CVE-2024-26762 – cxl/pci: Skip to handle RAS errors if CXL.mem device is detached
https://notcve.org/view.php?id=CVE-2024-26762
In the Linux kernel, the following vulnerability has been resolved: cxl/pci: Skip to handle RAS errors if CXL.mem device is detached The PCI AER model is an awkward fit for CXL error handling. While the expectation is that a PCI device can escalate to link reset to recover from an AER event, the same reset on CXL amounts to a surprise memory hotplug of massive amounts of memory. At present, the CXL error handler attempts some optimistic error handling to unbind the device from the cxl_mem driver after reaping some RAS register values. This results in a "hopeful" attempt to unplug the memory, but there is no guarantee that will succeed. A subsequent AER notification after the memdev unbind event can no longer assume the registers are mapped. Check for memdev bind before reaping status register values to avoid crashes of the form: BUG: unable to handle page fault for address: ffa00000195e9100 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page [...] RIP: 0010:__cxl_handle_ras+0x30/0x110 [cxl_core] [...] Call Trace: <TASK> ? __die+0x24/0x70 ? • https://git.kernel.org/stable/c/6ac07883dbb5f60f7bc56a13b7a84a382aa9c1ab https://git.kernel.org/stable/c/21e5e84f3f63fdf44e49642a6e45cd895e921a84 https://git.kernel.org/stable/c/eef5c7b28dbecd6b141987a96db6c54e49828102 •
CVE-2024-26761 – cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window
https://notcve.org/view.php?id=CVE-2024-26761
In the Linux kernel, the following vulnerability has been resolved: cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window The Linux CXL subsystem is built on the assumption that HPA == SPA. That is, the host physical address (HPA) the HDM decoder registers are programmed with are system physical addresses (SPA). During HDM decoder setup, the DVSEC CXL range registers (cxl-3.1, 8.1.3.8) are checked if the memory is enabled and the CXL range is in a HPA window that is described in a CFMWS structure of the CXL host bridge (cxl-3.1, 9.18.1.3). Now, if the HPA is not an SPA, the CXL range does not match a CFMWS window and the CXL memory range will be disabled then. The HDM decoder stops working which causes system memory being disabled and further a system hang during HDM decoder initialization, typically when a CXL enabled kernel boots. Prevent a system hang and do not disable the HDM decoder if the decoder's CXL range is not found in a CFMWS window. Note the change only fixes a hardware hang, but does not implement HPA/SPA translation. Support for this can be added in a follow on patch series. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: cxl/pci: corrige la desactivación de la memoria si el rango DVSEC CXL no coincide con una ventana CFMWS. El subSYSTEM Linux CXL se basa en el supuesto de que HPA == SPA. • https://git.kernel.org/stable/c/34e37b4c432cd0f1842b352fde4b8878b4166888 https://git.kernel.org/stable/c/031217128990d7f0ab8c46db1afb3cf1e075fd29 https://git.kernel.org/stable/c/2cc1a530ab31c65b52daf3cb5d0883c8b614ea69 https://git.kernel.org/stable/c/3a3181a71935774bda2398451256d7441426420b https://git.kernel.org/stable/c/0cab687205986491302cd2e440ef1d253031c221 https://access.redhat.com/security/cve/CVE-2024-26761 https://bugzilla.redhat.com/show_bug.cgi?id=2273200 • CWE-20: Improper Input Validation •
CVE-2024-26760 – scsi: target: pscsi: Fix bio_put() for error case
https://notcve.org/view.php?id=CVE-2024-26760
In the Linux kernel, the following vulnerability has been resolved: scsi: target: pscsi: Fix bio_put() for error case As of commit 066ff571011d ("block: turn bio_kmalloc into a simple kmalloc wrapper"), a bio allocated by bio_kmalloc() must be freed by bio_uninit() and kfree(). That is not done properly for the error case, hitting WARN and NULL pointer dereference in bio_free(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: scsi: target: pscsi: corrige bio_put() para el caso de error A partir del commit 066ff571011d ("bloque: convierte bio_kmalloc en un contenedor kmalloc simple"), una biografía asignada por bio_kmalloc() debe ser liberado por bio_uninit() y kfree(). Esto no se hace correctamente en el caso de error, al presionar WARN y desreferenciar el puntero NULL en bio_free(). • https://git.kernel.org/stable/c/066ff571011d8416e903d3d4f1f41e0b5eb91e1d https://git.kernel.org/stable/c/f49b20fd0134da84a6bd8108f9e73c077b7d6231 https://git.kernel.org/stable/c/4ebc079f0c7dcda1270843ab0f38ab4edb8f7921 https://git.kernel.org/stable/c/1cfe9489fb563e9a0c9cdc5ca68257a44428c2ec https://git.kernel.org/stable/c/de959094eb2197636f7c803af0943cb9d3b35804 •
CVE-2024-26759 – mm/swap: fix race when skipping swapcache
https://notcve.org/view.php?id=CVE-2024-26759
In the Linux kernel, the following vulnerability has been resolved: mm/swap: fix race when skipping swapcache When skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads swapin the same entry at the same time, they get different pages (A, B). Before one thread (T0) finishes the swapin and installs page (A) to the PTE, another thread (T1) could finish swapin of page (B), swap_free the entry, then swap out the possibly modified page reusing the same entry. It breaks the pte_same check in (T0) because PTE value is unchanged, causing ABA problem. Thread (T0) will install a stalled page (A) into the PTE and cause data corruption. One possible callstack is like this: CPU0 CPU1 ---- ---- do_swap_page() do_swap_page() with same entry <direct swapin path> <direct swapin path> <alloc page A> <alloc page B> swap_read_folio() <- read to page A swap_read_folio() <- read to page B <slow on later locks or interrupt> <finished swapin first> ... set_pte_at() swap_free() <- entry is free <write to page B, now page A stalled> <swap out page B to same swap entry> pte_same() <- Check pass, PTE seems unchanged, but page A is stalled! swap_free() <- page B content lost! set_pte_at() <- staled page A installed! • https://git.kernel.org/stable/c/0bcac06f27d7528591c27ac2b093ccd71c5d0168 https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95 https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458 https://access.redhat.com/security/cve/CVE-2024-26759 https://bugzilla.redhat.com/show_bug.cgi?id=2273204 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2024-26758 – md: Don't ignore suspended array in md_check_recovery()
https://notcve.org/view.php?id=CVE-2024-26758
In the Linux kernel, the following vulnerability has been resolved: md: Don't ignore suspended array in md_check_recovery() mddev_suspend() never stop sync_thread, hence it doesn't make sense to ignore suspended array in md_check_recovery(), which might cause sync_thread can't be unregistered. After commit f52f5c71f3d4 ("md: fix stopping sync thread"), following hang can be triggered by test shell/integrity-caching.sh: 1) suspend the array: raid_postsuspend mddev_suspend 2) stop the array: raid_dtr md_stop __md_stop_writes stop_sync_thread set_bit(MD_RECOVERY_INTR, &mddev->recovery); md_wakeup_thread_directly(mddev->sync_thread); wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) 3) sync thread done: md_do_sync set_bit(MD_RECOVERY_DONE, &mddev->recovery); md_wakeup_thread(mddev->thread); 4) daemon thread can't unregister sync thread: md_check_recovery if (mddev->suspended) return; -> return directly md_read_sync_thread clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery); -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang; This problem is not just related to dm-raid, fix it by ignoring suspended array in md_check_recovery(). And follow up patches will improve dm-raid better to frozen sync thread during suspend. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: md: No ignorar la matriz suspendida en md_check_recovery() mddev_suspend() nunca detiene sync_thread, por lo tanto, no tiene sentido ignorar la matriz suspendida en md_check_recovery(), lo que podría causar sync_thread no se puede cancelar el registro. Después de commit f52f5c71f3d4 ("md: arreglar la detención del hilo de sincronización"), el siguiente bloqueo se puede activar mediante test shell/integrity-caching.sh: 1) suspender la matriz: raid_postsuspend mddev_suspend 2) detener la matriz: raid_dtr md_stop __md_stop_writes stop_sync_thread set_bit(MD_RECOVERY_INTR , &mddev->recuperación); md_wakeup_thread_directly(mddev->sync_thread); wait_event(..., ! • https://git.kernel.org/stable/c/68866e425be2ef2664aa5c691bb3ab789736acf5 https://git.kernel.org/stable/c/a55f0d6179a19c6b982e2dc344d58c98647a3be0 https://git.kernel.org/stable/c/1baae052cccd08daf9a9d64c3f959d8cdb689757 https://access.redhat.com/security/cve/CVE-2024-26758 https://bugzilla.redhat.com/show_bug.cgi?id=2273206 • CWE-20: Improper Input Validation CWE-129: Improper Validation of Array Index •