CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47063 – drm: bridge/panel: Cleanup connector on bridge detach
https://notcve.org/view.php?id=CVE-2021-47063
In the Linux kernel, the following vulnerability has been resolved: drm: bridge/panel: Cleanup connector on bridge detach If we don't call drm_connector_cleanup() manually in panel_bridge_detach(), the connector will be cleaned up with the other DRM objects in the call to drm_mode_config_cleanup(). However, since our drm_connector is devm-allocated, by the time drm_mode_config_cleanup() will be called, our connector will be long gone. Therefore, the connector must be cleaned up when the bridge is detached to avoid use-after-free conditions. v2: Cleanup connector only if it was created v3: Add FIXME v4: (Use connector->dev) directly in if() block En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm: bridge/panel: Limpiar conector en bridge detach Si no llamamos a drm_connector_cleanup() manualmente en panel_bridge_detach(), el conector se limpiará con los demás objetos DRM en la llamada a drm_mode_config_cleanup(). Sin embargo, dado que nuestro drm_connector está asignado por devm, para cuando se llame a drm_mode_config_cleanup(), nuestro conector ya no existirá. Por lo tanto, el conector debe limpiarse cuando se retira el puente para evitar condiciones de uso después de su liberación. v2: Limpiar el conector solo si fue creado v3: Agregar FIXME v4: (Usar conector->dev) directamente en el bloque if() • https://git.kernel.org/stable/c/13dfc0540a575b47b2d640b093ac16e9e09474f6 https://git.kernel.org/stable/c/ce450934a00cf896e648fde08d0bd1426653d7a2 https://git.kernel.org/stable/c/18149b420c9bd93c443e8d1f48a063d71d9f6aa1 https://git.kernel.org/stable/c/98d7d76a74e48ec3ddf2e23950adff7edcab9327 https://git.kernel.org/stable/c/4d906839d321c2efbf3fed4bc31ffd9ff55b75c0 •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2021-47061 – KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU
https://notcve.org/view.php?id=CVE-2021-47061
In the Linux kernel, the following vulnerability has been resolved: KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU If allocating a new instance of an I/O bus fails when unregistering a device, wait to destroy the device until after all readers are guaranteed to see the new null bus. Destroying devices before the bus is nullified could lead to use-after-free since readers expect the devices on their reference of the bus to remain valid. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: Destruye los dispositivos del bus de E/S al cancelar el registro _después_ de sincronizar SRCU Si falla la asignación de una nueva instancia de un bus de E/S al cancelar el registro de un dispositivo, espere para destruir el dispositivo hasta que todos los lectores tengan la garantía de ver el nuevo bus nulo. Destruir dispositivos antes de que se anule el bus podría dar lugar a un uso posterior a la liberación, ya que los lectores esperan que los dispositivos en su referencia del bus sigan siendo válidos. • https://git.kernel.org/stable/c/f65886606c2d3b562716de030706dfe1bea4ed5e https://git.kernel.org/stable/c/f0dfffce3f4ffd5f822568a4a6fb34c010e939d1 https://git.kernel.org/stable/c/840e124f89a5127e7eb97ebf377f4b8ca745c070 https://git.kernel.org/stable/c/40a023f681befd9b2862a3c16fb306a38b359ae5 https://git.kernel.org/stable/c/19184bd06f488af62924ff1747614a8cb284ad63 https://git.kernel.org/stable/c/41b2ea7a6a11e2b1a7f2c29e1675a709a6b2b98d https://git.kernel.org/stable/c/68c125324b5e1d1d22805653735442923d896a1d https://git.kernel.org/stable/c/03c6cccedd3913006744faa252a4da514 •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2021-47060 – KVM: Stop looking for coalesced MMIO zones if the bus is destroyed
https://notcve.org/view.php?id=CVE-2021-47060
In the Linux kernel, the following vulnerability has been resolved: KVM: Stop looking for coalesced MMIO zones if the bus is destroyed Abort the walk of coalesced MMIO zones if kvm_io_bus_unregister_dev() fails to allocate memory for the new instance of the bus. If it can't instantiate a new bus, unregister_dev() destroys all devices _except_ the target device. But, it doesn't tell the caller that it obliterated the bus and invoked the destructor for all devices that were on the bus. In the coalesced MMIO case, this can result in a deleted list entry dereference due to attempting to continue iterating on coalesced_zones after future entries (in the walk) have been deleted. Opportunistically add curly braces to the for-loop, which encompasses many lines but sneaks by without braces due to the guts being a single if statement. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: deja de buscar zonas MMIO fusionadas si el bus se destruye. • https://git.kernel.org/stable/c/41b2ea7a6a11e2b1a7f2c29e1675a709a6b2b98d https://git.kernel.org/stable/c/f65886606c2d3b562716de030706dfe1bea4ed5e https://git.kernel.org/stable/c/f0dfffce3f4ffd5f822568a4a6fb34c010e939d1 https://git.kernel.org/stable/c/840e124f89a5127e7eb97ebf377f4b8ca745c070 https://git.kernel.org/stable/c/40a023f681befd9b2862a3c16fb306a38b359ae5 https://git.kernel.org/stable/c/19184bd06f488af62924ff1747614a8cb284ad63 https://git.kernel.org/stable/c/68c125324b5e1d1d22805653735442923d896a1d https://git.kernel.org/stable/c/7d1bc32d6477ff96a32695ea4be8144e4 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2021-47058 – regmap: set debugfs_name to NULL after it is freed
https://notcve.org/view.php?id=CVE-2021-47058
In the Linux kernel, the following vulnerability has been resolved: regmap: set debugfs_name to NULL after it is freed There is a upstream commit cffa4b2122f5("regmap:debugfs: Fix a memory leak when calling regmap_attach_dev") that adds a if condition when create name for debugfs_name. With below function invoking logical, debugfs_name is freed in regmap_debugfs_exit(), but it is not created again because of the if condition introduced by above commit. regmap_reinit_cache() regmap_debugfs_exit() ... regmap_debugfs_init() So, set debugfs_name to NULL after it is freed. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: regmap: establece debugfs_name en NULL después de liberarlo. Hay una confirmación ascendente cffa4b2122f5("regmap:debugfs: corrige una pérdida de memoria al llamar a regmap_attach_dev") que agrega una condición if al crear nombre para debugfs_name. Con la siguiente función que invoca lógica, debugfs_name se libera en regmap_debugfs_exit(), pero no se vuelve a crear debido a la condición if introducida por la confirmación anterior. regmap_reinit_cache() regmap_debugfs_exit() ... regmap_debugfs_init() Entonces, establezca debugfs_name en NULL después de liberarlo. • https://git.kernel.org/stable/c/5b654b03007917f3f1015b2a5c288c1ea6ae8f65 https://git.kernel.org/stable/c/480c5e9c7e4c76c01d5f1f7b73832d7b77e6b427 https://git.kernel.org/stable/c/c9698380b01aed3281160d3ab25749b57d6913b8 https://git.kernel.org/stable/c/cffa4b2122f5f3e53cf3d529bbc74651f95856d5 https://git.kernel.org/stable/c/2dc1554d5f0fdaf47cc5bea442b84b9226fea867 https://git.kernel.org/stable/c/d8897f7b2283a500666c85ef06e820df38ed7b52 https://git.kernel.org/stable/c/eb949f891226c012138ffd9df90d1e509f428ae6 https://git.kernel.org/stable/c/c764e375ae647832de1ee73d43a4bb3ef •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47056 – crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init
https://notcve.org/view.php?id=CVE-2021-47056
In the Linux kernel, the following vulnerability has been resolved: crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init ADF_STATUS_PF_RUNNING is (only) used and checked by adf_vf2pf_shutdown() before calling adf_iov_putmsg()->mutex_lock(vf2pf_lock), however the vf2pf_lock is initialized in adf_dev_init(), which can fail and when it fail, the vf2pf_lock is either not initialized or destroyed, a subsequent use of vf2pf_lock will cause issue. To fix this issue, only set this flag if adf_dev_init() returns 0. [ 7.178404] BUG: KASAN: user-memory-access in __mutex_lock.isra.0+0x1ac/0x7c0 [ 7.180345] Call Trace: [ 7.182576] mutex_lock+0xc9/0xd0 [ 7.183257] adf_iov_putmsg+0x118/0x1a0 [intel_qat] [ 7.183541] adf_vf2pf_shutdown+0x4d/0x7b [intel_qat] [ 7.183834] adf_dev_shutdown+0x172/0x2b0 [intel_qat] [ 7.184127] adf_probe+0x5e9/0x600 [qat_dh895xccvf] En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: crypto: qat - ADF_STATUS_PF_RUNNING debe configurarse después de adf_dev_init ADF_STATUS_PF_RUNNING es (solo) usado y verificado por adf_vf2pf_shutdown() antes de llamar a adf_iov_putmsg()->mutex_lock(vf2pf_lock), sin embargo, vf2pf_lock es inicializado en adf_dev_init(), que puede fallar y cuando falla, vf2pf_lock no se inicializa o se destruye, un uso posterior de vf2pf_lock causará problemas. Para solucionar este problema, establezca este indicador solo si adf_dev_init() devuelve 0. [7.178404] ERROR: KASAN: acceso a memoria de usuario en __mutex_lock.isra.0+0x1ac/0x7c0 [7.180345] Seguimiento de llamadas: [7.182576] mutex_lock+0xc9 /0xd0 [ 7.183257] adf_iov_putmsg+0x118/0x1a0 [intel_qat] [ 7.183541] adf_vf2pf_shutdown+0x4d/0x7b [intel_qat] [ 7.183834] adf_dev_shutdown+0x172/0x2b0 [intel_qat] [7.184127] adf_probe+0x5e9/0x600 [qat_dh895xccvf] • https://git.kernel.org/stable/c/25c6ffb249f612c56a48ce48a3887adf57b8f4bd https://git.kernel.org/stable/c/f4c4e07140687f42bfa40e091bb4a55d7960ce4d https://git.kernel.org/stable/c/446045cf682af12d9294765f6c46084b374b5654 https://git.kernel.org/stable/c/09d16cee6285d37cc76311c29add6d97a7e4acda https://git.kernel.org/stable/c/05ec8192ee4bfdf2a8894a68350dac9f1a155fa6 https://git.kernel.org/stable/c/1f50392650ae794a1aea41c213c6a3e1c824413c https://git.kernel.org/stable/c/20fd40fc6f2c2b41dc6f637f88d494b14e9c21f1 https://git.kernel.org/stable/c/1ea500ce6f7c9106e4a561d28e69215f3 •