CVE-2024-26787 – mmc: mmci: stm32: fix DMA API overlapping mappings warning
https://notcve.org/view.php?id=CVE-2024-26787
In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mmc: mmci: stm32: corregir la advertencia de asignaciones superpuestas de la API DMA Al activar CONFIG_DMA_API_DEBUG_SG se genera la siguiente advertencia: DMA-API: mmci-pl18x 48220000.mmc: seguimiento de línea de caché EEXIST, asignaciones superpuestas no son compatibles ADVERTENCIA: CPU: 1 PID: 51 en kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Módulos vinculados en: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 # 1 Nombre del hardware: STMicroelectronics STM32MP257F-EV1 Placa de evaluación (DT) Cola de trabajo: events_freezable mmc_rescan Rastreo de llamadas: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x1 0/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x 14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card +0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 La depuración de la API de DMA saca a la luz asignaciones de dma con fugas, ya que dma_map_sg y dma_unmap_sg no están correctamente equilibrados. Si se produce un error en la función mmci_cmd_irq, solo se llama a la función mmci_dma_error y como esta API no se administra en la variante stm32, nunca se llama a dma_unmap_sg en esta ruta de error. • https://git.kernel.org/stable/c/46b723dd867d599420fb640c0eaf2a866ef721d4 https://git.kernel.org/stable/c/0224cbc53ba82b84affa7619b6d1b1a254bc2c53 https://git.kernel.org/stable/c/5ae5060e17a3fc38e54c3e5bd8abd6b1d5bfae7c https://git.kernel.org/stable/c/70af82bb9c897faa25a44e4181f36c60312b71ef https://git.kernel.org/stable/c/176e66269f0de327375fc0ea51c12c2f5a97e4c4 https://git.kernel.org/stable/c/d610a307225951929b9dff807788439454476f85 https://git.kernel.org/stable/c/6b1ba3f9040be5efc4396d86c9752cdc564730be https://lists.debian.org/debian-lts-announce/2024/06/ •
CVE-2024-26786 – iommufd: Fix iopt_access_list_id overwrite bug
https://notcve.org/view.php?id=CVE-2024-26786
In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix iopt_access_list_id overwrite bug Syzkaller reported the following WARN_ON: WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360 Call Trace: iommufd_access_change_ioas+0x2fe/0x4e0 iommufd_access_destroy_object+0x50/0xb0 iommufd_object_remove+0x2a3/0x490 iommufd_object_destroy_user iommufd_access_destroy+0x71/0xb0 iommufd_test_staccess_release+0x89/0xd0 __fput+0x272/0xb50 __fput_sync+0x4b/0x60 __do_sys_close __se_sys_close __x64_sys_close+0x8b/0x110 do_syscall_x64 The mismatch between the access pointer in the list and the passed-in pointer is resulting from an overwrite of access->iopt_access_list_id, in iopt_add_access(). Called from iommufd_access_change_ioas() when xa_alloc() succeeds but iopt_calculate_iova_alignment() fails. Add a new_id in iopt_add_access() and only update iopt_access_list_id when returning successfully. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: iommufd: corrige el error de sobrescritura de iopt_access_list_id Syzkaller informó lo siguiente WARN_ON: ADVERTENCIA: CPU: 1 PID: 4738 en drivers/iommu/iommufd/io_pagetable.c:1360 Seguimiento de llamadas: iommufd_access_change_ioas+0x2fe /0x4e0 iommufd_access_destroy_object+0x50/0xb0 iommufd_object_remove+0x2a3/0x490 iommufd_object_destroy_user iommufd_access_destroy+0x71/0xb0 iommufd_test_staccess_release+0x89/0xd0 __fput+0x272/0x b50 __fput_sync+0x4b/0x60 __do_sys_close __se_sys_close __x64_sys_close+0x8b/0x110 do_syscall_x64 La falta de coincidencia entre el puntero de acceso en la lista y el puntero pasado resulta de una sobrescritura de acceso->iopt_access_list_id, en iopt_add_access(). Llamado desde iommufd_access_change_ioas() cuando xa_alloc() tiene éxito pero iopt_calculate_iova_alignment() falla. Agregue un new_id en iopt_add_access() y actualice solo iopt_access_list_id cuando regrese exitosamente. • https://git.kernel.org/stable/c/9227da7816dd1a42e20d41e2244cb63c205477ca https://git.kernel.org/stable/c/f1fb745ee0a6fe43f1d84ec369c7e6af2310fda9 https://git.kernel.org/stable/c/9526a46cc0c378d381560279bea9aa34c84298a0 https://git.kernel.org/stable/c/aeb004c0cd6958e910123a1607634401009c9539 •
CVE-2024-26785 – iommufd: Fix protection fault in iommufd_test_syz_conv_iova
https://notcve.org/view.php?id=CVE-2024-26785
In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix protection fault in iommufd_test_syz_conv_iova Syzkaller reported the following bug: general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7] Call Trace: lock_acquire lock_acquire+0x1ce/0x4f0 down_read+0x93/0x4a0 iommufd_test_syz_conv_iova+0x56/0x1f0 iommufd_test_access_rw.isra.0+0x2ec/0x390 iommufd_test+0x1058/0x1e30 iommufd_fops_ioctl+0x381/0x510 vfs_ioctl __do_sys_ioctl __se_sys_ioctl __x64_sys_ioctl+0x170/0x1e0 do_syscall_x64 do_syscall_64+0x71/0x140 This is because the new iommufd_access_change_ioas() sets access->ioas to NULL during its process, so the lock might be gone in a concurrent racing context. Fix this by doing the same access->ioas sanity as iommufd_access_rw() and iommufd_access_pin_pages() functions do. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: iommufd: Se corrigió falla de protección en iommufd_test_syz_conv_iova Syzkaller informó el siguiente error: falla de protección general, probablemente para dirección no canónica 0xdffffc0000000038: 0000 [#1] SMP KASAN KASAN: null-ptr- deref en el rango [0x00000000000001c0-0x00000000000001c7] Seguimiento de llamadas: lock_acquire lock_acquire+0x1ce/0x4f0 down_read+0x93/0x4a0 iommufd_test_syz_conv_iova+0x56/0x1f0 iommufd_test_access_rw.isra. 0+0x2ec/0x390 iommufd_test+0x1058/0x1e30 iommufd_fops_ioctl+0x381/0x510 vfs_ioctl __do_sys_ioctl __se_sys_ioctl __x64_sys_ioctl +0x170/0x1e0 do_syscall_x64 do_syscall_64+0x71/0x140 Esto se debe a que el nuevo iommufd_access_change_ioas() establece access->ioas en NULL durante su proceso, por lo que el bloqueo podría desaparecer en un contexto de ejecución concurrente. Solucione este problema haciendo el mismo acceso->ioas cordura que hacen las funciones iommufd_access_rw() y iommufd_access_pin_pages(). • https://git.kernel.org/stable/c/9227da7816dd1a42e20d41e2244cb63c205477ca https://git.kernel.org/stable/c/fd4d5cd7a2e8f08357c9bfc0905957cffe8ce568 https://git.kernel.org/stable/c/fc719ecbca45c9c046640d72baddba3d83e0bc0b https://git.kernel.org/stable/c/cf7c2789822db8b5efa34f5ebcf1621bc0008d48 •
CVE-2024-26784 – pmdomain: arm: Fix NULL dereference on scmi_perf_domain removal
https://notcve.org/view.php?id=CVE-2024-26784
In the Linux kernel, the following vulnerability has been resolved: pmdomain: arm: Fix NULL dereference on scmi_perf_domain removal On unloading of the scmi_perf_domain module got the below splat, when in the DT provided to the system under test the '#power-domain-cells' property was missing. Indeed, this particular setup causes the probe to bail out early without giving any error, which leads to the ->remove() callback gets to run too, but without all the expected initialized structures in place. Add a check and bail out early on remove too. Call trace: scmi_perf_domain_remove+0x28/0x70 [scmi_perf_domain] scmi_dev_remove+0x28/0x40 [scmi_core] device_remove+0x54/0x90 device_release_driver_internal+0x1dc/0x240 driver_detach+0x58/0xa8 bus_remove_driver+0x78/0x108 driver_unregister+0x38/0x70 scmi_driver_unregister+0x28/0x180 [scmi_core] scmi_perf_domain_driver_exit+0x18/0xb78 [scmi_perf_domain] __arm64_sys_delete_module+0x1a8/0x2c0 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x34/0xb8 el0t_64_sync_handler+0x100/0x130 el0t_64_sync+0x190/0x198 Code: a90153f3 f9403c14 f9414800 955f8a05 (b9400a80) ---[ end trace 0000000000000000 ]--- En el kernel de Linux, se resolvió la siguiente vulnerabilidad: pmdomain: arm: corrigió la desreferencia NULL en la eliminación de scmi_perf_domain Al descargar el módulo scmi_perf_domain obtuvo el siguiente símbolo, cuando en el DT se proporcionó al SYSTEM bajo prueba el '#power-domain- Faltaba la propiedad de las células. De hecho, esta configuración particular hace que la sonda se retire antes de tiempo sin dar ningún error, lo que lleva a que la devolución de llamada ->remove() también se ejecute, pero sin todas las estructuras inicializadas esperadas en su lugar. Agregue un cheque y salve anticipadamente la eliminación también. Seguimiento de llamadas: scmi_perf_domain_remove+0x28/0x70 [scmi_perf_domain] scmi_dev_remove+0x28/0x40 [scmi_core] device_remove+0x54/0x90 device_release_driver_internal+0x1dc/0x240 driver_detach+0x58/0xa8 bus_remove_driver+0x78 /0x108 controlador_unregister+0x38/0x70 scmi_driver_unregister+0x28/0x180 [ scmi_core] scmi_perf_domain_driver_exit+0x18/0xb78 [scmi_perf_domain] __arm64_sys_delete_module+0x1a8/0x2c0 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x2 4/0x38 el0_svc+0x34/0xb8 el0t_64_sync_handler+0x100/0x130 el0t_64_sync+0x190/0x198 Código : a90153f3 f9403c14 f9414800 955f8a05 (b9400a80) ---[ final de seguimiento 00000000000000000 ]--- • https://git.kernel.org/stable/c/2af23ceb8624a419eaf40295c11fcb86ec9ee303 https://git.kernel.org/stable/c/f6aaf131e4d4a9a26040ecc018eb70ab8b3d355d https://git.kernel.org/stable/c/eb5555d422d0fc325e1574a7353d3c616f82d8b5 •
CVE-2024-26783 – mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index
https://notcve.org/view.php?id=CVE-2024-26783
In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index With numa balancing on, when a numa system is running where a numa node doesn't have its local memory so it has no managed zones, the following oops has been observed. It's because wakeup_kswapd() is called with a wrong zone index, -1. Fixed it by checking the index before calling wakeup_kswapd(). > BUG: unable to handle page fault for address: 00000000000033f3 > #PF: supervisor read access in kernel mode > #PF: error_code(0x0000) - not-present page > PGD 0 P4D 0 > Oops: 0000 [#1] PREEMPT SMP NOPTI > CPU: 2 PID: 895 Comm: masim Not tainted 6.6.0-dirty #255 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS > rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 > RIP: 0010:wakeup_kswapd (./linux/mm/vmscan.c:7812) > Code: (omitted) > RSP: 0000:ffffc90004257d58 EFLAGS: 00010286 > RAX: ffffffffffffffff RBX: ffff88883fff0480 RCX: 0000000000000003 > RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88883fff0480 > RBP: ffffffffffffffff R08: ff0003ffffffffff R09: ffffffffffffffff > R10: ffff888106c95540 R11: 0000000055555554 R12: 0000000000000003 > R13: 0000000000000000 R14: 0000000000000000 R15: ffff88883fff0940 > FS: 00007fc4b8124740(0000) GS:ffff888827c00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00000000000033f3 CR3: 000000026cc08004 CR4: 0000000000770ee0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > PKRU: 55555554 > Call Trace: > <TASK> > ? __die > ? • https://git.kernel.org/stable/c/c574bbe917036c8968b984c82c7b13194fe5ce98 https://git.kernel.org/stable/c/d6159bd4c00594249e305bfe02304c67c506264e https://git.kernel.org/stable/c/bdd21eed8b72f9e28d6c279f6db258e090c79080 https://git.kernel.org/stable/c/2774f256e7c0219e2b0a0894af1c76bdabc4f974 https://access.redhat.com/security/cve/CVE-2024-26783 https://bugzilla.redhat.com/show_bug.cgi?id=2273466 • CWE-762: Mismatched Memory Management Routines •