SB2019112521 - Out-of-bounds read in Linux kernel




Published: November 25, 2019

Security Bulletin ID: SB2019112521
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Local access
Highest impact: Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Out-of-bounds read (CVE-ID: CVE-2019-19252)

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to out-of-bounds read error within the remove_tests() function in tools/testing/selftests/net/mptcp/mptcp_join.sh, within the __ksft_status_merge(), loopy_wait(), cleanup_ns() and setup_ns() functions in tools/testing/selftests/net/lib.sh, within the main() function in tools/testing/selftests/futex/functional/futex_requeue_pi.c, within the $() function in tools/testing/selftests/futex/functional/makefile, within the find_dot_func() function in tools/testing/selftests/ftrace/test.d/kprobe/kprobe_eventname.tc, within the fail() function in tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc, within the bpf_prog() function in tools/testing/selftests/bpf/progs/test_sk_storage_tracing.c, within the $() function in tools/testing/selftests/alsa/makefile, within the get_did() function in tools/power/cpupower/utils/helpers/amd.c, within the define_strarray() function in tools/perf/builtin-trace.c, within the record__read_lost_samples() function in tools/perf/builtin-record.c, within the probe_uprobe_multi_link() function in tools/lib/bpf/features.c, within the tomoyo_check_profile() function in security/tomoyo/common.c, within the read_symbols() function in scripts/mod/modpost.c, within the kallsyms_step() function in scripts/link-vmlinux.sh, within the _menu_finalize() function in scripts/kconfig/menu.c, within the main() function in scripts/kconfig/gconf.c, within the expr_eliminate_yn() function in scripts/kconfig/expr.c, within the conf_read() function in scripts/kconfig/confdata.c, within the ${class}${atomicname}() function in scripts/atomic/kerneldoc/sub_and_test, within the xsk_is_bound() function in net/xdp/xsk.c, within the cfg80211_get_station() function in net/wireless/util.c, within the wiphy_resume() function in net/wireless/sysfs.c, within the cfg80211_scan_6ghz() and cfg80211_6ghz_power_type_valid() functions in net/wireless/scan.c, within the pmsr_parse_ftm() function in net/wireless/pmsr.c, within the 
cfg80211_wiphy_work() function in net/wireless/core.c, within the sk_diag_dump_icons(), sk_diag_show_rqlen(), sk_diag_fill() and unix_diag_dump() functions in net/unix/diag.c, within the unix_may_send(), unix_dgram_peer_wake_me(), unix_write_space(), unix_dgram_disconnected(), unix_release_sock(), unix_listen(), unix_create1(), unix_peer(), unix_stream_connect(), unix_state_lock_nested(), copy_peercred(), unix_accept(), unix_dgram_sendmsg(), unix_stream_sendmsg(), unix_seqpacket_sendmsg(), unix_seqpacket_recvmsg(), manage_oob(), unix_stream_read_generic(), unix_inq_len(), unix_compat_ioctl(), unix_poll() and unix_dgram_poll() functions in net/unix/af_unix.c, within the gss_read_proxy_verf() function in net/sunrpc/auth_gss/svcauth_gss.c, within the gss_wrap_req_priv() function in net/sunrpc/auth_gss/auth_gss.c, within the smc_adjust_sock_bufsizes() function in net/smc/af_smc.c, within the taprio_parse_mqprio_opt() function in net/sched/sch_taprio.c, within the multiq_tune() function in net/sched/sch_multiq.c, within the __spin_lock_unlocked() function in net/sched/sch_generic.c, within the nft_payload_inner_init() function in net/netfilter/nft_payload.c, within the nft_meta_inner_init() function in net/netfilter/nft_meta.c, within the list_set_kadd(), list_set_kdel(), list_set_utest(), list_set_uadd(), list_set_udel() and list_set_destroy() functions in net/netfilter/ipset/ip_set_list_set.c, within the call_rcu(), ip_set_destroy() and ip_set_net_init() functions in net/netfilter/ipset/ip_set_core.c, within the ncsi_rsp_handler_gc() function in net/ncsi/ncsi-rsp.c, within the ncsi_suspend_channel(), ncsi_probe_channel(), ncsi_register_dev() and ncsi_start_dev() functions in net/ncsi/ncsi-manage.c, within the mptcp_set_state() and mptcp_connect() functions in net/mptcp/protocol.c, within the mptcp_pm_nl_add_addr_received() and mptcp_pm_nl_rm_addr_or_subflow() functions in net/mptcp/pm_netlink.c, within the ieee80211_sta_get_rates() function in net/mac80211/util.c, 
within the ieee80211_sta_ps_deliver_wakeup() function in net/mac80211/sta_info.c, within the __ieee80211_start_scan() function in net/mac80211/scan.c, within the ieee80211_parse_extension_element() function in net/mac80211/parse.c, within the mesh_path_discard_frame() function in net/mac80211/mesh_pathtbl.c, within the ieee80211_mesh_init_sdata() function in net/mac80211/mesh.c, within the ieee80211_reset_erp_info() and ieee80211_tasklet_handler() functions in net/mac80211/main.c, within the ieee80211_he_spr_ie_to_bss_conf() function in net/mac80211/he.c, within the ieee80211_set_mcast_rate() and __ieee80211_channel_switch() functions in net/mac80211/cfg.c, within the tcp_v6_syn_recv_sock() function in net/ipv6/tcp_ipv6.c, within the seg6_input_core() and seg6_output_core() functions in net/ipv6/seg6_iptunnel.c, within the rpl_output() and rpl_input() functions in net/ipv6/rpl_iptunnel.c, within the rt6_get_pcpu_route() and ipv6_sysctl_rtcache_flush() functions in net/ipv6/route.c, within the ip6_route_me_harder() function in net/ipv6/netfilter.c, within the __fib6_drop_pcpu_from() function in net/ipv6/ip6_fib.c, within the ila_output() function in net/ipv6/ila/ila_lwt.c, within the tcp_rtx_probe0_timed_out() function in net/ipv4/tcp_timer.c, within the tcp_inbound_ao_hash() function in net/ipv4/tcp_ao.c, within the !!() and tcp_set_state() functions in net/ipv4/tcp.c, within the recv() and ip_fib_init() functions in net/ipv4/fib_frontend.c, within the devinet_init() function in net/ipv4/devinet.c, within the tsinfo_prepare_data() function in net/ethtool/tsinfo.c, within the ethtool_get_phy_stats_ethtool() function in net/ethtool/ioctl.c, within the rtnl_mdb_del(), rtnetlink_rcv_msg() and rtnetlink_init() functions in net/core/rtnetlink.c, within the dst_cache_per_cpu_dst_set() and dst_cache_per_cpu_get() functions in net/core/dst_cache.c, within the set_rps_cpu() function in net/core/dev.c, within the br_mst_get_state(), br_mst_set_state() and 
br_mst_vlan_sync_state() functions in net/bridge/br_mst.c, within the __bpf_prog_test_run_raw_tp() function in net/bpf/test_run.c, within the l2cap_connect() and l2cap_conn_param_update_req() functions in net/bluetooth/l2cap_core.c, within the hci_setup_ext_adv_instance_sync() function in net/bluetooth/hci_sync.c, within the ax25_dev_free() function in net/ax25/ax25_dev.c, within the ax25_accept() function in net/ax25/af_ax25.c, within the count_vm_event() function in mm/vmscan.c, within the is_vmalloc_or_module_addr() function in mm/vmalloc.c, within the kvrealloc_noprof(), __vmalloc_array_noprof() and export_symbol() functions in mm/util.c, within the alloc_slab_obj_exts() function in mm/slub.c, within the count_swpout_vm_event() function in mm/page_io.c, within the find_suitable_fallback(), reserve_highatomic_pageblock() and unreserve_highatomic_pageblock() functions in mm/page_alloc.c, within the mempool_create_node_noprof() function in mm/mempool.c, within the __mod_objcg_mlstate() function in mm/memcontrol.c, within the memblock_set_node() function in mm/memblock.c, within the atomic_long_init(), replace_page(), ksm_do_scan(), wait_while_offlining(), ksm_attr_ro() and general_profit_show() functions in mm/ksm.c, within the kmsan_internal_set_shadow_origin() function in mm/kmsan/core.c, within the __unmap_hugepage_range() function in mm/hugetlb.c, within the __attr_ro() function in mm/huge_memory.c, within the filemap_alloc_folio_noprof() function in mm/filemap.c, within the test_rht_exit() function in lib/test_rhashtable.c, within the bpf_uprobe_multi_entry_ip() and bpf_kprobe_multi_kfuncs_init() functions in kernel/trace/bpf_trace.c, within the tick_setup_periodic() and tick_setup_device() functions in kernel/time/tick-common.c, within the perf_event_release_kernel() and put_event() functions in kernel/events/core.c, within the btf_id() function in kernel/bpf/verifier.c, within the bpf_obj_get(), bpf_link_defer_dealloc_mult_rcu_gp() and bpf_link_free() 
functions in kernel/bpf/syscall.c, within the dev_map_redirect_multi() function in kernel/bpf/devmap.c, within the io_rsrc_ref_quiesce() function in io_uring/rsrc.c, within the io_register_iowq_max_workers() function in io_uring/register.c, within the io_unregister_napi() and __io_napi_adjust_timeout() functions in io_uring/napi.c, within the io_init_req() function in io_uring/io_uring.c, within the io_wq_enqueue() function in io_uring/io-wq.c, within the xfs_log_sb() function in fs/xfs/libxfs/xfs_sb.c, within the __ksmbd_inode_close() function in fs/smb/server/vfs_cache.c, within the ksmbd_vfs_fqar_lseek() and ksmbd_vfs_remove_sd_xattrs() functions in fs/smb/server/vfs.c, within the smb2_get_name(), smb2_set_ea(), smb2_remove_smb_xattrs() and smb2_open() functions in fs/smb/server/smb2pdu.c, within the smb2_find_smb_tcon() function in fs/smb/client/smb2transport.c, within the smb2_readv_callback() and smb2_writev_callback() functions in fs/smb/client/smb2pdu.c, within the proc_pid_ksm_stat() function in fs/proc/base.c, within the nilfs_segctor_prepare_write() function in fs/nilfs2/segment.c, within the nilfs_empty_dir() function in fs/nilfs2/dir.c, within the nfs_symlink_filler() function in fs/nfs/symlink.c, within the nfs_pageio_cond_complete() function in fs/nfs/pagelist.c, within the test_fs_location_for_trunking(), _nfs4_discover_trunking() and nfs4_set_security_label() functions in fs/nfs/nfs4proc.c, within the nfs_lookup_revalidate_done(), nfs_lookup_revalidate_dentry(), nfs_do_lookup_revalidate(), __nfs_lookup_revalidate(), nfs_lookup_revalidate(), nfs_atomic_open_v23(), nfs_unlink(), nfs_unblock_rename() and nfs_rename() functions in fs/nfs/dir.c, within the ea_get() function in fs/jfs/xattr.c, within the iomap_adjust_read_range(), iomap_write_end(), iomap_write_iter(), iomap_unshare_iter() and iomap_zero_iter() functions in fs/iomap/buffered-io.c, within the find_next_fd() function in fs/file.c, within the debugfs_parse_param() function in 
fs/debugfs/inode.c, within the cachefiles_req_put(), cachefiles_ondemand_fd_llseek(), cachefiles_ondemand_fd_ioctl(), cachefiles_ondemand_copen(), cachefiles_ondemand_restore(), cachefiles_ondemand_get_fd(), cachefiles_ondemand_select_req(), cachefiles_ondemand_daemon_read(), cachefiles_ondemand_send_req() and cachefiles_ondemand_init_obj_info() functions in fs/cachefiles/ondemand.c, within the cachefiles_daemon_open() and cachefiles_flush_reqs() functions in fs/cachefiles/daemon.c, within the btrfs_log_prealloc_extents() function in fs/btrfs/tree-log.c, within the btrfs_finish_ordered_extent() function in fs/btrfs/ordered-data.c, within the btrfs_sync_file() function in fs/btrfs/file.c, within the grab_extent_buffer(), check_eb_alignment(), filemap_add_folio(), __free_page(), alloc_extent_buffer() and folio_size() functions in fs/btrfs/extent_io.c, within the btrfs_destroy_delayed_refs() function in fs/btrfs/disk-io.c, within the __bch2_fs_free() and bch2_fs_alloc() functions in fs/bcachefs/super.c, within the bch2_sb_to_text() function in fs/bcachefs/super-io.c, within the offsetof() function in fs/bcachefs/movinggc.c, within the bch2_move_data_btree() and rereplicate_pred() functions in fs/bcachefs/move.c, within the bch2_nocow_write() and rcu_read_lock() functions in fs/bcachefs/io_write.c, within the offsetof() and read_from_stale_dirty_pointer() functions in fs/bcachefs/io_read.c, within the check_subdir_count(), check_dirent_target() and check_dirent_to_subvol() functions in fs/bcachefs/fsck.c, within the __bch2_new_inode() and div_s64() functions in fs/bcachefs/fs.c, within the bch2_ioc_goingdown(), inode_inum() and bch2_ioctl_subvolume_create() functions in fs/bcachefs/fs-ioctl.c, within the bch2_bkey_pick_read_device(), bch2_extent_normalize() and bch2_extent_ptr_to_text() functions in fs/bcachefs/extents.c, within the mark_stripe_bucket(), ec_block_endio() and ec_block_io() functions in fs/bcachefs/ec.c, within the bch2_bkey_durability() function in 
fs/bcachefs/data_update.c, within the bch2_update_cached_sectors_list(), bch2_btree_node_update_key_early(), bch2_trigger_pointer(), bch2_mark_metadata_bucket() and bch2_dev_buckets_resize() functions in fs/bcachefs/buckets.c, within the found_btree_node_is_readable() function in fs/bcachefs/btree_node_scan.c, within the break_cycle() function in fs/bcachefs/btree_locking.c, within the bch2_btree_key_cache_cmp_fn(), bch2_btree_key_cache_scan(), bch2_btree_key_cache_count() and bch2_fs_btree_key_cache_init() functions in fs/bcachefs/btree_key_cache.c, within the bch2_btree_path_verify(), bch2_btree_iter_verify() and bch2_fs_btree_iter_exit() functions in fs/bcachefs/btree_iter.c, within the btree_node_read_endio(), btree_node_read_all_replicas(), bch2_btree_node_read() and atomic64_add() functions in fs/bcachefs/btree_io.c, within the bch2_alloc_write_key() and bch2_gc_alloc_start() functions in fs/bcachefs/btree_gc.c, within the bch2_btree_cache_cmp_fn() function in fs/bcachefs/btree_cache.c, within the bch2_trigger_alloc() function in fs/bcachefs/alloc_background.c, within the vfio_device_release(), export_symbol_gpl() and vfio_init_device() functions in drivers/vfio/vfio_main.c, within the vfio_pci_core_write(), vfio_pci_memory_unlock_and_restore(), vfio_pci_core_mmap(), vfio_pci_core_init_dev(), vfio_pci_core_release_dev() and vfio_pci_dev_set_hot_reset() functions in drivers/vfio/pci/vfio_pci_core.c, within the vfio_device_open_file() function in drivers/vfio/group.c, within the vfio_device_fops_cdev_open() function in drivers/vfio/device_cdev.c, within the ucsi_exec_command() function in drivers/usb/typec/ucsi/ucsi.c, within the tcpm_register_source_caps() and _tcpm_pd_hard_reset() functions in drivers/usb/typec/tcpm/tcpm.c, within the short_pack() and alauda_check_media() functions in drivers/usb/storage/alauda.c, within the xhci_invalidate_cancelled_tds(), xhci_handle_cmd_set_deq() and process_bulk_intr_td() functions in drivers/usb/host/xhci-ring.c, within 
the xhci_pci_quirks() function in drivers/usb/host/xhci-pci.c, within the __usb_hcd_giveback_urb() function in drivers/usb/core/hcd.c, within the wdm_int_callback() function in drivers/usb/class/cdc-wdm.c, within the ci_ulpi_init() function in drivers/usb/chipidea/ulpi.c, within the ci_hdrc_probe() function in drivers/usb/chipidea/core.c, within the obj-$() function in drivers/usb/makefile, within the ufshcd_clock_scaling_prepare() and ufshcd_clock_scaling_unprepare() functions in drivers/ufs/core/ufshcd.c, within the ufshcd_mcq_abort() function in drivers/ufs/core/ufs-mcq.c, within the serial_port_runtime_suspend() function in drivers/tty/serial/serial_port.c, within the uart_write() function in drivers/tty/serial/serial_core.c, within the obj-$() function in drivers/tty/serial/makefile, within the serial_pxa_probe() function in drivers/tty/serial/8250/8250_pxa.c, within the dw8250_setup_port() function in drivers/tty/serial/8250/8250_dwlib.c, within the dw_uart_quirk_skip_set_rate bit() and dw8250_prepare_rx_dma() functions in drivers/tty/serial/8250/8250_dw.c, within the __receive_buf() function in drivers/tty/n_tty.c, within the margining_port_init() function in drivers/thunderbolt/debugfs.c, within the thermal_zone_set_trip_temp() function in drivers/thermal/thermal_trip.c, within the thermal_debug_tz_trip_up() and tze_seq_show() functions in drivers/thermal/thermal_debugfs.c, within the thermal_governor_trip_crossed(), __thermal_zone_device_update(), thermal_zone_device_update() and __thermal_cooling_device_register() functions in drivers/thermal/thermal_core.c, within the thermal_zone_trip_update() function in drivers/thermal/gov_step_wise.c, within the debugfs_trace_show() and vchiq_debugfs_remove_instance() functions in drivers/staging/vc04_services/interface/vchiq_arm/vchiq_debugfs.c, within the vchiq_probe() function in drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c, within the sr_reset() function in drivers/scsi/sr_ioctl.c, within the 
sd_validate_opt_xfer_size() function in drivers/scsi/sd.c, within the sas_is_tlr_enabled() function in drivers/scsi/scsi_transport_sas.c, within the scsi_get_vpd_size() and scsi_cdl_check() functions in drivers/scsi/scsi.c, within the qedf_elsct_send(), qedf_ctx_soft_reset(), memset(), __qedf_remove() and qedf_stag_change_work() functions in drivers/scsi/qedf/qedf_main.c, within the scsih_pci_mmio_enabled() function in drivers/scsi/mpt3sas/mpt3sas_scsih.c, within the sas_ncq_prio_supported_show() and sas_ncq_prio_enable_store() functions in drivers/scsi/mpt3sas/mpt3sas_ctl.c, within the mpt3sas_base_attach() and _base_check_ioc_facts_changes() functions in drivers/scsi/mpt3sas/mpt3sas_base.c, within the mpi3mr_sas_port_add() function in drivers/scsi/mpi3mr/mpi3mr_transport.c, within the persistent_id_show() function in drivers/scsi/mpi3mr/mpi3mr_app.c, within the print_alua_state() and alua_tur() functions in drivers/scsi/device_handler/scsi_dh_alua.c, within the mi300_addr_cfg(), addr_hash_row_xor genmask(), get_addr_hash_mi300() and convert_dram_to_norm_addr_mi300() functions in drivers/ras/amd/atl/umc.c, within the df4_determine_df_rev() function in drivers/ras/amd/atl/system.c, within the ptp_set_pinfunc() function in drivers/ptp/ptp_chardev.c, within the dev_is_pnp() function in drivers/pnp/driver.c, within the property_entry_u32(), property_entry_bool() and ts_parse_props() functions in drivers/platform/x86/touchscreen_dmi.c, within the pr_fmt(), define_mutex(), find_tokens(), build_tokens_sysfs() and free_group() functions in drivers/platform/x86/dell/dell-smbios-base.c, within the hsmp_plat_dev_register() and hsmp_plt_init() functions in drivers/platform/x86/amd/hsmp.c, within the pci_device_add() function in drivers/pci/probe.c, within the pcibios_reset_secondary_bus() function in drivers/pci/pci.c, within the pci_cfg_access_lock() and pci_cfg_access_unlock() functions in drivers/pci/access.c, within the amiga_parallel_remove() function in 
drivers/parport/parport_amiga.c, within the parse_interrupts() and parse_interrupt_map() functions in drivers/of/property.c, within the kunit_test_suites() function in drivers/of/of_test.c, within the of_irq_parse_imap_parent() and of_irq_parse_raw() functions in drivers/of/irq.c, within the nvmet_passthru_execute_cmd_work() function in drivers/nvme/target/passthru.c, within the nvmet_execute_admin_connect() and nvmet_execute_io_connect() functions in drivers/nvme/target/fabrics-cmd.c, within the pr_debug() and nvmet_execute_auth_receive() functions in drivers/nvme/target/fabrics-cmd-auth.c, within the nvmet_req_init() function in drivers/nvme/target/core.c, within the nvme_sc_to_pr_err() function in drivers/nvme/host/pr.c, within the nvme_alloc_user_request(), nvme_map_user_request(), nvme_submit_user_cmd(), nvme_uring_task_cb() and nvme_uring_cmd_end_io() functions in drivers/nvme/host/ioctl.c, within the nvmf_reg_read32(), nvmf_reg_read64() and nvmf_reg_write32() functions in drivers/nvme/host/fabrics.c, within the nvme_cleanup_cmd() and nvme_remove_invalid_namespaces() functions in drivers/nvme/host/core.c, within the ipc_devlink_create_region() function in drivers/net/wwan/iosm/iosm_ipc_devlink.c, within the rtl_op_config() function in drivers/net/wireless/realtek/rtlwifi/core.c, within the wilc_wlan_handle_txq() function in drivers/net/wireless/microchip/wilc1000/wlan.c, within the wilc_wlan_set_bssid(), wilc_set_mac_addr(), wilc_mac_xmit(), wilc_frmw_to_host(), wilc_wfi_mgmt_rx(), wilc_netdev_cleanup(), wilc_get_available_idx() and wilc_netdev_ifc_init() functions in drivers/net/wireless/microchip/wilc1000/netdev.c, within the wilc_network_info_received(), wilc_gnrl_async_info_received() and wilc_scan_complete_received() functions in drivers/net/wireless/microchip/wilc1000/hif.c, within the set_channel(), set_wiphy_params(), add_virtual_intf(), del_virtual_intf(), wilc_set_wakeup(), set_tx_power(), wlan_init_locks() and wlan_deinit_locks() functions in 
drivers/net/wireless/microchip/wilc1000/cfg80211.c, within the mt7615_set_rekey_data() function in drivers/net/wireless/mediatek/mt76/mt7615/main.c, within the iwl_mvm_fw_baid_op_cmd() function in drivers/net/wireless/intel/iwlwifi/mvm/sta.c, within the iwl_mvm_scan_umac_dwell(), iwl_mvm_scan_umac_dwell_v11(), iwl_mvm_umac_scan_fill_6g_chan_list() and iwl_mvm_umac_scan_abort() functions in drivers/net/wireless/intel/iwlwifi/mvm/scan.c, within the iwl_mvm_rx_monitor_no_data() function in drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c, within the iwl_mvm_mld_cfg_sta() and iwl_mvm_mld_update_sta_baids() functions in drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c, within the iwl_mvm_mld_mac_add_interface() function in drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c, within the iwl_mvm_cleanup_iterator(), iwl_mvm_restart_cleanup() and iwl_mvm_sync_rx_queues_internal() functions in drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c, within the iwl_mvm_mac_ctxt_set_tim() function in drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c, within the iwl_mvm_mfu_assert_dump_notif() and iwl_mvm_sar_select_profile() functions in drivers/net/wireless/intel/iwlwifi/mvm/fw.c, within the _iwl_dbgfs_inject_beacon_ie() function in drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c, within the iwl_mvm_wowlan_gtk_type_iter() and iwl_mvm_setup_connection_keep() functions in drivers/net/wireless/intel/iwlwifi/mvm/d3.c, within the iwl_drv_start() function in drivers/net/wireless/intel/iwlwifi/iwl-drv.c, within the ath11k_pcic_ext_irq_config() function in drivers/net/wireless/ath/ath11k/pcic.c, within the ath11k_mac_op_assign_vif_chanctx() and ath11k_mac_op_sta_state() functions in drivers/net/wireless/ath/ath11k/mac.c, within the sizeof() function in drivers/net/wireless/ath/ath11k/core.c, within the vxlan_snoop() and vxlan_set_mac() functions in drivers/net/vxlan/vxlan_core.c, within the vmxnet3_rq_destroy_all_rxdataring() function in drivers/net/vmxnet3/vmxnet3_drv.c, within the 
virtnet_send_command_reply(), virtnet_send_rx_notf_coal_cmds() and virtnet_rx_dim_work() functions in drivers/net/virtio_net.c, within the sfp_sm_module() function in drivers/net/phy/sfp.c, within the ksz8061_config_init(), ksz9477_config_init() and kszphy_resume() functions in drivers/net/phy/micrel.c, within the nsim_get_iflink() function in drivers/net/netdevsim/netdev.c, within the geneve_xmit_skb() and geneve6_xmit_skb() functions in drivers/net/geneve.c, within the tc_setup_cbs() function in drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c, within the qcom_ethqos_probe() function in drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c, within the ionic_run_xdp() function in drivers/net/ethernet/pensando/ionic/ionic_txrx.c, within the ionic_qcq_enable() function in drivers/net/ethernet/pensando/ionic/ionic_lif.c, within the mlx5_function_teardown() function in drivers/net/ethernet/mellanox/mlx5/core/main.c, within the mlx5_vsc_gw_lock() function in drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c, within the mlx5_lag_create_port_sel_table() function in drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c, within the mlx5_health_wait_pci_up() function in drivers/net/ethernet/mellanox/mlx5/core/health.c, within the mlx5_cmd_fast_teardown_hca() function in drivers/net/ethernet/mellanox/mlx5/core/fw.c, within the mlx5e_tunnel_features_check() and mlx5e_features_check() functions in drivers/net/ethernet/mellanox/mlx5/core/en_main.c, within the mtk_init_fq_dma(), mtk_tx_alloc(), mtk_tx_clean(), mtk_rx_alloc(), mtk_dma_free(), sizeof() and mtk_dma_size() functions in drivers/net/ethernet/mediatek/mtk_eth_soc.c, within the npc_mcam_alloc_entries() function in drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c, within the igc_up() and igc_probe() functions in drivers/net/ethernet/intel/igc/igc_main.c, within the igc_ethtool_get_eee() function in drivers/net/ethernet/intel/igc/igc_ethtool.c, within the ice_xsk_pool_disable(), ice_xsk_pool_enable() and 
ice_realloc_rx_xdp_bufs() functions in drivers/net/ethernet/intel/ice/ice_xsk.c, within the ice_read_nvm_module(), ice_get_pfa_module_tlv(), ice_determine_active_flash_banks() and ice_init_nvm() functions in drivers/net/ethernet/intel/ice/ice_nvm.c, within the ice_vsi_assign_bpf_prog(), ice_prepare_xdp_rings(), ice_destroy_xdp_rings() and ice_xdp_setup_prog() functions in drivers/net/ethernet/intel/ice/ice_main.c, within the ice_vsi_alloc_arrays(), ice_vsi_free_arrays(), ice_vsi_cfg_def() and ice_vsi_decfg() functions in drivers/net/ethernet/intel/ice/ice_lib.c, within the ice_vsi_map_rings_to_vectors() function in drivers/net/ethernet/intel/ice/ice_base.c, within the hclge_push_link_status(), hclge_update_link_status(), hclge_uninit_need_wait() and hclge_uninit_client_instance() functions in drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c, within the hns3_alloc_ring_buffers() and hns3_init_all_ring() functions in drivers/net/ethernet/hisilicon/hns3/hns3_enet.c, within the gve_prep_tso() function in drivers/net/ethernet/google/gve/gve_tx_dqo.c, within the gve_rx_skb_hash() and gve_rx_poll_dqo() functions in drivers/net/ethernet/google/gve/gve_rx_dqo.c, within the lio_vf_rep_copy_packet() function in drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c, within the bnxt_hwrm_fwd_resp() and bnxt_vf_set_link() functions in drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c, within the __hwrm_send() function in drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c, within the qca8k_parse_port_leds() and qca8k_setup_led_ctrl() functions in drivers/net/dsa/qca/qca8k-leds.c, within the vsc_get_sensor_name() function in drivers/misc/mei/vsc-fw-loader.c, within the mei_vsc_remove() function in drivers/misc/mei/platform-vsc.c, within the mei_me_pci_resume() function in drivers/misc/mei/pci-me.c, within the mei_write() function in drivers/misc/mei/main.c, within the gp_aux_bus_probe(), auxiliary_device_uninit() and kfree() functions in drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c, 
within the mgb4_remove() function in drivers/media/pci/mgb4/mgb4_core.c, within the mei_csi_probe() function in drivers/media/pci/intel/ivsc/mei_csi.c, within the export_symbol_ns_gpl() and ipu6_pci_remove() functions in drivers/media/pci/intel/ipu6/ipu6.c, within the isys_notifier_bound(), isys_remove() and isys_probe() functions in drivers/media/pci/intel/ipu6/ipu6-isys.c, within the ipu6_isys_stream_start() function in drivers/media/pci/intel/ipu6/ipu6-isys-queue.c, within the led_classdev_register_ext() function in drivers/leds/led-class.c, within the define_per_cpu() and plic_probe() functions in drivers/irqchip/irq-sifive-plic.c, within the irqchip_declare() and riscv_intc_acpi_init() functions in drivers/irqchip/irq-riscv-intc.c, within the its_vlpi_map(), its_vlpi_unmap() and its_irq_set_vcpu_affinity() functions in drivers/irqchip/irq-gic-v3-its.c, within the iommu_dma_init_domain() function in drivers/iommu/dma-iommu.c, within the amd_iommu_iopf_init() and amd_iommu_page_response() functions in drivers/iommu/amd/ppr.c, within the do_attach(), detach_device() and amd_iommu_attach_device() functions in drivers/iommu/amd/iommu.c, within the free_pci_segments() and amd_iommu_reenable() functions in drivers/iommu/amd/init.c, within the silead_ts_request_input_dev(), silead_ts_read_data(), silead_ts_init() and silead_ts_read_props() functions in drivers/input/touchscreen/silead.c, within the mlx90635_probe() function in drivers/iio/temperature/mlx90635.c, within the bmp580_read_temp() function in drivers/iio/pressure/bmp280-core.c, within the iio_read_channel_processed_scale() function in drivers/iio/inkern.c, within the inv_mpu6050_probe_trigger() function in drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c, within the inv_mpu6050_read_fifo() function in drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c, within the inv_icm42600_gyro_update_scan_mode() function in drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c, within the inv_icm42600_irq_init() function in 
drivers/iio/imu/inv_icm42600/inv_icm42600_core.c, within the inv_icm42600_buffer_update_watermark(), inv_icm42600_buffer_fifo_parse() and inv_icm42600_buffer_init() functions in drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c, within the inv_icm42600_accel_update_scan_mode() function in drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c, within the bmi323_trigger_handler() function in drivers/iio/imu/bmi323/bmi323_core.c, within the ad5592r_read_raw() function in drivers/iio/dac/ad5592r-base.c, within the export_symbol_ns_gpl() function in drivers/iio/common/inv_sensors/inv_sensors_timestamp.c, within the __ad9467_get_scale() function in drivers/iio/adc/ad9467.c, within the array_size(), ad7173_append_status(), ad7173_write_raw(), bit() and ad7173_fw_parse_channel_config() functions in drivers/iio/adc/ad7173.c, within the synquacer_i2c_probe() function in drivers/i2c/busses/i2c-synquacer.c, within the i2c_dw_configure_slave() function in drivers/i2c/busses/i2c-designware-slave.c, within the at91_unreg_slave() function in drivers/i2c/busses/i2c-at91-slave.c, within the loader_write_message(), loader_xfer_cmd(), release_dma_bufs() and ishtp_loader_work() functions in drivers/hid/intel-ish-hid/ishtp/loader.c, within the elan_i2c_hid_power_up(), elan_i2c_hid_power_down() and i2c_hid_of_elan_probe() functions in drivers/hid/i2c-hid/i2c-hid-of-elan.c, within the shield_haptics_create() function in drivers/hid/hid-nvidia-shield.c, within the nintendo_hid_probe() function in drivers/hid/hid-nintendo.c, within the module_description() function in drivers/hid/hid-logitech-hidpp.c, within the logi_dj_recv_switch_to_dj_mode() function in drivers/hid/hid-logitech-dj.c, within the hid_i2c_device() and hidinput_configure_usage() functions in drivers/hid/hid-input.c, within the implement() function in drivers/hid/hid-core.c, within the asus_report_fixup() function in drivers/hid/hid-asus.c, within the emit_store_imm_ggtt(), __emit_job_gen12_simple() and __emit_job_gen12_video() 
functions in drivers/gpu/drm/xe/xe_ring_ops.c, within the xe_guc_pc_stop() function in drivers/gpu/drm/xe/xe_guc_pc.c, within the pf_reset_vf_lmtt(), pf_update_vf_lmtt(), pf_release_vf_config_lmem(), pf_provision_vf_lmem() and pf_reset_config_sched() functions in drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c, within the gt_idle_sysfs_fini() and xe_gt_idle_enable_c6() functions in drivers/gpu/drm/xe/xe_gt_idle.c, within the vmw_connector_to_stdu(), vmw_stdu_crtc_atomic_disable() and vmw_stdu_connector_destroy() functions in drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c, within the vmw_du_cursor_plane_has_changed(), vmw_kms_write_svga() and vmw_connector_mode_valid() functions in drivers/gpu/drm/vmwgfx/vmwgfx_kms.c, within the vmw_gmrid_man_get_node() function in drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c, within the vmw_setup_pci_resources() and vmw_driver_load() functions in drivers/gpu/drm/vmwgfx/vmwgfx_drv.c, within the shmob_drm_remove() and of_match_ptr() functions in drivers/gpu/drm/renesas/shmobile/shmob_drm_drv.c, within the st7789v_probe() function in drivers/gpu/drm/panel/panel-sitronix-st7789v.c, within the nouveau_display_hpd_resume(), nouveau_display_fini() and nouveau_display_create() functions in drivers/gpu/drm/nouveau/nouveau_display.c, within the bioslog() function in drivers/gpu/drm/nouveau/nouveau_bios.c, within the nv50_display_fini() function in drivers/gpu/drm/nouveau/dispnv50/disp.c, within the nv04_display_fini() function in drivers/gpu/drm/nouveau/dispnv04/disp.c, within the mtk_drm_remove() function in drivers/gpu/drm/mediatek/mtk_drm_drv.c, within the hdmi_get_modes() function in drivers/gpu/drm/exynos/exynos_hdmi.c, within the vidi_get_modes() function in drivers/gpu/drm/exynos/exynos_drm_vidi.c, within the pm_ptr() function in drivers/gpu/drm/exynos/exynos_dp.c, within the dmi_match() function in drivers/gpu/drm/drm_panel_orientation_quirks.c, within the export_symbol() function in drivers/gpu/drm/bridge/panel.c, within the 
komeda_component_get_avail_scaler() function in drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c, within the komeda_register_show(), komeda_debugfs_init(), komeda_dev_create() and komeda_dev_destroy() functions in drivers/gpu/drm/arm/display/komeda/komeda_dev.c, within the smu_v13_0_4_system_features_control() function in drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_4_ppt.c, within the amdgpu_bo_create() function in drivers/gpu/drm/amd/amdgpu/amdgpu_object.c, within the amdgpu_gem_object_create() function in drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c, within the tqmx86_gpii_falling bit(), tqmx86_gpio_set(), tqmx86_gpio_get_direction(), tqmx86_gpio_irq_unmask(), tqmx86_gpio_irq_set_type(), tqmx86_gpio_irq_handler() and tqmx86_gpio_probe() functions in drivers/gpio/gpio-tqmx86.c, within the module_amba_driver() function in drivers/gpio/gpio-pl061.c, within the pcf857x_exit() function in drivers/gpio/gpio-pcf857x.c, within the mc33880_exit() function in drivers/gpio/gpio-mc33880.c, within the module_i2c_driver() function in drivers/gpio/gpio-gw-pld.c, within the __alias(), virt_efi_set_variable(), virt_efi_query_variable_info() and virt_efi_get_next_high_mono_count() functions in drivers/firmware/efi/runtime-wrappers.c, within the exit_boot_func() function in drivers/firmware/efi/libstub/loongarch.c, within the efi_pstore_read_func(), efi_pstore_read(), efi_pstore_write() and efi_pstore_erase() functions in drivers/firmware/efi/efi-pstore.c, within the transmit_complete_callback(), __fw_send_request(), declare_completion(), fw_send_phy_config(), free_response_callback(), fw_send_response(), fw_core_handle_request() and fw_core_handle_response() functions in drivers/firewire/core-transaction.c, within the fw_core_handle_bus_reset() function in drivers/firewire/core-topology.c, within the outbound_phy_packet_callback() and ioctl_send_phy_packet() functions in drivers/firewire/core-cdev.c, within the reset_bus() and br_work() functions in 
drivers/firewire/core-card.c, within the errcmd_enable_error_reporting() function in drivers/edac/igen6_edac.c, within the __amd64_read_pci_cfg_dword(), __amd64_write_pci_cfg_dword() and gpu_get_node_map() functions in drivers/edac/amd64_edac.c, within the devm_cxl_add_region() and __create_region() functions in drivers/cxl/core/region.c, within the intel_pstate_update_policies(), store_no_turbo(), atom_get_val() and core_get_val() functions in drivers/cpufreq/intel_pstate.c, within the amd_pstate_set_boost() function in drivers/cpufreq/amd-pstate.c, within the __prci_register_clocks() function in drivers/clk/sifive/sifive-prci.c, within the pr_err() function in drivers/clk/clkdev.c, within the tpm_tis_remove() function in drivers/char/tpm/tpm_tis_core.c, within the null_validate_conf() function in drivers/block/null_blk/main.c, within the was_interrupted(), nbd_send_cmd(), set_bit(), trace_nbd_payload_sent() and nbd_handle_cmd() functions in drivers/block/nbd.c, within the lo_read_simple() and lo_fallocate() functions in drivers/block/loop.c, within the uevent_show(), devm_attr_group_remove() and devm_device_add_group() functions in drivers/base/core.c, within the pata_macio_qc_prep() function in drivers/ata/pata_macio.c, within the ata_scsiop_inq_std() function in drivers/ata/libata-scsi.c, within the acpi_device_override_status() function in drivers/acpi/x86/utils.c, within the acpi_thermal_get_polling_frequency() function in drivers/acpi/thermal.c, within the acpi_sbs_callback() function in drivers/acpi/sbs.c, within the acpi_ec_space_handler() and ec_install_handlers() functions in drivers/acpi/ec.c, within the einj_exit() function in drivers/acpi/apei/einj-core.c, within the acpi_execute_reg_methods() function in drivers/acpi/acpica/evxfregn.c, within the acpi_ev_reg_run() function in drivers/acpi/acpica/evregion.c, within the acpi_ac_notify() and acpi_ac_resume() functions in drivers/acpi/ac.c, within the read_sed_opal_key() function in block/sed-opal.c, 
within the disk_destroy_zone_wplugs_hash_table() function in block/blk-zoned.c, within the blk_flush_complete_seq() and flush_end_io() functions in block/blk-flush.c, within the bio_integrity_free() function in block/bio-integrity.c, within the numa_clear_kernel_node_hotplug() and numa_init() functions in arch/x86/mm/numa.c, within the array_index_mask_nospec() and sym_code_end() functions in arch/x86/lib/getuser.s, within the module_param() and kvm_arch_vcpu_create() functions in arch/x86/kvm/x86.c, within the handle_exception_nmi() function in arch/x86/kvm/vmx/vmx.c, within the prepare_vmcs02_constant_state() and nested_vmx_l0_wants_exit() functions in arch/x86/kvm/vmx/nested.c, within the module_param(), svm_copy_lbrs(), svm_enable_lbrv(), svm_disable_lbrv(), svm_get_msr_feature(), svm_set_msr(), svm_enable_nmi_window() and svm_hardware_setup() functions in arch/x86/kvm/svm/svm.c, within the __sev_launch_update_vmsa(), sev_hardware_setup() and sev_es_init_vmcb() functions in arch/x86/kvm/svm/sev.c, within the tdp_mmu_zap_spte_atomic() function in arch/x86/kvm/mmu/tdp_mmu.c, within the is_cpuid_pse36(), get_walk(), kvm_faultin_pfn() and export_symbol_gpl() functions in arch/x86/kvm/mmu/mmu.c, within the __kvm_wait_lapic_expire(), apic_timer_fn() and kvm_create_lapic() functions in arch/x86/kvm/lapic.c, within the machine_kexec_cleanup() and machine_kexec() functions in arch/x86/kernel/machine_kexec_64.c, within the amd_smn_read() function in arch/x86/kernel/amd_nb.c, within the vmlinux-objs-$() function in arch/x86/boot/compressed/makefile, within the nt_final(), ehdr_init(), get_mem_chunk_cnt(), loads_init(), notes_init(), get_elfcorehdr_size() and elfcorehdr_alloc() functions in arch/s390/kernel/crash_dump.c, within the align() function in arch/s390/boot/vmlinux.lds.s, within the _pa() function in arch/s390/boot/vmem.c, within the fixup_vmlinux_info() and startup_kernel() functions in arch/s390/boot/startup.c, within the setup_bootmem() function in 
arch/riscv/mm/init.c, within the handle_page_fault() function in arch/riscv/mm/fault.c, within the kvm_riscv_vcpu_set_reg_isa_ext() function in arch/riscv/kvm/vcpu_onereg.c, within the aia_imsic_ppn() function in arch/riscv/kvm/aia_device.c, within the ptr_page_align_down(), __flush_cache_page(), flush_icache_pages(), pte_needs_flush(), flush_dcache_folio(), purge_kernel_dcache_page_asm(), copy_user_highpage(), __flush_tlb_range(), flush_cache_range(), flush_anon_page() and invalidate_kernel_vmap_range() functions in arch/parisc/kernel/cache.c, within the absolute() function in arch/loongarch/kernel/vmlinux.lds.s, within the fdt_smp_setup() and smp_prepare_boot_cpu() functions in arch/loongarch/kernel/smp.c, within the fdt_setup() and platform_init() functions in arch/loongarch/kernel/setup.c, within the contpte_clear_young_dirty_ptes() function in arch/arm64/mm/contpte.c, within the kvm_arm_init_sve() function in arch/arm64/kvm/reset.c, within the limit_nv_id_reg() function in arch/arm64/kvm/nested.c, within the __activate_traps() and kvm_hyp_handle_eret() functions in arch/arm64/kvm/hyp/vhe/switch.c, within the __activate_traps() and kvm_handle_pvm_sys64() functions in arch/arm64/kvm/hyp/nvhe/switch.c, within the divide_memory_pool(), recreate_hyp_mappings() and __pkvm_init_finalise() functions in arch/arm64/kvm/hyp/nvhe/setup.c, within the kvm_get_vttbr(), pvm_init_traps_aa64pfr0() and pkvm_hyp_vm_table_init() functions in arch/arm64/kvm/hyp/nvhe/pkvm.c, within the define_per_cpu(), sync_hyp_vcpu(), handle___kvm_vcpu_run() and handle_trap() functions in arch/arm64/kvm/hyp/nvhe/hyp-main.c, within the sym_func_start() function in arch/arm64/kvm/hyp/fpsimd.s, within the kvm_condition_valid32() function in arch/arm64/kvm/hyp/aarch32.c, within the set_core_reg() function in arch/arm64/kvm/guest.c, within the kvm_arch_vcpu_load_fp() and kvm_arch_vcpu_put_fp() functions in arch/arm64/kvm/fpsimd.c, within the kvm_emulate_nested_eret() function in 
arch/arm64/kvm/emulate-nested.c, within the nvhe_percpu_order(), teardown_subsystems(), kvm_hyp_init_protection(), init_hyp_mode() and kvm_arm_init() functions in arch/arm64/kvm/arm.c, within the run_all_insn_set_hw_mode() function in arch/arm64/kernel/armv8_deprecated.c, within the prepare_ftrace_return() function in arch/arm/kernel/ftrace.c, within the select_speed() function in documentation/cdrom/cdrom-standard.rst. A local user can execute arbitrary code.


Remediation

Install the update from the vendor's website.