CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53218 – f2fs: fix race in concurrent f2fs_stop_gc_thread
https://notcve.org/view.php?id=CVE-2024-53218
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix race in concurrent f2fs_stop_gc_thread In my test case, concurrent calls to f2fs shutdown report the following stack trace: Oops: general protection fault, probably for non-canonical address 0xc6cfff63bb5513fc: 0000 [#1] PREEMPT SMP PTI CPU: 0 UID: 0 PID: 678 Comm: f2fs_rep_shutdo Not tainted 6.12.0-rc5-next-20241029-g6fb2fa9805c5-dirty #85 Call Trace: <TASK> ? show_regs+0x8b/0xa0 ? __die_body+0x26/0xa0 ? die_addr+0x54/0x90 ? exc_general_protection+0x24b/0x5c0 ? • https://git.kernel.org/stable/c/7950e9ac638e84518fbdd5c930939ad46a1068c5 https://git.kernel.org/stable/c/794fa8792d4eacac191f1cbcc2e81b7369e4662a https://git.kernel.org/stable/c/60457ed6c67625c87861f96912b4179dc2293896 https://git.kernel.org/stable/c/c631207897a9b3d41167ceca58e07f8f94720e42 https://git.kernel.org/stable/c/7b0033dbc48340a1c1c3f12448ba17d6587ca092 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2024-53217 – NFSD: Prevent NULL dereference in nfsd4_process_cb_update()
https://notcve.org/view.php?id=CVE-2024-53217
In the Linux kernel, the following vulnerability has been resolved: NFSD: Prevent NULL dereference in nfsd4_process_cb_update() @ses is initialized to NULL. If __nfsd4_find_backchannel() finds no available backchannel session, setup_callback_client() will try to dereference @ses and segfault. • https://git.kernel.org/stable/c/dcbeaa68dbbdacbbb330a86c7fc95a28473fc209 https://git.kernel.org/stable/c/d9a0d1f6e15859ea7a86a327f28491e23deaaa62 https://git.kernel.org/stable/c/cac1405e3ff6685a438e910ad719e0cf06af90ee https://git.kernel.org/stable/c/752a75811f27300fe8131b0a1efc91960f6f88e7 https://git.kernel.org/stable/c/c5d90f9302742985a5078e42ac38de42c364c44a https://git.kernel.org/stable/c/0c3b0e326f838787d229314d4de83af9c53347e8 https://git.kernel.org/stable/c/eb51733ae5fc73d95bd857d5da26f9f65b202a79 https://git.kernel.org/stable/c/03178cd8f67227015debb700123987fe9 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53216 – nfsd: release svc_expkey/svc_export with rcu_work
https://notcve.org/view.php?id=CVE-2024-53216
In the Linux kernel, the following vulnerability has been resolved: nfsd: release svc_expkey/svc_export with rcu_work The last reference for `cache_head` can be reduced to zero in `c_show` and `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently, `svc_export_put` and `expkey_put` will be invoked, leading to two issues: 1. The `svc_export_put` will directly free ex_uuid. However, `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can trigger a use-after-free issue, shown below. ================================================================== BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd] Read of size 1 at addr ff11000010fdc120 by task cat/870 CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_address_description.constprop.0+0x2c/0x3a0 print_report+0xb9/0x280 kasan_report+0xae/0xe0 svc_export_show+0x362/0x430 [nfsd] c_show+0x161/0x390 [sunrpc] seq_read_iter+0x589/0x770 seq_read+0x1e5/0x270 proc_reg_read+0xe1/0x140 vfs_read+0x125/0x530 ksys_read+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 830: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc_node_track_caller_noprof+0x1bc/0x400 kmemdup_noprof+0x22/0x50 svc_export_parse+0x8a9/0xb80 [nfsd] cache_do_downcall+0x71/0xa0 [sunrpc] cache_write_procfs+0x8e/0xd0 [sunrpc] proc_reg_write+0xe1/0x140 vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 868: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kfree+0xf3/0x3e0 svc_export_put+0x87/0xb0 [nfsd] cache_purge+0x17f/0x1f0 [sunrpc] nfsd_destroy_serv+0x226/0x2d0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e 2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`. However, `svc_export_put`/`expkey_put` will call path_put, which subsequently triggers a sleeping operation due to the following `dput`. ============================= WARNING: suspicious RCU usage 5.10.0-dirty #141 Not tainted ----------------------------- ... Call Trace: dump_stack+0x9a/0xd0 ___might_sleep+0x231/0x240 dput+0x39/0x600 path_put+0x1b/0x30 svc_export_put+0x17/0x80 e_show+0x1c9/0x200 seq_read_iter+0x63f/0x7c0 seq_read+0x226/0x2d0 vfs_read+0x113/0x2c0 ksys_read+0xc9/0x170 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Fix these issues by using `rcu_work` to help release `svc_expkey`/`svc_export`. • https://git.kernel.org/stable/c/9ceddd9da13434a5906255c0fc528c385aded283 https://git.kernel.org/stable/c/bd8524148dd8c123334b066faa90590ba2ef8e6f https://git.kernel.org/stable/c/2e4854599200f4d021df8ae17e69221d7c149f3e https://git.kernel.org/stable/c/ad4363a24a5746b257c0beb5d8cc68f9b62c173f https://git.kernel.org/stable/c/f8c989a0c89a75d30f899a7cabdc14d72522bb8d •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-53215 – svcrdma: fix miss destroy percpu_counter in svc_rdma_proc_init()
https://notcve.org/view.php?id=CVE-2024-53215
In the Linux kernel, the following vulnerability has been resolved: svcrdma: fix miss destroy percpu_counter in svc_rdma_proc_init() There's issue as follows: RPC: Registered rdma transport module. RPC: Registered rdma backchannel transport module. RPC: Unregistered rdma transport module. RPC: Unregistered rdma backchannel transport module. BUG: unable to handle page fault for address: fffffbfff80c609a PGD 123fee067 P4D 123fee067 PUD 123fea067 PMD 10c624067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI RIP: 0010:percpu_counter_destroy_many+0xf7/0x2a0 Call Trace: <TASK> __die+0x1f/0x70 page_fault_oops+0x2cd/0x860 spurious_kernel_fault+0x36/0x450 do_kern_addr_fault+0xca/0x100 exc_page_fault+0x128/0x150 asm_exc_page_fault+0x26/0x30 percpu_counter_destroy_many+0xf7/0x2a0 mmdrop+0x209/0x350 finish_task_switch.isra.0+0x481/0x840 schedule_tail+0xe/0xd0 ret_from_fork+0x23/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> If register_sysctl() return NULL, then svc_rdma_proc_cleanup() will not destroy the percpu counters which init in svc_rdma_proc_init(). If CONFIG_HOTPLUG_CPU is enabled, residual nodes may be in the 'percpu_counters' list. The above issue may occur once the module is removed. If the CONFIG_HOTPLUG_CPU configuration is not enabled, memory leakage occurs. To solve above issue just destroy all percpu counters when register_sysctl() return NULL. • https://git.kernel.org/stable/c/1e7e55731628c90d8c701c45f9c3a3b8718840d6 https://git.kernel.org/stable/c/a12c897adf40b6e2b4a56e6912380c31bd7b2479 https://git.kernel.org/stable/c/94d2d6d398706ab7218a26d61e12919c4b498e09 https://git.kernel.org/stable/c/1c9a99c89e45b22eb556fd2f3f729f2683f247d5 https://git.kernel.org/stable/c/ebf47215d46992caea660ec01cd618005d9e687a https://git.kernel.org/stable/c/20322edcbad82a60321a8615a99ca73a9611115f https://git.kernel.org/stable/c/ce89e742a4c12b20f09a43fec1b21db33f2166cd •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2024-53214 – vfio/pci: Properly hide first-in-list PCIe extended capability
https://notcve.org/view.php?id=CVE-2024-53214
In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Properly hide first-in-list PCIe extended capability There are cases where a PCIe extended capability should be hidden from the user. For example, an unknown capability (i.e., capability with ID greater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally chosen to be hidden from the user. Hiding a capability is done by virtualizing and modifying the 'Next Capability Offset' field of the previous capability so it points to the capability after the one that should be hidden. The special case where the first capability in the list should be hidden is handled differently because there is no previous capability that can be modified. In this case, the capability ID and version are zeroed while leaving the next pointer intact. This hides the capability and leaves an anchor for the rest of the capability list. However, today, hiding the first capability in the list is not done properly if the capability is unknown, as struct vfio_pci_core_device->pci_config_map is set to the capability ID during initialization but the capability ID is not properly checked later when used in vfio_config_do_rw(). This leads to the following warning [1] and to an out-of-bounds access to ecap_perms array. Fix it by checking cap_id in vfio_config_do_rw(), and if it is greater than PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct read only access instead of the ecap_perms array. Note that this is safe since the above is the only case where cap_id can exceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which are already checked before). [1] WARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] CPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1 (snip) Call Trace: <TASK> ? • https://git.kernel.org/stable/c/89e1f7d4c66d85f42c3d52ea3866eb10cadf6153 https://git.kernel.org/stable/c/4464e5aa3aa4574063640f1082f7d7e323af8eb4 https://git.kernel.org/stable/c/7d121f66b67921fb3b95e0ea9856bfba53733e91 https://git.kernel.org/stable/c/0918f5643fc6c3f7801f4a22397d2cc09ba99207 https://git.kernel.org/stable/c/9567bd34aa3b986736c290c5bcba47e0182ac47a https://git.kernel.org/stable/c/6c6502d944168cbd7e03a4a08ad6488f78d73485 https://git.kernel.org/stable/c/06f2fcf49854ad05a09d09e0dbee6544fff04695 https://git.kernel.org/stable/c/949bee8065a85a5c6607c624dc05b5bc1 •