CVE-2024-46689 – soc: qcom: cmd-db: Map shared memory as WC, not WB
https://notcve.org/view.php?id=CVE-2024-46689
In the Linux kernel, the following vulnerability has been resolved: soc: qcom: cmd-db: Map shared memory as WC, not WB Linux does not write into cmd-db region. This region of memory is write protected by XPU. XPU may sometime falsely detect clean cache eviction as "write" into the write protected region leading to secure interrupt which causes an endless loop somewhere in Trust Zone. The only reason it is working right now is because Qualcomm Hypervisor maps the same region as Non-Cacheable memory in Stage 2 translation tables. The issue manifests if we want to use another hypervisor (like Xen or KVM), which does not know anything about those specific mappings. Changing the mapping of cmd-db memory from MEMREMAP_WB to MEMREMAP_WT/WC removes dependency on correct mappings in Stage 2 tables. This patch fixes the issue by updating the mapping to MEMREMAP_WC. I tested this on SA8155P with Xen. • https://git.kernel.org/stable/c/312416d9171a1460b7ed8d182b5b540c910ce80d https://git.kernel.org/stable/c/0ee9594c974368a17e85a431e9fe1c14fb65c278 https://git.kernel.org/stable/c/f5a5a5a0e95f36e2792d48e6e4b64e665eb01374 https://git.kernel.org/stable/c/eaff392c1e34fb77cc61505a31b0191e5e46e271 https://git.kernel.org/stable/c/d9d48d70e922b272875cda60d2ada89291c840cf https://git.kernel.org/stable/c/ef80520be0ff78ae5ed44cb6eee1525e65bebe70 https://git.kernel.org/stable/c/62c2d63605ca25b5db78a347ed303c0a0a77d5b4 https://git.kernel.org/stable/c/f9bb896eab221618927ae6a2f1d566567 •
CVE-2024-46687 – btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()
https://notcve.org/view.php?id=CVE-2024-46687
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk() [BUG] There is an internal report that KASAN is reporting use-after-free, with the following backtrace: BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs] Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45 CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] Call Trace: dump_stack_lvl+0x61/0x80 print_address_description.constprop.0+0x5e/0x2f0 print_report+0x118/0x216 kasan_report+0x11d/0x1f0 btrfs_check_read_bio+0xa68/0xb70 [btrfs] process_one_work+0xce0/0x12a0 worker_thread+0x717/0x1250 kthread+0x2e3/0x3c0 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x11/0x20 Allocated by task 20917: kasan_save_stack+0x37/0x60 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x7d/0x80 kmem_cache_alloc_noprof+0x16e/0x3e0 mempool_alloc_noprof+0x12e/0x310 bio_alloc_bioset+0x3f0/0x7a0 btrfs_bio_alloc+0x2e/0x50 [btrfs] submit_extent_page+0x4d1/0xdb0 [btrfs] btrfs_do_readpage+0x8b4/0x12a0 [btrfs] btrfs_readahead+0x29a/0x430 [btrfs] read_pages+0x1a7/0xc60 page_cache_ra_unbounded+0x2ad/0x560 filemap_get_pages+0x629/0xa20 filemap_read+0x335/0xbf0 vfs_read+0x790/0xcb0 ksys_read+0xfd/0x1d0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 20917: kasan_save_stack+0x37/0x60 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x50 __kasan_slab_free+0x4b/0x60 kmem_cache_free+0x214/0x5d0 bio_free+0xed/0x180 end_bbio_data_read+0x1cc/0x580 [btrfs] btrfs_submit_chunk+0x98d/0x1880 [btrfs] btrfs_submit_bio+0x33/0x70 [btrfs] submit_one_bio+0xd4/0x130 [btrfs] submit_extent_page+0x3ea/0xdb0 [btrfs] btrfs_do_readpage+0x8b4/0x12a0 [btrfs] btrfs_readahead+0x29a/0x430 [btrfs] read_pages+0x1a7/0xc60 page_cache_ra_unbounded+0x2ad/0x560 filemap_get_pages+0x629/0xa20 filemap_read+0x335/0xbf0 vfs_read+0x790/0xcb0 ksys_read+0xfd/0x1d0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 [CAUSE] Although I cannot reproduce the error, the report itself is good enough to pin down the cause. The call trace is the regular endio workqueue context, but the free-by-task trace is showing that during btrfs_submit_chunk() we already hit a critical error, and is calling btrfs_bio_end_io() to error out. And the original endio function called bio_put() to free the whole bio. This means a double freeing thus causing use-after-free, e.g.: 1. Enter btrfs_submit_bio() with a read bio The read bio length is 128K, crossing two 64K stripes. 2. The first run of btrfs_submit_chunk() 2.1 Call btrfs_map_block(), which returns 64K 2.2 Call btrfs_split_bio() Now there are two bios, one referring to the first 64K, the other referring to the second 64K. 2.3 The first half is submitted. 3. • https://git.kernel.org/stable/c/852eee62d31abd695cd43e1b875d664ed292a8ca https://git.kernel.org/stable/c/51722b99f41f5e722ffa10b8f61e802a0e70b331 https://git.kernel.org/stable/c/4a3b9e1a8e6cd1a8d427a905e159de58d38941cc https://git.kernel.org/stable/c/10d9d8c3512f16cad47b2ff81ec6fc4b27d8ee10 •
CVE-2024-46686 – smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req()
https://notcve.org/view.php?id=CVE-2024-46686
In the Linux kernel, the following vulnerability has been resolved: smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req() This happens when called from SMB2_read() while using rdma and reaching the rdma_readwrite_threshold. • https://git.kernel.org/stable/c/edf38e9f4269591d26b3783c0b348c9345580c3c https://git.kernel.org/stable/c/a6559cc1d35d3eeafb0296aca347b2f745a28a74 https://git.kernel.org/stable/c/74ab77137c99438626f4eb8134d8e26204bb5b64 https://git.kernel.org/stable/c/6df57c63c200cd05e085c3b695128260e21959b7 https://git.kernel.org/stable/c/a01859dd6aebf826576513850a3b05992809e9d2 https://git.kernel.org/stable/c/b902fb78ab21299e4dd1775e7e8d251d5c0735bc https://git.kernel.org/stable/c/c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf •
CVE-2024-46685 – pinctrl: single: fix potential NULL dereference in pcs_get_function()
https://notcve.org/view.php?id=CVE-2024-46685
In the Linux kernel, the following vulnerability has been resolved: pinctrl: single: fix potential NULL dereference in pcs_get_function() pinmux_generic_get_function() can return NULL and the pointer 'function' was dereferenced without checking against NULL. Add checking of pointer 'function' in pcs_get_function(). Found by code review. • https://git.kernel.org/stable/c/571aec4df5b72a80f80d1e524da8fbd7ff525c98 https://git.kernel.org/stable/c/0a2bab5ed161318f57134716accba0a30f3af191 https://git.kernel.org/stable/c/2cea369a5c2e85ab14ae716da1d1cc6d25c85e11 https://git.kernel.org/stable/c/4e9436375fcc9bd2a60ee96aba6ed53f7a377d10 https://git.kernel.org/stable/c/6341c2856785dca7006820b127278058a180c075 https://git.kernel.org/stable/c/8f0bd526921b6867c2f10a83cd4fd14139adcd92 https://git.kernel.org/stable/c/4ed45fe99ec9e3c9478bd634624cd05a57d002f7 https://git.kernel.org/stable/c/292151af6add3e5ab11b2e9916cffa5f5 •
CVE-2024-46681 – pktgen: use cpus_read_lock() in pg_net_init()
https://notcve.org/view.php?id=CVE-2024-46681
In the Linux kernel, the following vulnerability has been resolved: pktgen: use cpus_read_lock() in pg_net_init() I have seen the WARN_ON(smp_processor_id() != cpu) firing in pktgen_thread_worker() during tests. We must use cpus_read_lock()/cpus_read_unlock() around the for_each_online_cpu(cpu) loop. While we are at it use WARN_ON_ONCE() to avoid a possible syslog flood. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 https://git.kernel.org/stable/c/5f5f7366dda8ae870e8305d6e7b3c0c2686cd2cf https://git.kernel.org/stable/c/979b581e4c69257acab1af415ddad6b2d78a2fa5 •