CVE-2021-47493 – ocfs2: fix race between searching chunks and release journal_head from buffer_head
https://notcve.org/view.php?id=CVE-2021-47493
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix race between searching chunks and release journal_head from buffer_head Encountered a race between ocfs2_test_bg_bit_allocatable() and jbd2_journal_put_journal_head() resulting in the below vmcore. PID: 106879 TASK: ffff880244ba9c00 CPU: 2 COMMAND: "loop3" Call trace: panic oops_end no_context __bad_area_nosemaphore bad_area_nosemaphore __do_page_fault do_page_fault page_fault [exception RIP: ocfs2_block_group_find_clear_bits+316] ocfs2_block_group_find_clear_bits [ocfs2] ocfs2_cluster_group_search [ocfs2] ocfs2_search_chain [ocfs2] ocfs2_claim_suballoc_bits [ocfs2] __ocfs2_claim_clusters [ocfs2] ocfs2_claim_clusters [ocfs2] ocfs2_local_alloc_slide_window [ocfs2] ocfs2_reserve_local_alloc_bits [ocfs2] ocfs2_reserve_clusters_with_limit [ocfs2] ocfs2_reserve_clusters [ocfs2] ocfs2_lock_refcount_allocators [ocfs2] ocfs2_make_clusters_writable [ocfs2] ocfs2_replace_cow [ocfs2] ocfs2_refcount_cow [ocfs2] ocfs2_file_write_iter [ocfs2] lo_rw_aio loop_queue_work kthread_worker_fn kthread ret_from_fork When ocfs2_test_bg_bit_allocatable() called bh2jh(bg_bh), the bg_bh->b_private NULL as jbd2_journal_put_journal_head() raced and released the jounal head from the buffer head. Needed to take bit lock for the bit 'BH_JournalHead' to fix this race. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ocfs2: corrige la ejecución entre fragmentos de búsqueda y libera journal_head de buffer_head Se encontró una ejecución entre ocfs2_test_bg_bit_allocatable() y jbd2_journal_put_journal_head() que resultó en el siguiente vmcore. PID: 106879 TAREA: ffff880244ba9c00 CPU: 2 COMANDO: "loop3" Rastreo de llamadas: pánico oops_end no_context __bad_area_nosemaphore bad_area_nosemaphore __do_page_fault do_page_fault page_fault [excepción RIP: ocfs2_block_group_find_clear_bits+316] 2_block_group_find_clear_bits [ocfs2] ocfs2_cluster_group_search [ocfs2] ocfs2_search_chain [ocfs2] ocfs2_claim_suballoc_bits [ocfs2] __ocfs2_claim_clusters [ocfs2] ocfs2_claim_clusters [ocfs2] ocfs2_local_alloc_slide_window [ocfs2] ocfs2_reserve_local_alloc_bits [ocfs2] ocfs2_reserve_clusters_with_limit [ocfs2] ocfs2_reserve_clusters [ocfs2] ocfs2_lock_refcount_allocators [ocfs2] 2_make_clusters_writable [ocfs2] ocfs2_replace_cow [ocfs2] ocfs2_refcount_cow [ocfs2] ocfs2_file_write_iter [ocfs2] lo_rw_aio loop_queue_work kthread_worker_fn kthread ret_from_fork Cuando ocfs2_test_bg_bit_allocatable () llamado bh2jh(bg_bh), el bg_bh->b_private NULL como jbd2_journal_put_journal_head() corrió y liberó el encabezado del diario del encabezado del búfer. Era necesario bloquear el bit 'BH_JournalHead' para solucionar esta ejecución. • https://git.kernel.org/stable/c/5043fbd294f5909a080ade0f04b70a4da9e122b7 https://git.kernel.org/stable/c/2e382600e8856ea654677b5134ee66e03ea72bc2 https://git.kernel.org/stable/c/6f1b228529ae49b0f85ab89bcdb6c365df401558 •
CVE-2021-47492 – mm, thp: bail out early in collapse_file for writeback page
https://notcve.org/view.php?id=CVE-2021-47492
In the Linux kernel, the following vulnerability has been resolved: mm, thp: bail out early in collapse_file for writeback page Currently collapse_file does not explicitly check PG_writeback, instead, page_has_private and try_to_release_page are used to filter writeback pages. This does not work for xfs with blocksize equal to or larger than pagesize, because in such case xfs has no page->private. This makes collapse_file bail out early for writeback page. Otherwise, xfs end_page_writeback will panic as follows. page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:ffff0003f88c86a8 index:0x0 pfn:0x84ef32 aops:xfs_address_space_operations [xfs] ino:30000b7 dentry name:"libtest.so" flags: 0x57fffe0000008027(locked|referenced|uptodate|active|writeback) raw: 57fffe0000008027 ffff80001b48bc28 ffff80001b48bc28 ffff0003f88c86a8 raw: 0000000000000000 0000000000000000 00000000ffffffff ffff0000c3e9a000 page dumped because: VM_BUG_ON_PAGE(((unsigned int) page_ref_count(page) + 127u <= 127u)) page->mem_cgroup:ffff0000c3e9a000 ------------[ cut here ]------------ kernel BUG at include/linux/mm.h:1212! Internal error: Oops - BUG: 0 [#1] SMP Modules linked in: BUG: Bad page state in process khugepaged pfn:84ef32 xfs(E) page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:0 index:0x0 pfn:0x84ef32 libcrc32c(E) rfkill(E) aes_ce_blk(E) crypto_simd(E) ... CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Tainted: ... pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--) Call trace: end_page_writeback+0x1c0/0x214 iomap_finish_page_writeback+0x13c/0x204 iomap_finish_ioend+0xe8/0x19c iomap_writepage_end_bio+0x38/0x50 bio_endio+0x168/0x1ec blk_update_request+0x278/0x3f0 blk_mq_end_request+0x34/0x15c virtblk_request_done+0x38/0x74 [virtio_blk] blk_done_softirq+0xc4/0x110 __do_softirq+0x128/0x38c __irq_exit_rcu+0x118/0x150 irq_exit+0x1c/0x30 __handle_domain_irq+0x8c/0xf0 gic_handle_irq+0x84/0x108 el1_irq+0xcc/0x180 arch_cpu_idle+0x18/0x40 default_idle_call+0x4c/0x1a0 cpuidle_idle_call+0x168/0x1e0 do_idle+0xb4/0x104 cpu_startup_entry+0x30/0x9c secondary_start_kernel+0x104/0x180 Code: d4210000 b0006161 910c8021 94013f4d (d4210000) ---[ end trace 4a88c6a074082f8c ]--- Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm, thp: rescatar temprano en el colapso_archivo para la página de reescritura. Actualmente, colapso_archivo no verifica explícitamente PG_writeback; en su lugar, page_has_private y try_to_release_page se utilizan para filtrar las páginas de reescritura. • https://git.kernel.org/stable/c/99cb0dbd47a15d395bf3faa78dc122bc5efe3fc0 https://git.kernel.org/stable/c/69a7fa5cb0de06c8956b040f19a7248c8c8308ca https://git.kernel.org/stable/c/5e669d8ab30ab61dec3c36e27b4711f07611e6fc https://git.kernel.org/stable/c/74c42e1baacf206338b1dd6b6199ac964512b5bb https://access.redhat.com/security/cve/CVE-2021-47492 https://bugzilla.redhat.com/show_bug.cgi?id=2282924 • CWE-372: Incomplete Internal State Distinction •
CVE-2021-47491 – mm: khugepaged: skip huge page collapse for special files
https://notcve.org/view.php?id=CVE-2021-47491
In the Linux kernel, the following vulnerability has been resolved: mm: khugepaged: skip huge page collapse for special files The read-only THP for filesystems will collapse THP for files opened readonly and mapped with VM_EXEC. The intended usecase is to avoid TLB misses for large text segments. But it doesn't restrict the file types so a THP could be collapsed for a non-regular file, for example, block device, if it is opened readonly and mapped with EXEC permission. This may cause bugs, like [1] and [2]. This is definitely not the intended usecase, so just collapse THP for regular files in order to close the attack surface. [shy828301@gmail.com: fix vm_file check [3]] En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: khugepaged: omitir el colapso de página enorme para archivos especiales El THP de solo lectura para sistemas de archivos colapsará el THP para archivos abiertos de solo lectura y asignados con VM_EXEC. El caso de uso previsto es evitar errores de TLB en segmentos de texto grandes. • https://git.kernel.org/stable/c/99cb0dbd47a15d395bf3faa78dc122bc5efe3fc0 https://git.kernel.org/stable/c/6d67b2a73b8e3a079c355bab3c1aef7d85a044b8 https://git.kernel.org/stable/c/5fcb6fce74ffa614d964667110cf1a516c48c6d9 https://git.kernel.org/stable/c/a4aeaa06d45e90f9b279f0b09de84bd00006e733 https://access.redhat.com/security/cve/CVE-2021-47491 https://bugzilla.redhat.com/show_bug.cgi?id=2282925 • CWE-664: Improper Control of a Resource Through its Lifetime •
CVE-2021-47490 – drm/ttm: fix memleak in ttm_transfered_destroy
https://notcve.org/view.php?id=CVE-2021-47490
In the Linux kernel, the following vulnerability has been resolved: drm/ttm: fix memleak in ttm_transfered_destroy We need to cleanup the fences for ghost objects as well. Bug: https://bugzilla.kernel.org/show_bug.cgi?id=214029 Bug: https://bugzilla.kernel.org/show_bug.cgi?id=214447 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/ttm: corrige memleak en ttm_transfered_destroy También necesitamos limpiar las barreras para detectar objetos fantasma. Error: https://bugzilla.kernel.org/show_bug.cgi?id=214029 Error: https://bugzilla.kernel.org/show_bug.cgi? • https://git.kernel.org/stable/c/bd99782f3ca491879e8524c89b1c0f40071903bd https://git.kernel.org/stable/c/960b1fdfc39aba8f41e9e27b2de0c925c74182d9 https://git.kernel.org/stable/c/c21b4002214c1c7e7b627b9b53375612f7aab6db https://git.kernel.org/stable/c/bbc920fb320f1c241cc34ac85edaa0058922246a https://git.kernel.org/stable/c/132a3d998d6753047f22152731fba2b0d6b463dd https://git.kernel.org/stable/c/0db55f9a1bafbe3dac750ea669de9134922389b5 •
CVE-2021-47488 – cgroup: Fix memory leak caused by missing cgroup_bpf_offline
https://notcve.org/view.php?id=CVE-2021-47488
In the Linux kernel, the following vulnerability has been resolved: cgroup: Fix memory leak caused by missing cgroup_bpf_offline When enabling CONFIG_CGROUP_BPF, kmemleak can be observed by running the command as below: $mount -t cgroup -o none,name=foo cgroup cgroup/ $umount cgroup/ unreferenced object 0xc3585c40 (size 64): comm "mount", pid 425, jiffies 4294959825 (age 31.990s) hex dump (first 32 bytes): 01 00 00 80 84 8c 28 c0 00 00 00 00 00 00 00 00 ......(......... 00 00 00 00 00 00 00 00 6c 43 a0 c3 00 00 00 00 ........lC...... backtrace: [<e95a2f9e>] cgroup_bpf_inherit+0x44/0x24c [<1f03679c>] cgroup_setup_root+0x174/0x37c [<ed4b0ac5>] cgroup1_get_tree+0x2c0/0x4a0 [<f85b12fd>] vfs_get_tree+0x24/0x108 [<f55aec5c>] path_mount+0x384/0x988 [<e2d5e9cd>] do_mount+0x64/0x9c [<208c9cfe>] sys_mount+0xfc/0x1f4 [<06dd06e0>] ret_fast_syscall+0x0/0x48 [<a8308cb3>] 0xbeb4daa8 This is because that since the commit 2b0d3d3e4fcf ("percpu_ref: reduce memory footprint of percpu_ref in fast path") root_cgrp->bpf.refcnt.data is allocated by the function percpu_ref_init in cgroup_bpf_inherit which is called by cgroup_setup_root when mounting, but not freed along with root_cgrp when umounting. Adding cgroup_bpf_offline which calls percpu_ref_kill to cgroup_kill_sb can free root_cgrp->bpf.refcnt.data in umount path. This patch also fixes the commit 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself"). A cgroup_bpf_offline is needed to do a cleanup that frees the resources which are allocated by cgroup_bpf_inherit in cgroup_setup_root. And inside cgroup_bpf_offline, cgroup_get() is at the beginning and cgroup_put is at the end of cgroup_bpf_release which is called by cgroup_bpf_offline. So cgroup_bpf_offline can keep the balance of cgroup's refcount. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: cgroup: corrige la pérdida de memoria causada por la falta de cgroup_bpf_offline Al habilitar CONFIG_CGROUP_BPF, se puede observar kmemleak ejecutando el siguiente comando: $mount -t cgroup -o none,name=foo cgroup cgroup / $umount cgroup/ objeto sin referencia 0xc3585c40 (tamaño 64): comm "mount", pid 425, sjiffies 4294959825 (edad 31.990s) volcado hexadecimal (primeros 32 bytes): 01 00 00 80 84 8c 28 c0 00 00 00 00 00 00 00 00 ......(....... 00 00 00 00 00 00 00 00 6c 43 a0 c3 00 00 00 00 ........lC...... retroceso : [] cgroup_bpf_inherit+0x44/0x24c [<1f03679c>] cgroup_setup_root+0x174/0x37c [] cgroup1_get_tree+0x2c0/0x4a0 [] 8 [] ruta_montaje+0x384/ 0x988 [] do_mount+0x64/0x9c [<208c9cfe>] sys_mount+0xfc/0x1f4 [<06dd06e0>] ret_fast_syscall+0x0/0x48 [] 0xbeb4daa8 Esto se debe a que desde El commit 2b0d3d3e4f cf ("percpu_ref: reducir huella de memoria de percpu_ref en la ruta rápida") root_cgrp->bpf.refcnt.data es asignada por la función percpu_ref_init en cgroup_bpf_inherit, que es llamada por cgroup_setup_root al montar, pero no se libera junto con root_cgrp al desmontar. • https://git.kernel.org/stable/c/4bfc0bb2c60e2f4cc8eb60f03cf8dfa72336272a https://git.kernel.org/stable/c/01599bf7cc2b49c3d2be886cb438647dc25446ed https://git.kernel.org/stable/c/b529f88d93884cf8ccafda793ee3d27b82fa578d https://git.kernel.org/stable/c/04f8ef5643bcd8bcde25dfdebef998aea480b2ba •