CVE-2024-26874 – drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip
https://notcve.org/view.php?id=CVE-2024-26874
In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip It's possible that mtk_crtc->event is NULL in mtk_drm_crtc_finish_page_flip(). pending_needs_vblank value is set by mtk_crtc->event, but in mtk_drm_crtc_atomic_flush(), it's is not guarded by the same lock in mtk_drm_finish_page_flip(), thus a race condition happens. Consider the following case: CPU1 CPU2 step 1: mtk_drm_crtc_atomic_begin() mtk_crtc->event is not null, step 1: mtk_drm_crtc_atomic_flush: mtk_drm_crtc_update_config( !!mtk_crtc->event) step 2: mtk_crtc_ddp_irq -> mtk_drm_finish_page_flip: lock mtk_crtc->event set to null, pending_needs_vblank set to false unlock pending_needs_vblank set to true, step 2: mtk_crtc_ddp_irq -> mtk_drm_finish_page_flip called again, pending_needs_vblank is still true //null pointer Instead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more efficient to just check if mtk_crtc->event is null before use. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/mediatek: corrige un fallo del puntero nulo en mtk_drm_crtc_finish_page_flip Es posible que mtk_crtc->event sea NULL en mtk_drm_crtc_finish_page_flip(). El valor pendiente_needs_vblank lo establece mtk_crtc->event, pero en mtk_drm_crtc_atomic_flush(), no está protegido por el mismo bloqueo en mtk_drm_finish_page_flip(), por lo que ocurre una condición de carrera. Considere el siguiente caso: CPU1 CPU2 paso 1: mtk_drm_crtc_atomic_begin() mtk_crtc->event is not null, paso 1: mtk_drm_crtc_atomic_flush: mtk_drm_crtc_update_config( !! • https://git.kernel.org/stable/c/119f5173628aa7a0c3cf9db83460d40709e8241d https://git.kernel.org/stable/c/accdac6b71d5a2b84040c3d2234f53a60edc398e https://git.kernel.org/stable/c/dfde84cc6c589f2a9f820f12426d97365670b731 https://git.kernel.org/stable/c/4688be96d20ffa49d2186523ee84f475f316fd49 https://git.kernel.org/stable/c/9beec711a17245b853d64488fd5b739031612340 https://git.kernel.org/stable/c/d2bd30c710475b2e29288827d2c91f9e6e2b91d7 https://git.kernel.org/stable/c/a3dd12b64ae8373a41a216a0b621df224210860a https://git.kernel.org/stable/c/9acee29a38b4d4b70f1f583e5ef9a245d •
CVE-2024-26873 – scsi: hisi_sas: Fix a deadlock issue related to automatic dump
https://notcve.org/view.php?id=CVE-2024-26873
In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Fix a deadlock issue related to automatic dump If we issue a disabling PHY command, the device attached with it will go offline, if a 2 bit ECC error occurs at the same time, a hung task may be found: [ 4613.652388] INFO: task kworker/u256:0:165233 blocked for more than 120 seconds. [ 4613.666297] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 4613.674809] task:kworker/u256:0 state:D stack: 0 pid:165233 ppid: 2 flags:0x00000208 [ 4613.683959] Workqueue: 0000:74:02.0_disco_q sas_revalidate_domain [libsas] [ 4613.691518] Call trace: [ 4613.694678] __switch_to+0xf8/0x17c [ 4613.698872] __schedule+0x660/0xee0 [ 4613.703063] schedule+0xac/0x240 [ 4613.706994] schedule_timeout+0x500/0x610 [ 4613.711705] __down+0x128/0x36c [ 4613.715548] down+0x240/0x2d0 [ 4613.719221] hisi_sas_internal_abort_timeout+0x1bc/0x260 [hisi_sas_main] [ 4613.726618] sas_execute_internal_abort+0x144/0x310 [libsas] [ 4613.732976] sas_execute_internal_abort_dev+0x44/0x60 [libsas] [ 4613.739504] hisi_sas_internal_task_abort_dev.isra.0+0xbc/0x1b0 [hisi_sas_main] [ 4613.747499] hisi_sas_dev_gone+0x174/0x250 [hisi_sas_main] [ 4613.753682] sas_notify_lldd_dev_gone+0xec/0x2e0 [libsas] [ 4613.759781] sas_unregister_common_dev+0x4c/0x7a0 [libsas] [ 4613.765962] sas_destruct_devices+0xb8/0x120 [libsas] [ 4613.771709] sas_do_revalidate_domain.constprop.0+0x1b8/0x31c [libsas] [ 4613.778930] sas_revalidate_domain+0x60/0xa4 [libsas] [ 4613.784716] process_one_work+0x248/0x950 [ 4613.789424] worker_thread+0x318/0x934 [ 4613.793878] kthread+0x190/0x200 [ 4613.797810] ret_from_fork+0x10/0x18 [ 4613.802121] INFO: task kworker/u256:4:316722 blocked for more than 120 seconds. [ 4613.816026] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 4613.824538] task:kworker/u256:4 state:D stack: 0 pid:316722 ppid: 2 flags:0x00000208 [ 4613.833670] Workqueue: 0000:74:02.0 hisi_sas_rst_work_handler [hisi_sas_main] [ 4613.841491] Call trace: [ 4613.844647] __switch_to+0xf8/0x17c [ 4613.848852] __schedule+0x660/0xee0 [ 4613.853052] schedule+0xac/0x240 [ 4613.856984] schedule_timeout+0x500/0x610 [ 4613.861695] __down+0x128/0x36c [ 4613.865542] down+0x240/0x2d0 [ 4613.869216] hisi_sas_controller_prereset+0x58/0x1fc [hisi_sas_main] [ 4613.876324] hisi_sas_rst_work_handler+0x40/0x8c [hisi_sas_main] [ 4613.883019] process_one_work+0x248/0x950 [ 4613.887732] worker_thread+0x318/0x934 [ 4613.892204] kthread+0x190/0x200 [ 4613.896118] ret_from_fork+0x10/0x18 [ 4613.900423] INFO: task kworker/u256:1:348985 blocked for more than 121 seconds. [ 4613.914341] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 4613.922852] task:kworker/u256:1 state:D stack: 0 pid:348985 ppid: 2 flags:0x00000208 [ 4613.931984] Workqueue: 0000:74:02.0_event_q sas_port_event_worker [libsas] [ 4613.939549] Call trace: [ 4613.942702] __switch_to+0xf8/0x17c [ 4613.946892] __schedule+0x660/0xee0 [ 4613.951083] schedule+0xac/0x240 [ 4613.955015] schedule_timeout+0x500/0x610 [ 4613.959725] wait_for_common+0x200/0x610 [ 4613.964349] wait_for_completion+0x3c/0x5c [ 4613.969146] flush_workqueue+0x198/0x790 [ 4613.973776] sas_porte_broadcast_rcvd+0x1e8/0x320 [libsas] [ 4613.979960] sas_port_event_worker+0x54/0xa0 [libsas] [ 4613.985708] process_one_work+0x248/0x950 [ 4613.990420] worker_thread+0x318/0x934 [ 4613.994868] kthread+0x190/0x200 [ 4613.998800] ret_from_fork+0x10/0x18 This is because when the device goes offline, we obtain the hisi_hba semaphore and send the ABORT_DEV command to the device. However, the internal abort timed out due to the 2 bit ECC error and triggers automatic dump. In addition, since the hisi_hba semaphore has been obtained, the dump cannot be executed and the controller cannot be reset. Therefore, the deadlocks occur on the following circular dependencies ---truncated--- En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: hisi_sas: soluciona un problema de interbloqueo relacionado con el volcado automático. Si emitimos un comando de desactivación PHY, el dispositivo conectado se desconectará si se produce un error ECC de 2 bits en el Al mismo tiempo, se puede encontrar una tarea colgada: [ 4613.652388] INFORMACIÓN: tarea kworker/u256:0:165233 bloqueada durante más de 120 segundos. [4613.666297] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" desactiva este mensaje. [ 4613.674809] tarea:kworker/u256:0 estado:D pila: 0 pid:165233 ppid: 2 banderas:0x00000208 [ 4613.683959] Cola de trabajo: 0000:74:02.0_disco_q sas_revalidate_domain [libsas] [ 4613.691518] Rastreo de llamadas: [4613.694678] __switch_to +0xf8/0x17c [ 4613.698872] __programación+0x660/0xee0 [ 4613.703063] programación+0xac/0x240 [ 4613.706994] programación_timeout+0x500/0x610 [ 4613.711705] c [ 4613.715548] abajo+0x240/0x2d0 [ 4613.719221] hisi_sas_internal_abort_timeout+0x1bc /0x260 [hisi_sas_main] [ 4613.726618] sas_execute_internal_abort+0x144/0x310 [libsas] [ 4613.732976] sas_execute_internal_abort_dev+0x44/0x60 [libsas] [ 4613.739504] _dev.isra.0+0xbc/0x1b0 [hisi_sas_main] [ 4613.747499] hisi_sas_dev_gone+0x174/0x250 [hisi_sas_main] [ 4613.753682] sas_notify_lldd_dev_gone+0xec/0x2e0 [libsas] [ 4613.759781] sas_unregister_common_dev+0x4c/0x7a0 [libsas] [ 4613.765962] sas_destruct_devices+0xb8/0x120 [libsas] [ 4613.771709] sas_do_revalidate_domain.constprop.0+0x1b8/0x31c [libsas ] [ 4613.778930] sas_revalidate_domain+0x60/0xa4 [libsas] [ 4613.784716] Process_one_work+0x248/0x950 [ 4613.789424] trabajador_thread+0x318/0x934 [ 4613.793878] 0x200 [4613.797810] ret_from_fork+0x10/0x18 [4613.802121] INFORMACIÓN: tarea kworker/u256:4:316722 bloqueado durante más de 120 segundos. [4613.816026] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" desactiva este mensaje. [ 4613.824538] tarea:kworker/u256:4 estado:D pila: 0 pid:316722 ppid: 2 banderas:0x00000208 [ 4613.833670] Cola de trabajo: 0000:74:02.0 hisi_sas_rst_work_handler [hisi_sas_main] [ 4613.841491 ] Rastreo de llamadas: [4613.844647] __switch_to+ 0xf8/0x17c [ 4613.848852] __programación+0x660/0xee0 [ 4613.853052] programación+0xac/0x240 [ 4613.856984] programación_timeout+0x500/0x610 [ 4613.861695] c [ 4613.865542] abajo+0x240/0x2d0 [ 4613.869216] hisi_sas_controller_prereset+0x58/ 0x1fc [hisi_sas_main] [ 4613.876324] hisi_sas_rst_work_handler+0x40/0x8c [hisi_sas_main] [ 4613.883019] Process_one_work+0x248/0x950 [ 4613.887732] trabajador_thread+0x318/0x934 [ 461 3.892204] kthread+0x190/0x200 [ 4613.896118] ret_from_fork+0x10/0x18 [ 4613.900423] INFORMACIÓN: tarea kworker/u256:1:348985 bloqueada durante más de 121 segundos. [4613.914341] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" desactiva este mensaje. [ 4613.922852] tarea:kworker/u256:1 estado:D pila: 0 pid:348985 ppid: 2 banderas:0x00000208 [ 4613.931984] Cola de trabajo: 0000:74:02.0_event_q sas_port_event_worker [libsas] [ 4613.939549] Rastreo de llamadas: [4613.942702] __switch_to +0xf8/0x17c [ 4613.946892] __schedule+0x660/0xee0 [ 4613.951083] Schedule+0xac/0x240 [ 4613.955015] Schedule_timeout+0x500/0x610 [ 4613.959725] x610 [ 4613.964349] espera_para_compleción+0x3c/0x5c [ 4613.969146] descarga_cola de trabajo+0x198 /0x790 [ 4613.973776] sas_porte_broadcast_rcvd+0x1e8/0x320 [libsas] [ 4613.979960] sas_port_event_worker+0x54/0xa0 [libsas] [ 4613.985708] Process_one_work+0x248/0x950 [ 4613.9 90420] hilo_trabajador+0x318/0x934 [ 4613.994868] kthread+0x190/0x200 [ 4613.998800 ] ret_from_fork+0x10/0x18 Esto se debe a que cuando el dispositivo se desconecta, obtenemos el semáforo hisi_hba y enviamos el comando ABORT_DEV al dispositivo. Sin embargo, el aborto interno expiró debido al error ECC de 2 bits y activa el volcado automático. • https://git.kernel.org/stable/c/2ff07b5c6fe9173e7a7de3b23f300d71ad4d8fde https://git.kernel.org/stable/c/e022dd3b875315a2d2001a512e98d1dc8c991f4a https://git.kernel.org/stable/c/85c98073ffcfe9e46abfb9c66f3364467119d563 https://git.kernel.org/stable/c/3c4f53b2c341ec6428b98cb51a89a09b025d0953 •
CVE-2024-26872 – RDMA/srpt: Do not register event handler until srpt device is fully setup
https://notcve.org/view.php?id=CVE-2024-26872
In the Linux kernel, the following vulnerability has been resolved: RDMA/srpt: Do not register event handler until srpt device is fully setup Upon rare occasions, KASAN reports a use-after-free Write in srpt_refresh_port(). This seems to be because an event handler is registered before the srpt device is fully setup and a race condition upon error may leave a partially setup event handler in place. Instead, only register the event handler after srpt device initialization is complete. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: RDMA/srpt: no registrar el controlador de eventos hasta que el dispositivo srpt esté completamente configurado. En raras ocasiones, KASAN informa una escritura de use-after-free en srpt_refresh_port(). Esto parece deberse a que se registra un controlador de eventos antes de que el dispositivo srpt esté completamente configurado y una condición de carrera en caso de error puede dejar en su lugar un controlador de eventos parcialmente configurado. En su lugar, registre el controlador de eventos solo después de que se complete la inicialización del dispositivo srpt. • https://git.kernel.org/stable/c/a42d985bd5b234da8b61347a78dc3057bf7bb94d https://git.kernel.org/stable/c/bdd895e0190c464f54f84579e7535d80276f0fc5 https://git.kernel.org/stable/c/6413e78086caf7bf15639923740da0d91fdfd090 https://git.kernel.org/stable/c/e362d007294955a4fb929e1c8978154a64efdcb6 https://git.kernel.org/stable/c/85570b91e4820a0db9d9432098778cafafa7d217 https://git.kernel.org/stable/c/7104a00fa37ae898a827381f1161fa3286c8b346 https://git.kernel.org/stable/c/ec77fa12da41260c6bf9e060b89234b980c5130f https://git.kernel.org/stable/c/c21a8870c98611e8f892511825c9607f1 • CWE-416: Use After Free •
CVE-2024-26871 – f2fs: fix NULL pointer dereference in f2fs_submit_page_write()
https://notcve.org/view.php?id=CVE-2024-26871
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix NULL pointer dereference in f2fs_submit_page_write() BUG: kernel NULL pointer dereference, address: 0000000000000014 RIP: 0010:f2fs_submit_page_write+0x6cf/0x780 [f2fs] Call Trace: <TASK> ? show_regs+0x6e/0x80 ? __die+0x29/0x70 ? page_fault_oops+0x154/0x4a0 ? prb_read_valid+0x20/0x30 ? • https://git.kernel.org/stable/c/e067dc3c6b9c419bac43c6a0be2d85f44681f863 https://git.kernel.org/stable/c/8e2ea8b04cb8d976110c4568509e67d6a39b2889 https://git.kernel.org/stable/c/4c122a32582b67bdd44ca8d25f894ee2dc54f566 https://git.kernel.org/stable/c/6d102382a11d5e6035f6c98f6e508a38541f7af3 https://git.kernel.org/stable/c/c2034ef6192a65a986a45c2aa2ed05824fdc0e9f •
CVE-2024-26870 – NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102
https://notcve.org/view.php?id=CVE-2024-26870
In the Linux kernel, the following vulnerability has been resolved: NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102 A call to listxattr() with a buffer size = 0 returns the actual size of the buffer needed for a subsequent call. When size > 0, nfs4_listxattr() does not return an error because either generic_listxattr() or nfs4_listxattr_nfs4_label() consumes exactly all the bytes then size is 0 when calling nfs4_listxattr_nfs4_user() which then triggers the following kernel BUG: [ 99.403778] kernel BUG at mm/usercopy.c:102! [ 99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1 [ 99.415827] Call trace: [ 99.415985] usercopy_abort+0x70/0xa0 [ 99.416227] __check_heap_object+0x134/0x158 [ 99.416505] check_heap_object+0x150/0x188 [ 99.416696] __check_object_size.part.0+0x78/0x168 [ 99.416886] __check_object_size+0x28/0x40 [ 99.417078] listxattr+0x8c/0x120 [ 99.417252] path_listxattr+0x78/0xe0 [ 99.417476] __arm64_sys_listxattr+0x28/0x40 [ 99.417723] invoke_syscall+0x78/0x100 [ 99.417929] el0_svc_common.constprop.0+0x48/0xf0 [ 99.418186] do_el0_svc+0x24/0x38 [ 99.418376] el0_svc+0x3c/0x110 [ 99.418554] el0t_64_sync_handler+0x120/0x130 [ 99.418788] el0t_64_sync+0x194/0x198 [ 99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000) Issue is reproduced when generic_listxattr() returns 'system.nfs4_acl', thus calling lisxattr() with size = 16 will trigger the bug. Add check on nfs4_listxattr() to return ERANGE error when it is called with size > 0 and the return value is greater than size. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: NFSv4.2: corrige el ERROR del kernel nfs4_listxattr en mm/usercopy.c:102 Una llamada a listxattr() con un tamaño de búfer = 0 devuelve el tamaño real del búfer necesario para un convocatoria posterior. Cuando el tamaño > 0, nfs4_listxattr() no devuelve un error porque generic_listxattr() o nfs4_listxattr_nfs4_label() consume exactamente todos los bytes, entonces el tamaño es 0 al llamar a nfs4_listxattr_nfs4_user(), lo que luego activa el siguiente ERROR del kernel: [99.403778] ERROR del kernel en mm/usercopy.c:102! • https://git.kernel.org/stable/c/012a211abd5db098094ce429de5f046368391e68 https://git.kernel.org/stable/c/4403438eaca6e91f02d272211c4d6b045092396b https://git.kernel.org/stable/c/9d52865ff28245fc2134da9f99baff603a24407a https://git.kernel.org/stable/c/06e828b3f1b206de08ef520fc46a40b22e1869cb https://git.kernel.org/stable/c/79cdcc765969d23f4e3d6ea115660c3333498768 https://git.kernel.org/stable/c/80365c9f96015bbf048fdd6c8705d3f8770132bf https://git.kernel.org/stable/c/23bfecb4d852751d5e403557dd500bb563313baf https://git.kernel.org/stable/c/251a658bbfceafb4d58c76b77682c8bf7 • CWE-20: Improper Input Validation •