CVE-2024-35960 – net/mlx5: Properly link new fs rules into the tree
https://notcve.org/view.php?id=CVE-2024-35960
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Properly link new fs rules into the tree Previously, add_rule_fg would only add newly created rules from the handle into the tree when they had a refcount of 1. On the other hand, create_flow_handle tries hard to find and reference already existing identical rules instead of creating new ones. These two behaviors can result in a situation where create_flow_handle 1) creates a new rule and references it, then 2) in a subsequent step during the same handle creation references it again, resulting in a rule with a refcount of 2 that is not linked into the tree, will have a NULL parent and root and will result in a crash when the flow group is deleted because del_sw_hw_rule, invoked on rule deletion, assumes node->parent is != NULL. This happened in the wild, due to another bug related to incorrect handling of duplicate pkt_reformat ids, which lead to the code in create_flow_handle incorrectly referencing a just-added rule in the same flow handle, resulting in the problem described above. Full details are at [1]. This patch changes add_rule_fg to add new rules without parents into the tree, properly initializing them and avoiding the crash. This makes it more consistent with how rules are added to an FTE in create_flow_handle. • https://git.kernel.org/stable/c/74491de937125d0c98c9b9c9208b4105717a3caa https://git.kernel.org/stable/c/de0139719cdda82806a47580ca0df06fc85e0bd2 https://git.kernel.org/stable/c/1263b0b26077b1183c3c45a0a2479573a351d423 https://git.kernel.org/stable/c/3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801 https://git.kernel.org/stable/c/7aaee12b804c5e0374e7b132b6ec2158ff33dd64 https://git.kernel.org/stable/c/2e8dc5cffc844dacfa79f056dea88002312f253f https://git.kernel.org/stable/c/5cf5337ef701830f173b4eec00a4f984adeb57a0 https://git.kernel.org/stable/c/adf67a03af39095f05d82050f15813d6f • CWE-476: NULL Pointer Dereference •
CVE-2024-35959 – net/mlx5e: Fix mlx5e_priv_init() cleanup flow
https://notcve.org/view.php?id=CVE-2024-35959
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix mlx5e_priv_init() cleanup flow When mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which calls mlx5e_selq_apply() that assures that the `priv->state_lock` is held using lockdep_is_held(). Acquire the state_lock in mlx5e_selq_cleanup(). Kernel log: ============================= WARNING: suspicious RCU usage 6.8.0-rc3_net_next_841a9b5 #1 Not tainted ----------------------------- drivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 2 locks held by systemd-modules/293: #0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core] #1: ffff8881096c65c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core] stack backtrace: CPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x8a/0xa0 lockdep_rcu_suspicious+0x154/0x1a0 mlx5e_selq_apply+0x94/0xa0 [mlx5_core] mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core] mlx5e_priv_init+0x2be/0x2f0 [mlx5_core] mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core] rdma_init_netdev+0x4e/0x80 [ib_core] ? mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core] ipoib_intf_init+0x64/0x550 [ib_ipoib] ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib] ipoib_add_one+0xb0/0x360 [ib_ipoib] add_client_context+0x112/0x1c0 [ib_core] ib_register_client+0x166/0x1b0 [ib_core] ? 0xffffffffa0573000 ipoib_init_module+0xeb/0x1a0 [ib_ipoib] do_one_initcall+0x61/0x250 do_init_module+0x8a/0x270 init_module_from_file+0x8b/0xd0 idempotent_init_module+0x17d/0x230 __x64_sys_finit_module+0x61/0xb0 do_syscall_64+0x71/0x140 entry_SYSCALL_64_after_hwframe+0x46/0x4e </TASK> En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net/mlx5e: corrige el flujo de limpieza de mlx5e_priv_init(). Cuando falla mlx5e_priv_init(), el flujo de limpieza llama a mlx5e_selq_cleanup, que llama a mlx5e_selq_apply() y garantiza que se mantenga `priv->state_lock`. usando lockdep_is_held(). • https://git.kernel.org/stable/c/8bf30be75069d6080659de9a28565c048f6cef9b https://git.kernel.org/stable/c/ad26f26abd353113dea4e8d5ebadccdab9b61e76 https://git.kernel.org/stable/c/f9ac93b6f3de34aa0bb983b9be4f69ca50fc70f3 https://git.kernel.org/stable/c/6bd77865fda662913dcb5722a66a773840370aa7 https://git.kernel.org/stable/c/ecb829459a841198e142f72fadab56424ae96519 https://access.redhat.com/security/cve/CVE-2024-35959 https://bugzilla.redhat.com/show_bug.cgi?id=2281923 •
CVE-2024-35958 – net: ena: Fix incorrect descriptor free behavior
https://notcve.org/view.php?id=CVE-2024-35958
In the Linux kernel, the following vulnerability has been resolved: net: ena: Fix incorrect descriptor free behavior ENA has two types of TX queues: - queues which only process TX packets arriving from the network stack - queues which only process TX packets forwarded to it by XDP_REDIRECT or XDP_TX instructions The ena_free_tx_bufs() cycles through all descriptors in a TX queue and unmaps + frees every descriptor that hasn't been acknowledged yet by the device (uncompleted TX transactions). The function assumes that the processed TX queue is necessarily from the first category listed above and ends up using napi_consume_skb() for descriptors belonging to an XDP specific queue. This patch solves a bug in which, in case of a VF reset, the descriptors aren't freed correctly, leading to crashes. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: ena: soluciona el comportamiento incorrecto sin descriptor. ENA tiene dos tipos de colas TX: - colas que solo procesan paquetes TX que llegan desde la pila de red - colas que solo procesan paquetes TX reenviados a mediante instrucciones XDP_REDIRECT o XDP_TX. Ena_free_tx_bufs() recorre todos los descriptores en una cola de TX y desasigna + libera todos los descriptores que aún no han sido reconocidos por el dispositivo (transacciones de TX incompletas). La función supone que la cola TX procesada es necesariamente de la primera categoría enumerada anteriormente y termina usando napi_consume_skb() para los descriptores que pertenecen a una cola XDP específica. • https://git.kernel.org/stable/c/548c4940b9f1f527f81509468dd60b61418880b6 https://git.kernel.org/stable/c/b26aa765f7437e1bbe8db4c1641b12bd5dd378f0 https://git.kernel.org/stable/c/fdfbf54d128ab6ab255db138488f9650485795a2 https://git.kernel.org/stable/c/19ff8fed3338898b70b2aad831386c78564912e1 https://git.kernel.org/stable/c/5c7f2240d9835a7823d87f7460d8eae9f4e504c7 https://git.kernel.org/stable/c/c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d https://git.kernel.org/stable/c/bf02d9fe00632d22fa91d34749c7aacf397b6cde https://lists.debian.org/debian-lts-announce/2024/06/ •
CVE-2024-35957 – iommu/vt-d: Fix WARN_ON in iommu probe path
https://notcve.org/view.php?id=CVE-2024-35957
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix WARN_ON in iommu probe path Commit 1a75cc710b95 ("iommu/vt-d: Use rbtree to track iommu probed devices") adds all devices probed by the iommu driver in a rbtree indexed by the source ID of each device. It assumes that each device has a unique source ID. This assumption is incorrect and the VT-d spec doesn't state this requirement either. The reason for using a rbtree to track devices is to look up the device with PCI bus and devfunc in the paths of handling ATS invalidation time out error and the PRI I/O page faults. Both are PCI ATS feature related. Only track the devices that have PCI ATS capabilities in the rbtree to avoid unnecessary WARN_ON in the iommu probe path. Otherwise, on some platforms below kernel splat will be displayed and the iommu probe results in failure. WARNING: CPU: 3 PID: 166 at drivers/iommu/intel/iommu.c:158 intel_iommu_probe_device+0x319/0xd90 Call Trace: <TASK> ? • https://git.kernel.org/stable/c/c618d446f1d64bdc9e426bab5e8619f224cde2ae https://git.kernel.org/stable/c/fba8ca3e6f608b92e54271fdbd3ce569361939fc https://git.kernel.org/stable/c/89436f4f54125b1297aec1f466efd8acb4ec613d https://access.redhat.com/security/cve/CVE-2024-35957 https://bugzilla.redhat.com/show_bug.cgi?id=2281927 •
CVE-2024-35956 – btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations
https://notcve.org/view.php?id=CVE-2024-35956
In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations Create subvolume, create snapshot and delete subvolume all use btrfs_subvolume_reserve_metadata() to reserve metadata for the changes done to the parent subvolume's fs tree, which cannot be mediated in the normal way via start_transaction. When quota groups (squota or qgroups) are enabled, this reserves qgroup metadata of type PREALLOC. Once the operation is associated to a transaction, we convert PREALLOC to PERTRANS, which gets cleared in bulk at the end of the transaction. However, the error paths of these three operations were not implementing this lifecycle correctly. They unconditionally converted the PREALLOC to PERTRANS in a generic cleanup step regardless of errors or whether the operation was fully associated to a transaction or not. This resulted in error paths occasionally converting this rsv to PERTRANS without calling record_root_in_trans successfully, which meant that unless that root got recorded in the transaction by some other thread, the end of the transaction would not free that root's PERTRANS, leaking it. • https://git.kernel.org/stable/c/e85fde5162bf1b242cbd6daf7dba0f9b457d592b https://git.kernel.org/stable/c/2978cb474745b2d93c263008d265e89985706094 https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9 https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd •