Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: cancle set bad inode after removing name fails<br /> <br /> The reproducer uses a file0 on a ntfs3 file system with a corrupted i_link.<br /> When renaming, the file0&amp;#39;s inode is marked as a bad inode because the file<br /> name cannot be deleted.<br /> <br /> The underlying bug is that make_bad_inode() is called on a live inode.<br /> In some cases it&amp;#39;s "icache lookup finds a normal inode, d_splice_alias()<br /> is called to attach it to dentry, while another thread decides to call<br /> make_bad_inode() on it - that would evict it from icache, but we&amp;#39;d already<br /> found it there earlier".<br /> In some it&amp;#39;s outright "we have an inode attached to dentry - that&amp;#39;s how we<br /> got it in the first place; let&amp;#39;s call make_bad_inode() on it just for shits<br /> and giggles".

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls<br /> <br /> When sending plaintext data, we initially calculated the corresponding<br /> ciphertext length. However, if we later reduced the plaintext data length<br /> via socket policy, we failed to recalculate the ciphertext length.<br /> <br /> This results in transmitting buffers containing uninitialized data during<br /> ciphertext transmission.<br /> <br /> This causes uninitialized bytes to be appended after a complete<br /> "Application Data" packet, leading to errors on the receiving end when<br /> parsing TLS record.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PM / devfreq: Check governor before using governor-&gt;name<br /> <br /> Commit 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from<br /> struct devfreq") removes governor_name and uses governor-&gt;name to replace<br /> it. But devfreq-&gt;governor may be NULL and directly using<br /> devfreq-&gt;governor-&gt;name may cause null pointer exception. Move the check of<br /> governor to before using governor-&gt;name.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw()<br /> <br /> The get_pd_power_uw() function can crash with a NULL pointer dereference<br /> when em_cpu_get() returns NULL. This occurs when a CPU becomes impossible<br /> during runtime, causing get_cpu_device() to return NULL, which propagates<br /> through em_cpu_get() and leads to a crash when em_span_cpus() dereferences<br /> the NULL pointer.<br /> <br /> Add a NULL check after em_cpu_get() and return 0 if unavailable,<br /> matching the existing fallback behavior in __dtpm_cpu_setup().<br /> <br /> [ rjw: Drop an excess empty code line ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()<br /> <br /> In the error paths after fb_info structure is successfully allocated,<br /> the memory allocated in fb_deferred_io_init() for info-&gt;pagerefs is not<br /> freed. Fix that by adding the cleanup function on the error path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: handle jset (if a &amp; b ...) as a jump in CFG computation<br /> <br /> BPF_JSET is a conditional jump and currently verifier.c:can_jump()<br /> does not know about that. This can lead to incorrect live registers<br /> and SCC computation.<br /> <br /> E.g. in the following example:<br /> <br /> 1: r0 = 1;<br /> 2: r2 = 2;<br /> 3: if r1 &amp; 0x7 goto +1;<br /> 4: exit;<br /> 5: r0 = r2;<br /> 6: exit;<br /> <br /> W/o this fix insn_successors(3) will return only (4), a jump to (5)<br /> would be missed and r2 won&amp;#39;t be marked as alive at (3).

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: gpib: fix unset padding field copy back to userspace<br /> <br /> The introduction of a padding field in the gpib_board_info_ioctl is<br /> showing up as initialized data on the stack frame being copyied back<br /> to userspace in function board_info_ioctl. The simplest fix is to<br /> initialize the entire struct to zero to ensure all unassigned padding<br /> fields are zero&amp;#39;d before being copied back to userspace.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath11k: clear initialized flag for deinit-ed srng lists<br /> <br /> In a number of cases we see kernel panics on resume due<br /> to ath11k kernel page fault, which happens under the<br /> following circumstances:<br /> <br /> 1) First ath11k_hal_dump_srng_stats() call<br /> <br /> Last interrupt received for each group:<br /> ath11k_pci 0000:01:00.0: group_id 0 22511ms before<br /> ath11k_pci 0000:01:00.0: group_id 1 14440788ms before<br /> [..]<br /> ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..<br /> ath11k_pci 0000:01:00.0: Service connect timeout<br /> ath11k_pci 0000:01:00.0: failed to connect to HTT: -110<br /> ath11k_pci 0000:01:00.0: failed to start core: -110<br /> ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM<br /> ath11k_pci 0000:01:00.0: already resetting count 2<br /> ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110<br /> ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110<br /> ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery<br /> [..]<br /> <br /> 2) At this point reconfiguration fails (we have 2 resets) and<br /> ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()<br /> which destroys srng lists. However, it does not reset per-list<br /> -&gt;initialized flag.<br /> <br /> 3) Second ath11k_hal_dump_srng_stats() call sees stale -&gt;initialized<br /> flag and attempts to dump srng stats:<br /> <br /> Last interrupt received for each group:<br /> ath11k_pci 0000:01:00.0: group_id 0 66785ms before<br /> ath11k_pci 0000:01:00.0: group_id 1 14485062ms before<br /> ath11k_pci 0000:01:00.0: group_id 2 14485062ms before<br /> ath11k_pci 0000:01:00.0: group_id 3 14485062ms before<br /> ath11k_pci 0000:01:00.0: group_id 4 14780845ms before<br /> ath11k_pci 0000:01:00.0: group_id 5 14780845ms before<br /> ath11k_pci 0000:01:00.0: group_id 6 14485062ms before<br /> ath11k_pci 0000:01:00.0: group_id 7 66814ms before<br /> ath11k_pci 0000:01:00.0: group_id 8 68997ms before<br /> ath11k_pci 0000:01:00.0: group_id 9 67588ms before<br /> ath11k_pci 0000:01:00.0: group_id 10 69511ms before<br /> BUG: unable to handle page fault for address: ffffa007404eb010<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0<br /> Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]<br /> Call Trace:<br /> <br /> ? __die_body+0xae/0xb0<br /> ? page_fault_oops+0x381/0x3e0<br /> ? exc_page_fault+0x69/0xa0<br /> ? asm_exc_page_fault+0x22/0x30<br /> ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]<br /> ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]<br /> worker_thread+0x389/0x930<br /> kthread+0x149/0x170<br /> <br /> Clear per-list -&gt;initialized flag in ath11k_hal_srng_deinit().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iwlwifi: Add missing check for alloc_ordered_workqueue<br /> <br /> Add check for the return value of alloc_ordered_workqueue since it may<br /> return NULL pointer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtl818x: Kill URBs before clearing tx status queue<br /> <br /> In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing<br /> b_tx_status.queue. This change prevents callbacks from using already freed<br /> skb due to anchor was not killed before freeing such skb.<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000080<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: Oops: 0000 [#1] SMP NOPTI<br /> CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015<br /> RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]<br /> Call Trace:<br /> <br /> rtl8187_tx_cb+0x116/0x150 [rtl8187]<br /> __usb_hcd_giveback_urb+0x9d/0x120<br /> usb_giveback_urb_bh+0xbb/0x140<br /> process_one_work+0x19b/0x3c0<br /> bh_worker+0x1a7/0x210<br /> tasklet_action+0x10/0x30<br /> handle_softirqs+0xf0/0x340<br /> __irq_exit_rcu+0xcd/0xf0<br /> common_interrupt+0x85/0xa0<br /> <br /> <br /> Tested on RTL8187BvE device.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.