CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-50095 – RDMA/mad: Improve handling of timed out WRs of mad agent
https://notcve.org/view.php?id=CVE-2024-50095
In the Linux kernel, the following vulnerability has been resolved: RDMA/mad: Improve handling of timed out WRs of mad agent Current timeout handler of mad agent acquires/releases mad_agent_priv lock for every timed out WRs. This causes heavy locking contention when higher no. of WRs are to be handled inside timeout handler. This leads to softlockup with below trace in some use cases where rdma-cm path is used to establish connection between peer nodes Trace: ----- BUG: soft lockup - CPU#4 stuck for 26s! [kworker/u128:3:19767] CPU: 4 PID: 19767 Comm: kworker/u128:3 Kdump: loaded Tainted: G OE ------- --- 5.14.0-427.13.1.el9_4.x86_64 #1 Hardware name: Dell Inc. PowerEdge R740/01YM03, BIOS 2.4.8 11/26/2019 Workqueue: ib_mad1 timeout_sends [ib_core] RIP: 0010:__do_softirq+0x78/0x2ac RSP: 0018:ffffb253449e4f98 EFLAGS: 00000246 RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 000000000000001f RDX: 000000000000001d RSI: 000000003d1879ab RDI: fff363b66fd3a86b RBP: ffffb253604cbcd8 R08: 0000009065635f3b R09: 0000000000000000 R10: 0000000000000040 R11: ffffb253449e4ff8 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000040 FS: 0000000000000000(0000) GS:ffff8caa1fc80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fd9ec9db900 CR3: 0000000891934006 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> ? show_trace_log_lvl+0x1c4/0x2df ? • https://git.kernel.org/stable/c/713adaf0ecfc49405f6e5d9e409d984f628de818 https://git.kernel.org/stable/c/7022a517bf1ca37ef5a474365bcc5eafd345a13a https://git.kernel.org/stable/c/e80eadb3604a92d2d086e956b8b2692b699d4d0a https://git.kernel.org/stable/c/a195a42dd25ca4f12489687065d00be64939409f https://git.kernel.org/stable/c/3e799fa463508abe7a738ce5d0f62a8dfd05262a https://git.kernel.org/stable/c/2a777679b8ccd09a9a65ea0716ef10365179caac •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50091 – dm vdo: don't refer to dedupe_context after releasing it
https://notcve.org/view.php?id=CVE-2024-50091
In the Linux kernel, the following vulnerability has been resolved: dm vdo: don't refer to dedupe_context after releasing it Clear the dedupe_context pointer in a data_vio whenever ownership of the context is lost, so that vdo can't examine it accidentally. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dm vdo: no hacer referencia a dedupe_context después de liberarlo. Borre el puntero dedupe_context en un data_vio siempre que se pierda la propiedad del contexto, de modo que vdo no pueda examinarlo accidentalmente. • https://git.kernel.org/stable/c/63ef073084c67878d7a92e15ad055172da3f05a3 https://git.kernel.org/stable/c/0808ebf2f80b962e75741a41ced372a7116f1e26 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50090 – drm/xe/oa: Fix overflow in oa batch buffer
https://notcve.org/view.php?id=CVE-2024-50090
In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Fix overflow in oa batch buffer By default xe_bb_create_job() appends a MI_BATCH_BUFFER_END to batch buffer, this is not a problem if batch buffer is only used once but oa reuses the batch buffer for the same metric and at each call it appends a MI_BATCH_BUFFER_END, printing the warning below and then overflowing. [ 381.072016] ------------[ cut here ]------------ [ 381.072019] xe 0000:00:02.0: [drm] Assertion `bb->len * 4 + bb_prefetch(q->gt) <= size` failed! platform: LUNARLAKE subplatform: 1 graphics: Xe2_LPG / Xe2_HPG 20.04 step B0 media: Xe2_LPM / Xe2_HPM 20.00 step B0 tile: 0 VRAM 0 B GT: 0 type 1 So here checking if batch buffer already have MI_BATCH_BUFFER_END if not append it. v2: - simply fix, suggestion from Ashutosh (cherry picked from commit 9ba0e0f30ca42a98af3689460063edfb6315718a) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/xe/oa: Corregir desbordamiento en el búfer por lotes de oa. De manera predeterminada, xe_bb_create_job() agrega un MI_BATCH_BUFFER_END al buffer por lotes, esto no es un problema si el buffer por lotes solo se usa una vez, pero oa reutiliza el búfer por lotes para la misma métrica y en cada llamada agrega un MI_BATCH_BUFFER_END, imprimiendo la advertencia a continuación y luego desbordándose. [ 381.072016] ------------[ cortar aquí ]------------ [ 381.072019] xe 0000:00:02.0: [drm] ¡La afirmación `bb->len * 4 + bb_prefetch(q->gt) <= size` falló! Plataforma: LUNARLAKE Subplataforma: 1 Gráficos: Xe2_LPG / Xe2_HPG 20.04 Paso B0 Medios: Xe2_LPM / Xe2_HPM 20.00 Paso B0 Mosaico: 0 VRAM 0 B GT: 0 Tipo 1 Aquí se verifica si el buffer de lote ya tiene MI_BATCH_BUFFER_END si no, se agrega. v2: - simplemente se arregla, sugerencia de Ashutosh (seleccionada del commit 9ba0e0f30ca42a98af3689460063edfb6315718a) • https://git.kernel.org/stable/c/bcb5be3421705e682b0b32073ad627056d6bc2a2 https://git.kernel.org/stable/c/6c10ba06bb1b48acce6d4d9c1e33beb9954f1788 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-50089 – unicode: Don't special case ignorable code points
https://notcve.org/view.php?id=CVE-2024-50089
In the Linux kernel, the following vulnerability has been resolved: unicode: Don't special case ignorable code points We don't need to handle them separately. Instead, just let them decompose/casefold to themselves. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: unicode: No aplicar mayúsculas y minúsculas especiales a los puntos de código que se puedan ignorar. No necesitamos manejarlos por separado. En su lugar, simplemente dejamos que se descompongan o se conviertan en mayúsculas y minúsculas por sí mismos. • https://git.kernel.org/stable/c/39fffca572844d733b137a0ff9eacd67b9b0c8e3 https://git.kernel.org/stable/c/651b954cd8d5b0a358ceb47c93876bb6201224e4 https://git.kernel.org/stable/c/21526498d25e54bda3c650f756493d63fd9131b7 https://git.kernel.org/stable/c/ac20736861f3c9c8e0a78273a4c57e9bcb0d8cc6 https://git.kernel.org/stable/c/876d3577a5b353e482d9228d45fa0d82bf1af53a https://git.kernel.org/stable/c/5c26d2f1d3f5e4be3e196526bead29ecb139cf91 •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2023-52920 – bpf: support non-r10 register spill/fill to/from stack in precision tracking
https://notcve.org/view.php?id=CVE-2023-52920
In the Linux kernel, the following vulnerability has been resolved: bpf: support non-r10 register spill/fill to/from stack in precision tracking Use instruction (jump) history to record instructions that performed register spill/fill to/from stack, regardless if this was done through read-only r10 register, or any other register after copying r10 into it *and* potentially adjusting offset. To make this work reliably, we push extra per-instruction flags into instruction history, encoding stack slot index (spi) and stack frame number in extra 10 bit flags we take away from prev_idx in instruction history. We don't touch idx field for maximum performance, as it's checked most frequently during backtracking. This change removes basically the last remaining practical limitation of precision backtracking logic in BPF verifier. It fixes known deficiencies, but also opens up new opportunities to reduce number of verified states, explored in the subsequent patches. There are only three differences in selftests' BPF object files according to veristat, all in the positive direction (less states). File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF) -------------------------------------- ------------- --------- --------- ------------- ---------- ---------- ------------- test_cls_redirect_dynptr.bpf.linked3.o cls_redirect 2987 2864 -123 (-4.12%) 240 231 -9 (-3.75%) xdp_synproxy_kern.bpf.linked3.o syncookie_tc 82848 82661 -187 (-0.23%) 5107 5073 -34 (-0.67%) xdp_synproxy_kern.bpf.linked3.o syncookie_xdp 85116 84964 -152 (-0.18%) 5162 5130 -32 (-0.62%) Note, I avoided renaming jmp_history to more generic insn_hist to minimize number of lines changed and potential merge conflicts between bpf and bpf-next trees. Notice also cur_hist_entry pointer reset to NULL at the beginning of instruction verification loop. This pointer avoids the problem of relying on last jump history entry's insn_idx to determine whether we already have entry for current instruction or not. It can happen that we added jump history entry because current instruction is_jmp_point(), but also we need to add instruction flags for stack access. • https://git.kernel.org/stable/c/41f6f64e6999a837048b1bd13a2f8742964eca6b •