcve.org/view.php?id=CVE-2024-46770
In the Linux kernel, the following vulnerability has been resolved: ice: Add netif_device_attach/detach into PF reset flow Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below. Reproduction steps: Once the driver is fully initialized, trigger reset: # echo 1 > /sys/class/net/<interface>/device/reset when reset is in progress try to get coalesce settings using ethtool: # ethtool -c <interface> BUG: kernel NULL pointer dereference, address: 0000000000000020 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7 RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice] RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206 RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000 R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40 FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0 Call Trace: <TASK> ice_get_coalesce+0x17/0x30 [ice] coalesce_prepare_data+0x61/0x80 ethnl_default_doit+0xde/0x340 genl_family_rcv_msg_doit+0xf2/0x150 genl_rcv_msg+0x1b3/0x2c0 netlink_rcv_skb+0x5b/0x110 genl_rcv+0x28/0x40 netlink_unicast+0x19c/0x290 netlink_sendmsg+0x222/0x490 __sys_sendto+0x1df/0x1f0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x82/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7faee60d8e27 Calling netif_device_detach() before reset makes the net core not call the driver when ethtool command is issued, the attempt to execute an ethtool command during reset will result in the following message: netlink error: No such device instead of NULL pointer dereference. Once reset is done and ice_rebuild() is executing, the netif_device_attach() is called to allow for ethtool operations to occur again in a safe manner. • https://git.kernel.org/stable/c/fcea6f3da546b93050f3534aadea7bd96c1d7349 https://git.kernel.org/stable/c/9e3ffb839249eca113062587659224f856fe14e5 https://git.kernel.org/stable/c/efe8effe138044a4747d1112ebb8c454d1663723 https://git.kernel.org/stable/c/36486c9e8e01b84faaee47203eac0b7e9cc7fa4a https://git.kernel.org/stable/c/d11a67634227f9f9da51938af085fb41a733848f •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46768 – hwmon: (hp-wmi-sensors) Check if WMI event data exists
https://notcve.org/view.php?id=CVE-2024-46768
In the Linux kernel, the following vulnerability has been resolved: hwmon: (hp-wmi-sensors) Check if WMI event data exists The BIOS can choose to return no event data in response to a WMI event, so the ACPI object passed to the WMI notify handler can be NULL. Check for such a situation and ignore the event in such a case. • https://git.kernel.org/stable/c/23902f98f8d4811ab84dde6419569a5b374f8122 https://git.kernel.org/stable/c/217539e994e53206bbf3fb330261cc78c480d311 https://git.kernel.org/stable/c/4b19c83ba108aa66226da5b79810e4d19e005f12 https://git.kernel.org/stable/c/a54da9df75cd1b4b5028f6c60f9a211532680585 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46767 – net: phy: Fix missing of_node_put() for leds
https://notcve.org/view.php?id=CVE-2024-46767
In the Linux kernel, the following vulnerability has been resolved: net: phy: Fix missing of_node_put() for leds The call of of_get_child_by_name() will cause refcount incremented for leds, if it succeeds, it should call of_node_put() to decrease it, fix it. • https://git.kernel.org/stable/c/01e5b728e9e43ae444e0369695a5f72209906464 https://git.kernel.org/stable/c/26928c8f00f6bb0e194f3957fe51c69d36838eb2 https://git.kernel.org/stable/c/d9c8dbbc236cdc6231ee91cdede2fc97b430cfff https://git.kernel.org/stable/c/2560db6ede1aaf162a73b2df43e0b6c5ed8819f7 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-46766 – ice: move netif_queue_set_napi to rtnl-protected sections
https://notcve.org/view.php?id=CVE-2024-46766
In the Linux kernel, the following vulnerability has been resolved: ice: move netif_queue_set_napi to rtnl-protected sections Currently, netif_queue_set_napi() is called from ice_vsi_rebuild() that is not rtnl-locked when called from the reset. This creates the need to take the rtnl_lock just for a single function and complicates the synchronization with .ndo_bpf. At the same time, there no actual need to fill napi-to-queue information at this exact point. Fill napi-to-queue information when opening the VSI and clear it when the VSI is being closed. Those routines are already rtnl-locked. Also, rewrite napi-to-queue assignment in a way that prevents inclusion of XDP queues, as this leads to out-of-bounds writes, such as one below. [ +0.000004] BUG: KASAN: slab-out-of-bounds in netif_queue_set_napi+0x1c2/0x1e0 [ +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047 [ +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2 [ +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000003] Call Trace: [ +0.000003] <TASK> [ +0.000002] dump_stack_lvl+0x60/0x80 [ +0.000007] print_report+0xce/0x630 [ +0.000007] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ +0.000007] ? • https://git.kernel.org/stable/c/080b0c8d6d261b400f24bb1075fbab8c6daaf69e https://git.kernel.org/stable/c/2285c2faef19ee08a6bd6754f4c3ec07dceb2889 https://git.kernel.org/stable/c/2a5dc090b92cfa5270e20056074241c6db5c9cdd •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46765 – ice: protect XDP configuration with a mutex
https://notcve.org/view.php?id=CVE-2024-46765
In the Linux kernel, the following vulnerability has been resolved: ice: protect XDP configuration with a mutex The main threat to data consistency in ice_xdp() is a possible asynchronous PF reset. It can be triggered by a user or by TX timeout handler. XDP setup and PF reset code access the same resources in the following sections: * ice_vsi_close() in ice_prepare_for_reset() - already rtnl-locked * ice_vsi_rebuild() for the PF VSI - not protected * ice_vsi_open() - already rtnl-locked With an unfortunate timing, such accesses can result in a crash such as the one below: [ +1.999878] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 14 [ +2.002992] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 18 [Mar15 18:17] ice 0000:b1:00.0 ens801f0np0: NETDEV WATCHDOG: CPU: 38: transmit queue 14 timed out 80692736 ms [ +0.000093] ice 0000:b1:00.0 ens801f0np0: tx_timeout: VSI_num: 6, Q 14, NTC: 0x0, HW_HEAD: 0x0, NTU: 0x0, INT: 0x4000001 [ +0.000012] ice 0000:b1:00.0 ens801f0np0: tx_timeout recovery level 1, txqueue 14 [ +0.394718] ice 0000:b1:00.0: PTP reset successful [ +0.006184] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ +0.000045] #PF: supervisor read access in kernel mode [ +0.000023] #PF: error_code(0x0000) - not-present page [ +0.000023] PGD 0 P4D 0 [ +0.000018] Oops: 0000 [#1] PREEMPT SMP NOPTI [ +0.000023] CPU: 38 PID: 7540 Comm: kworker/38:1 Not tainted 6.8.0-rc7 #1 [ +0.000031] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000036] Workqueue: ice ice_service_task [ice] [ +0.000183] RIP: 0010:ice_clean_tx_ring+0xa/0xd0 [ice] [...] [ +0.000013] Call Trace: [ +0.000016] <TASK> [ +0.000014] ? __die+0x1f/0x70 [ +0.000029] ? page_fault_oops+0x171/0x4f0 [ +0.000029] ? schedule+0x3b/0xd0 [ +0.000027] ? • https://git.kernel.org/stable/c/2d4238f5569722197612656163d824098208519c https://git.kernel.org/stable/c/2f057db2fb29bc209c103050647562e60554d3d3 https://git.kernel.org/stable/c/391f7dae3d836891fc6cfbde38add2d0e10c6b7f https://git.kernel.org/stable/c/2504b8405768a57a71e660dbfd5abd59f679a03f •