CVE-2021-46945 – ext4: always panic when errors=panic is specified
https://notcve.org/view.php?id=CVE-2021-46945
In the Linux kernel, the following vulnerability has been resolved: ext4: always panic when errors=panic is specified Before commit 014c9caa29d3 ("ext4: make ext4_abort() use __ext4_error()"), the following series of commands would trigger a panic: 1. mount /dev/sda -o ro,errors=panic test 2. mount /dev/sda -o remount,abort test After commit 014c9caa29d3, remounting a file system using the test mount option "abort" will no longer trigger a panic. This commit will restore the behaviour immediately before commit 014c9caa29d3. (However, note that the Linux kernel's behavior has not been consistent; some previous kernel versions, including 5.4 and 4.19 similarly did not panic after using the mount option "abort".) This also makes a change to long-standing behaviour; namely, the following series commands will now cause a panic, when previously it did not: 1. mount /dev/sda -o ro,errors=panic test 2. echo test > /sys/fs/ext4/sda/trigger_fs_error However, this makes ext4's behaviour much more consistent, so this is a good thing. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ext4: siempre entra en pánico cuando se especifica errores=panic Antes del commit 014c9caa29d3 ("ext4: make ext4_abort() use __ext4_error()"), la siguiente serie de comandos desencadenaría un pánico: 1. mount /dev/sda -o ro,errors=panic test 2. mount /dev/sda -o remount,abort test Después de el commit 014c9caa29d3, volver a montar un sistema de archivos utilizando la opción de montaje de prueba "abort" ya no provocará pánico . Esta confirmación restaurará el comportamiento inmediatamente anterior a el commit 014c9caa29d3. (Sin embargo, tenga en cuenta que el comportamiento del kernel de Linux no ha sido consistente; algunas versiones anteriores del kernel, incluidas 5.4 y 4.19, tampoco entraron en pánico después de usar la opción de montaje "abortar".) • https://git.kernel.org/stable/c/014c9caa29d3a44e0de695c99ef18bec3e887d52 https://git.kernel.org/stable/c/64e1eebe2131183174f4fbb6b1491355f96c6cde https://git.kernel.org/stable/c/1e9ea8f4637026b8e965128953f2da061ccae9c4 https://git.kernel.org/stable/c/ac2f7ca51b0929461ea49918f27c11b680f28995 •
CVE-2021-46944 – media: staging/intel-ipu3: Fix memory leak in imu_fmt
https://notcve.org/view.php?id=CVE-2021-46944
In the Linux kernel, the following vulnerability has been resolved: media: staging/intel-ipu3: Fix memory leak in imu_fmt We are losing the reference to an allocated memory if try. Change the order of the check to avoid that. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: medios: staging/intel-ipu3: Reparar pérdida de memoria en imu_fmt Estamos perdiendo la referencia a una memoria asignada si lo intentamos. Cambie el orden del cheque para evitarlo. • https://git.kernel.org/stable/c/6d5f26f2e045f2377b524516194657c00efbbce8 https://git.kernel.org/stable/c/ff792ae52005c85a2d829c153e08d99a356e007d https://git.kernel.org/stable/c/517f6f570566a863c2422b843c8b7d099474f6a9 https://git.kernel.org/stable/c/14d0e99c3ef6b0648535a31bf2eaabb4eff97b9e https://git.kernel.org/stable/c/74ba0adb5e983503b18a96121d965cad34ac7ce3 https://git.kernel.org/stable/c/3630901933afba1d16c462b04d569b7576339223 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2021-46943 – media: staging/intel-ipu3: Fix set_fmt error handling
https://notcve.org/view.php?id=CVE-2021-46943
In the Linux kernel, the following vulnerability has been resolved: media: staging/intel-ipu3: Fix set_fmt error handling If there in an error during a set_fmt, do not overwrite the previous sizes with the invalid config. Without this patch, v4l2-compliance ends up allocating 4GiB of RAM and causing the following OOPs [ 38.662975] ipu3-imgu 0000:00:05.0: swiotlb buffer is full (sz: 4096 bytes) [ 38.662980] DMA: Out of SW-IOMMU space for 4096 bytes at device 0000:00:05.0 [ 38.663010] general protection fault: 0000 [#1] PREEMPT SMP En el kernel de Linux, se resolvió la siguiente vulnerabilidad: medios: staging/intel-ipu3: Corrija el manejo de errores set_fmt Si ocurre un error durante un set_fmt, no sobrescriba los tamaños anteriores con la configuración no válida. Sin este parche, el cumplimiento de v4l2 termina asignando 4 GiB de RAM y provocando los siguientes OOP [38.662975] ipu3-imgu 0000:00:05.0: el búfer swiotlb está lleno (sz: 4096 bytes) [38.662980] DMA: Fuera de SW-IOMMU espacio para 4096 bytes en el dispositivo 0000:00:05.0 [38.663010] falla de protección general: 0000 [#1] PREEMPT SMP • https://git.kernel.org/stable/c/6d5f26f2e045f2377b524516194657c00efbbce8 https://git.kernel.org/stable/c/a03fb1e8a110658215a4cefc3e2ad53279e496a6 https://git.kernel.org/stable/c/c6b81b897f6f9445d57f8d47c4e060ec21556137 https://git.kernel.org/stable/c/34892ea938387d83ffcfb7775ec55f0f80767916 https://git.kernel.org/stable/c/6fb617e37a39db0a3eca4489431359d0bdf3b9bc https://git.kernel.org/stable/c/ad91849996f9dd79741a961fd03585a683b08356 • CWE-131: Incorrect Calculation of Buffer Size •
CVE-2021-46942 – io_uring: fix shared sqpoll cancellation hangs
https://notcve.org/view.php?id=CVE-2021-46942
In the Linux kernel, the following vulnerability has been resolved: io_uring: fix shared sqpoll cancellation hangs [ 736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds. [ 736.982897] Call Trace: [ 736.982901] schedule+0x68/0xe0 [ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110 [ 736.982908] io_sqpoll_cancel_cb+0x24/0x30 [ 736.982911] io_run_task_work_head+0x28/0x50 [ 736.982913] io_sq_thread+0x4e3/0x720 We call io_uring_cancel_sqpoll() one by one for each ctx either in sq_thread() itself or via task works, and it's intended to cancel all requests of a specified context. However the function uses per-task counters to track the number of inflight requests, so it counts more requests than available via currect io_uring ctx and goes to sleep for them to appear (e.g. from IRQ), that will never happen. Cancel a bit more than before, i.e. all ctxs that share sqpoll and continue to use shared counters. Don't forget that we should not remove ctx from the list before running that task_work sqpoll-cancel, otherwise the function wouldn't be able to find the context and will hang. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: corrige bloqueos de cancelación de sqpoll compartido [736.982891] INFORMACIÓN: tarea iou-sqp-4294:4295 bloqueada durante más de 122 segundos. [ 736.982897] Seguimiento de llamadas: [ 736.982901] agenda+0x68/0xe0 [ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110 [ 736.982908] io_sqpoll_cancel_cb+0x24/0x30 [ 736.982911] io_run_task_work_head+0x28/0x50 [ 736.982913] io_sq_thread+0x4e3/0x720 Llamamos a io_uring_cancel_sqpoll( ) uno por uno para cada ctx, ya sea en sq_thread() o mediante tareas, y está destinado a cancelar todas las solicitudes de un contexto específico. Sin embargo, la función utiliza contadores por tarea para rastrear la cantidad de solicitudes en curso, por lo que cuenta más solicitudes de las disponibles a través de currect io_uring ctx y se pone en suspensión para que aparezcan (por ejemplo, desde IRQ), eso nunca sucederá. • https://git.kernel.org/stable/c/37d1e2e3642e2380750d7f35279180826f29660e https://git.kernel.org/stable/c/cb5e0b3d0f993a6268c1a2c7ede2f9aa0c17ef68 https://git.kernel.org/stable/c/734551df6f9bedfbefcd113ede665945e9de0b99 •
CVE-2021-46941 – usb: dwc3: core: Do core softreset when switch mode
https://notcve.org/view.php?id=CVE-2021-46941
In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: Do core softreset when switch mode According to the programming guide, to switch mode for DRD controller, the driver needs to do the following. To switch from device to host: 1. Reset controller with GCTL.CoreSoftReset 2. Set GCTL.PrtCapDir(host mode) 3. Reset the host with USBCMD.HCRESET 4. Then follow up with the initializing host registers sequence To switch from host to device: 1. • https://git.kernel.org/stable/c/41ce1456e1dbbc7355d0fcc10cf7c337c13def24 https://git.kernel.org/stable/c/fce7bbcd07d59ac30dba8ce225316b3b4c1c7b50 https://git.kernel.org/stable/c/800f58217626c8b147aa40660e572ed8a0d56e3b https://git.kernel.org/stable/c/1c10fd60c8595ea7ff7e29d3cf1fa88069941da3 https://git.kernel.org/stable/c/f88359e1588b85cf0e8209ab7d6620085f3441d9 •