CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2021-47424 – i40e: Fix freeing of uninitialized misc IRQ vector
https://notcve.org/view.php?id=CVE-2021-47424
In the Linux kernel, the following vulnerability has been resolved: i40e: Fix freeing of uninitialized misc IRQ vector When VSI set up failed in i40e_probe() as part of PF switch set up driver was trying to free misc IRQ vectors in i40e_clear_interrupt_scheme and produced a kernel Oops: Trying to free already-free IRQ 266 WARNING: CPU: 0 PID: 5 at kernel/irq/manage.c:1731 __free_irq+0x9a/0x300 Workqueue: events work_for_cpu_fn RIP: 0010:__free_irq+0x9a/0x300 Call Trace: ? synchronize_irq+0x3a/0xa0 free_irq+0x2e/0x60 i40e_clear_interrupt_scheme+0x53/0x190 [i40e] i40e_probe.part.108+0x134b/0x1a40 [i40e] ? kmem_cache_alloc+0x158/0x1c0 ? acpi_ut_update_ref_count.part.1+0x8e/0x345 ? acpi_ut_update_object_reference+0x15e/0x1e2 ? • https://git.kernel.org/stable/c/c17401a1dd210a5f22ab1ec7c7366037c158a14c https://git.kernel.org/stable/c/60ad4cde0ad28921f9ea25b0201c774b95ffa4b4 https://git.kernel.org/stable/c/17063cac4088b8e2fc0f633abddca5426ed58312 https://git.kernel.org/stable/c/97aeed72af4f83ae51534f0a2473ff52f8d66236 https://git.kernel.org/stable/c/75099439209d3cda439a1d9b00d19a50f0066fef https://git.kernel.org/stable/c/2e5a20573a926302b233b0c2e1077f5debc7ab2e •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2021-47423 – drm/nouveau/debugfs: fix file release memory leak
https://notcve.org/view.php?id=CVE-2021-47423
In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/debugfs: fix file release memory leak When using single_open() for opening, single_release() should be called, otherwise the 'op' allocated in single_open() will be leaked. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/nouveau/debugfs: corrige la pérdida de memoria de liberación de archivos. Cuando se usa single_open() para abrir, se debe llamar a single_release(); de lo contrario, se ejecutará la 'op' asignada en single_open(). filtrado. • https://git.kernel.org/stable/c/6e9fc177399f08446293fec7607913fdbc95e191 https://git.kernel.org/stable/c/df0c9418923679bc6d0060bdb1b5bf2c755159e0 https://git.kernel.org/stable/c/9f9d4c88b2edc7924e19c44909cfc3fa4e4d3d43 https://git.kernel.org/stable/c/1508b09945bde393326a9dab73b1fc35f672d771 https://git.kernel.org/stable/c/11cd944bb87d9e575b94c07c952105eda745b459 https://git.kernel.org/stable/c/f69556a42043b5444ca712ee889829ba89fdcba8 https://git.kernel.org/stable/c/88c3610045ca6e699331b6bb5c095c5565f30721 https://git.kernel.org/stable/c/f5a8703a9c418c6fc54eb772712dfe764 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47422 – drm/nouveau/kms/nv50-: fix file release memory leak
https://notcve.org/view.php?id=CVE-2021-47422
In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/kms/nv50-: fix file release memory leak When using single_open() for opening, single_release() should be called, otherwise the 'op' allocated in single_open() will be leaked. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/nouveau/kms/nv50-: corrige la pérdida de memoria de liberación de archivos. Cuando se usa single_open() para abrir, se debe llamar a single_release(); de lo contrario, se debe llamar a la 'op' asignada en single_open( ) se filtrará. • https://git.kernel.org/stable/c/12885ecbfe62df4358d452080d3b8feef54ec8cb https://git.kernel.org/stable/c/65fff0a8efcdca8d84ffe3e23057c3b32403482d https://git.kernel.org/stable/c/0b4e9fc14973a94ac0520f19b3633493ae13c912 https://git.kernel.org/stable/c/0b3d4945cc7e7ea1acd52cb06dfa83bfe265b6d5 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47421 – drm/amdgpu: handle the case of pci_channel_io_frozen only in amdgpu_pci_resume
https://notcve.org/view.php?id=CVE-2021-47421
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: handle the case of pci_channel_io_frozen only in amdgpu_pci_resume In current code, when a PCI error state pci_channel_io_normal is detectd, it will report PCI_ERS_RESULT_CAN_RECOVER status to PCI driver, and PCI driver will continue the execution of PCI resume callback report_resume by pci_walk_bridge, and the callback will go into amdgpu_pci_resume finally, where write lock is releasd unconditionally without acquiring such lock first. In this case, a deadlock will happen when other threads start to acquire the read lock. To fix this, add a member in amdgpu_device strucutre to cache pci_channel_state, and only continue the execution in amdgpu_pci_resume when it's pci_channel_io_frozen. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amdgpu: maneja el caso de pci_channel_io_frozen solo en amdgpu_pci_resume. En el código actual, cuando se detecta un estado de error de PCI pci_channel_io_normal, informará el estado de PCI_ERS_RESULT_CAN_RECOVER al controlador PCI, y el controlador PCI continúe la ejecución de PCI resume callback report_resume mediante pci_walk_bridge, y la devolución de llamada finalmente irá a amdgpu_pci_resume, donde el bloqueo de escritura se libera incondicionalmente sin adquirir dicho bloqueo primero. En este caso, se producirá un punto muerto cuando otros subprocesos comiencen a adquirir el bloqueo de lectura. • https://git.kernel.org/stable/c/c9a6b82f45e261d247b980a7949aaa6a9bfffe01 https://git.kernel.org/stable/c/72e9a1bf9b722628c28092e0c2cd8717edd201dc https://git.kernel.org/stable/c/248b061689a40f4fed05252ee2c89f87cf26d7d8 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47419 – net/sched: sch_taprio: properly cancel timer from taprio_destroy()
https://notcve.org/view.php?id=CVE-2021-47419
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_taprio: properly cancel timer from taprio_destroy() There is a comment in qdisc_create() about us not calling ops->reset() in some cases. err_out4: /* * Any broken qdiscs that would require a ops->reset() here? * The qdisc was never in action so it shouldn't be necessary. */ As taprio sets a timer before actually receiving a packet, we need to cancel it from ops->destroy, just in case ops->reset has not been called. syzbot reported: ODEBUG: free active (active state 0) object type: hrtimer hint: advance_sched+0x0/0x9a0 arch/x86/include/asm/atomic64_64.h:22 WARNING: CPU: 0 PID: 8441 at lib/debugobjects.c:505 debug_print_object+0x16e/0x250 lib/debugobjects.c:505 Modules linked in: CPU: 0 PID: 8441 Comm: syz-executor813 Not tainted 5.14.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:505 Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd e0 d3 e3 89 4c 89 ee 48 c7 c7 e0 c7 e3 89 e8 5b 86 11 05 <0f> 0b 83 05 85 03 92 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3 RSP: 0018:ffffc9000130f330 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 RDX: ffff88802baeb880 RSI: ffffffff815d87b5 RDI: fffff52000261e58 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815d25ee R11: 0000000000000000 R12: ffffffff898dd020 R13: ffffffff89e3ce20 R14: ffffffff81653630 R15: dffffc0000000000 FS: 0000000000f0d300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffb64b3e000 CR3: 0000000036557000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __debug_check_no_obj_freed lib/debugobjects.c:987 [inline] debug_check_no_obj_freed+0x301/0x420 lib/debugobjects.c:1018 slab_free_hook mm/slub.c:1603 [inline] slab_free_freelist_hook+0x171/0x240 mm/slub.c:1653 slab_free mm/slub.c:3213 [inline] kfree+0xe4/0x540 mm/slub.c:4267 qdisc_create+0xbcf/0x1320 net/sched/sch_api.c:1299 tc_modify_qdisc+0x4c8/0x1a60 net/sched/sch_api.c:1663 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340 netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:724 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2403 ___sys_sendmsg+0xf3/0x170 net/socket.c:2457 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2486 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: sch_taprio: cancelar correctamente el temporizador de taprio_destroy(). Hay un comentario en qdisc_create() acerca de que no llamamos a ops->reset() en algunos casos. err_out4: /* * ¿Alguna qdisc rota que requiera un ops->reset() aquí? * La qdisc nunca estuvo en acción por lo que no debería ser necesaria. */ Como taprio establece un temporizador antes de recibir un paquete, debemos cancelarlo desde ops->destroy, en caso de que no se haya llamado a ops->reset. syzbot informó: ODEBUG: libre activo (estado activo 0) tipo de objeto: hrtimer sugerencia: advanced_sched+0x0/0x9a0 arch/x86/include/asm/atomic64_64.h:22 ADVERTENCIA: CPU: 0 PID: 8441 en lib/debugobjects.c :505 debug_print_object+0x16e/0x250 lib/debugobjects.c:505 Módulos vinculados en: CPU: 0 PID: 8441 Comm: syz-executor813 No contaminado 5.14.0-rc6-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Motor, BIOS Google 01/01/2011 RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:505 Código: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd e0 d3 e3 89 4c 89 ee 48 c7 c7 e0 c7 e3 89 e8 5b 86 11 05 <0f> 0b 83 05 85 03 92 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3 RSP 0018:ffff c9000130f330 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 00000000000000003 RCX: 0000000000000000 RDX: ffff88802baeb880 RSI: ffffffff815d87b5 RDI: fffff52000261e58 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815d25ee R11: 00000000000000000 R12: ffffffff898dd020 R13: 3ce20 R14: ffffffff81653630 R15: dffffc0000000000 FS: 0000000000f0d300( 0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffb64b3e000 CR3: 557000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 7: 0000000000000400 Seguimiento de llamadas: __debug_check_no_obj_freed lib/debugobjects.c:987 [en línea] debug_check_no_obj_freed+0x301/0x420 lib/debugobjects.c:1018 slab_free_hook mm/slub.c:1603 [en línea] slab_free_freelist_hook+0x171/0x240 mm/ slub.c:1653 slab_libre mm/slub.c:3213 [en línea] kfree+0xe4/0x540 mm/slub.c:4267 qdisc_create+0xbcf/0x1320 net/sched/sch_api.c:1299 tc_modify_qdisc+0x4c8/0x1a60 net/sched/sch_api.c:1663 rtnetlink_rcv_msg+0x413/0xb80 nore/rtnetlink.c: 5571 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c: 2504 netlink_unicast_kernel net/netlink/af_netlink.c: 1314 [netlin /0x7d0 net/netlink/ af_netlink.c:1340 netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929 sock_sendmsg_nosec net/socket.c:704 [en línea] sock_sendmsg+0xcf/0x120 net/socket.c:724 ____sys_sendmsg+0x6e8/0x810 net /zócalo .c:2403 ___sys_sendmsg+0xf3/0x170 net/socket.c:2457 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2486 do_syscall_x64 arch/x86/entry/common.c:50 [en línea] arco/ x86/entrada/common.c:80 • https://git.kernel.org/stable/c/c71c512f4a65267e6a18163f4df729c489a51035 https://git.kernel.org/stable/c/a969a632cbe7165d448a5528806ad120c2599397 https://git.kernel.org/stable/c/44d4775ca51805b376a8db5b34f650434a08e556 https://git.kernel.org/stable/c/c951c08a5996365aecbc5f1a9bddec3905e1ddfc https://git.kernel.org/stable/c/3ec73ffeef54596c32aff0e73fe60971b9c8b866 https://git.kernel.org/stable/c/7a1c1af341041221b3acb9d7036cc2b43e0efa75 https://git.kernel.org/stable/c/a56d447f196fa9973c568f54c0d76d5391c3b0c0 •