CVE-2021-47492 – mm, thp: bail out early in collapse_file for writeback page
https://notcve.org/view.php?id=CVE-2021-47492
In the Linux kernel, the following vulnerability has been resolved: mm, thp: bail out early in collapse_file for writeback page

Currently collapse_file does not explicitly check PG_writeback; instead, page_has_private and try_to_release_page are used to filter writeback pages. This does not work for xfs with a blocksize equal to or larger than the pagesize, because in that case xfs has no page->private. This change makes collapse_file bail out early for writeback pages. Otherwise, xfs end_page_writeback will panic as follows.

page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:ffff0003f88c86a8 index:0x0 pfn:0x84ef32
aops:xfs_address_space_operations [xfs] ino:30000b7 dentry name:"libtest.so"
flags: 0x57fffe0000008027(locked|referenced|uptodate|active|writeback)
raw: 57fffe0000008027 ffff80001b48bc28 ffff80001b48bc28 ffff0003f88c86a8
raw: 0000000000000000 0000000000000000 00000000ffffffff ffff0000c3e9a000
page dumped because: VM_BUG_ON_PAGE(((unsigned int) page_ref_count(page) + 127u <= 127u))
page->mem_cgroup:ffff0000c3e9a000
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:1212!
Internal error: Oops - BUG: 0 [#1] SMP
Modules linked in:
BUG: Bad page state in process khugepaged pfn:84ef32
 xfs(E)
page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:0 index:0x0 pfn:0x84ef32
 libcrc32c(E) rfkill(E) aes_ce_blk(E) crypto_simd(E) ...
CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Tainted: ...
pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
Call trace:
 end_page_writeback+0x1c0/0x214
 iomap_finish_page_writeback+0x13c/0x204
 iomap_finish_ioend+0xe8/0x19c
 iomap_writepage_end_bio+0x38/0x50
 bio_endio+0x168/0x1ec
 blk_update_request+0x278/0x3f0
 blk_mq_end_request+0x34/0x15c
 virtblk_request_done+0x38/0x74 [virtio_blk]
 blk_done_softirq+0xc4/0x110
 __do_softirq+0x128/0x38c
 __irq_exit_rcu+0x118/0x150
 irq_exit+0x1c/0x30
 __handle_domain_irq+0x8c/0xf0
 gic_handle_irq+0x84/0x108
 el1_irq+0xcc/0x180
 arch_cpu_idle+0x18/0x40
 default_idle_call+0x4c/0x1a0
 cpuidle_idle_call+0x168/0x1e0
 do_idle+0xb4/0x104
 cpu_startup_entry+0x30/0x9c
 secondary_start_kernel+0x104/0x180
Code: d4210000 b0006161 910c8021 94013f4d (d4210000)
---[ end trace 4a88c6a074082f8c ]---
Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt

References:
https://git.kernel.org/stable/c/99cb0dbd47a15d395bf3faa78dc122bc5efe3fc0
https://git.kernel.org/stable/c/69a7fa5cb0de06c8956b040f19a7248c8c8308ca
https://git.kernel.org/stable/c/5e669d8ab30ab61dec3c36e27b4711f07611e6fc
https://git.kernel.org/stable/c/74c42e1baacf206338b1dd6b6199ac964512b5bb
https://access.redhat.com/security/cve/CVE-2021-47492
https://bugzilla.redhat.com/show_bug.cgi?id=2282924

CWE-372: Incomplete Internal State Distinction
CVE-2021-47491 – mm: khugepaged: skip huge page collapse for special files
https://notcve.org/view.php?id=CVE-2021-47491
In the Linux kernel, the following vulnerability has been resolved: mm: khugepaged: skip huge page collapse for special files

The read-only THP support for filesystems collapses THP for files opened read-only and mapped with VM_EXEC. The intended use case is to avoid TLB misses for large text segments. But it doesn't restrict the file types, so a THP could be collapsed for a non-regular file, for example a block device, if it is opened read-only and mapped with EXEC permission. This may cause bugs, like [1] and [2]. This is definitely not the intended use case, so just collapse THP for regular files in order to close the attack surface.

[shy828301@gmail.com: fix vm_file check [3]]

References:
https://git.kernel.org/stable/c/99cb0dbd47a15d395bf3faa78dc122bc5efe3fc0
https://git.kernel.org/stable/c/6d67b2a73b8e3a079c355bab3c1aef7d85a044b8
https://git.kernel.org/stable/c/5fcb6fce74ffa614d964667110cf1a516c48c6d9
https://git.kernel.org/stable/c/a4aeaa06d45e90f9b279f0b09de84bd00006e733
https://access.redhat.com/security/cve/CVE-2021-47491
https://bugzilla.redhat.com/show_bug.cgi?id=2282925

CWE-664: Improper Control of a Resource Through its Lifetime
CVE-2021-47490 – drm/ttm: fix memleak in ttm_transfered_destroy
https://notcve.org/view.php?id=CVE-2021-47490
In the Linux kernel, the following vulnerability has been resolved: drm/ttm: fix memleak in ttm_transfered_destroy

We need to clean up the fences for ghost objects as well.

Bug: https://bugzilla.kernel.org/show_bug.cgi?id=214029
Bug: https://bugzilla.kernel.org/show_bug.cgi?id=214447

References:
https://git.kernel.org/stable/c/bd99782f3ca491879e8524c89b1c0f40071903bd
https://git.kernel.org/stable/c/960b1fdfc39aba8f41e9e27b2de0c925c74182d9
https://git.kernel.org/stable/c/c21b4002214c1c7e7b627b9b53375612f7aab6db
https://git.kernel.org/stable/c/bbc920fb320f1c241cc34ac85edaa0058922246a
https://git.kernel.org/stable/c/132a3d998d6753047f22152731fba2b0d6b463dd
https://git.kernel.org/stable/c/0db55f9a1bafbe3dac750ea669de9134922389b5
CVE-2021-47489 – drm/amdgpu: Fix even more out of bound writes from debugfs
https://notcve.org/view.php?id=CVE-2021-47489
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix even more out of bound writes from debugfs

CVE-2021-42327 was fixed by:

commit f23750b5b3d98653b31d4469592935ef6364ad67
Author: Thelford Williams <tdwilliamsiv@gmail.com>
Date: Wed Oct 13 16:04:13 2021 -0400

    drm/amdgpu: fix out of bounds write

but amdgpu_dm_debugfs.c contains more of the same issue, so fix the remaining ones.

v2:
* Add missing fix in dp_max_bpc_write (Harry Wentland)

References:
https://git.kernel.org/stable/c/918698d5c2b50433714d2042f55b55b090faa167
https://git.kernel.org/stable/c/9eb4bdd554fc31a5ef6bf645a20ff21618ce45a9
https://git.kernel.org/stable/c/3f4e54bd312d3dafb59daf2b97ffa08abebe60f5
CVE-2021-47486 – riscv, bpf: Fix potential NULL dereference
https://notcve.org/view.php?id=CVE-2021-47486
In the Linux kernel, the following vulnerability has been resolved: riscv, bpf: Fix potential NULL dereference

The bpf_jit_binary_free() function requires a non-NULL argument. When the RISC-V BPF JIT fails to converge in NR_JIT_ITERATIONS steps, jit_data->header will be NULL, which triggers a NULL dereference. Avoid this by checking the argument prior to calling the function.

References:
https://git.kernel.org/stable/c/ca6cb5447ceca6a87d6b62c9e5d41042c34f7ffa
https://git.kernel.org/stable/c/cac6b043cea3e120f4fccec16f7381747cbfdc0d
https://git.kernel.org/stable/c/e1b80a5ebe5431caeb20f88c32d4a024777a2d41
https://git.kernel.org/stable/c/27de809a3d83a6199664479ebb19712533d6fd9b

CWE-476: NULL Pointer Dereference