Vaishnavi Bhat

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been identified, specifically in the powerpc/pseries/iommu component. The issue arises when a user attempts to use the same vfio container used by a different iommu group on pSeries, resulting in a crash due to a kernel NULL pointer dereference on read. The `spapr tce set window()` function returns -EPERM, leading to a subsequent cleanup that causes the crash. The vulnerability can be exploited, as indicated by the kernel's attempt to read a user page. Technical details include the `spapr tce unset window()` function and the `tce iommu attach group()` function, which are involved in the crash. **Recommendations** To resolve this issue, apply the fix that includes a null check for the `tbl` passed to the `spapr tce unset window()` function. This fix prevents the kernel NULL pointer dereference on read, thereby avoiding the crash. As a temporary workaround, consider restricting access to the `vfio iommu spapr tce` module to minimize the risk of exploitation until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The vulnerability is related to a deadlock in the MCS queue of the powerpc/qspinlock component. If an interrupt occurs after incrementing `qnodesp->count` and before initializing `node->lock`, another CPU might see stale lock values, leading to a deadlock. This can cause the CPU to spin indefinitely until its "next" pointer is set by its successor in the queue. The issue can be reproduced by running stress-ng on a 16-core shared LPAR, resulting in occasional lockups. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A race condition exists between the reset and transmit paths in the Linux kernel's ibmvnic driver. This can lead to a crash when the `ibmvnic xmit()` function accesses a `tx scrq` after it has been freed during a reset. The issue arises because the `ibmvnic xmit()` function is not safe to call during a reset, and the reset path attempts to stop the queue to prevent this. However, an in-flight `ibmvnic complete tx()` call can restart the queue, allowing `ibmvnic xmit()` to access the freed `tx scrq`. To resolve this, a new flag `tx queues active` is introduced to indicate whether the queues are active, and only the open/reset paths control this flag. The `ibmvnic complete tx()` function checks this flag before restarting the queue. **Recommendations** To resolve the issue, apply the patch that introduces the `tx queues active` flag and modifies the `ibmvnic cleanup()` and ` ibmvnic open()` functions to control this flag. Additionally, modify the `ibmvnic complete tx()` function to check the `tx queues active` flag before restarting the queue. Ensure that the lock used to protect the `tx queues active` flag is taken in the interrupt path to maintain consistency.