Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params<br /> <br /> Each cpu DAI should associate with a widget. However, the topology might<br /> not create the right number of DAI widgets for aggregated amps. And it<br /> will cause NULL pointer deference.<br /> Check that the DAI widget associated with the CPU DAI is valid to prevent<br /> NULL pointer deference due to missing DAI widgets in topologies with<br /> aggregated amps.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath12k: Fix for out-of bound access error<br /> <br /> Selfgen stats are placed in a buffer using print_array_to_buf_index() function.<br /> Array length parameter passed to the function is too big, resulting in possible<br /> out-of bound memory error.<br /> Decreasing buffer size by one fixes faulty upper bound of passed array.<br /> <br /> Discovered in coverity scan, CID 1600742 and CID 1600758

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvkm: correctly calculate the available space of the GSP cmdq buffer<br /> <br /> r535_gsp_cmdq_push() waits for the available page in the GSP cmdq<br /> buffer when handling a large RPC request. When it sees at least one<br /> available page in the cmdq, it quits the waiting with the amount of<br /> free buffer pages in the queue.<br /> <br /> Unfortunately, it always takes the [write pointer, buf_size) as<br /> available buffer pages before rolling back and wrongly calculates the<br /> size of the data should be copied. Thus, it can overwrite the RPC<br /> request that GSP is currently reading, which causes GSP hang due<br /> to corrupted RPC request:<br /> <br /> [ 549.209389] ------------[ cut here ]------------<br /> [ 549.214010] WARNING: CPU: 8 PID: 6314 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c:116 r535_gsp_msgq_wait+0xd0/0x190 [nvkm]<br /> [ 549.225678] Modules linked in: nvkm(E+) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) mlx5_ib(E) amd64_edac(E) edac_mce_amd(E) kvm_amd(E) ib_uverbs(E) kvm(E) ib_core(E) acpi_ipmi(E) ipmi_si(E) mxm_wmi(E) ipmi_devintf(E) rapl(E) i2c_piix4(E) wmi_bmof(E) joydev(E) ptdma(E) acpi_cpufreq(E) k10temp(E) pcspkr(E) ipmi_msghandler(E) xfs(E) libcrc32c(E) ast(E) i2c_algo_bit(E) crct10dif_pclmul(E) drm_shmem_helper(E) nvme_tcp(E) crc32_pclmul(E) ahci(E) drm_kms_helper(E) libahci(E) nvme_fabrics(E) crc32c_intel(E) nvme(E) cdc_ether(E) mlx5_core(E) nvme_core(E) usbnet(E) drm(E) libata(E) ccp(E) ghash_clmulni_intel(E) mii(E) t10_pi(E) mlxfw(E) sp5100_tco(E) psample(E) pci_hyperv_intf(E) wmi(E) dm_multipath(E) sunrpc(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E) be2iscsi(E) bnx2i(E) cnic(E) uio(E) cxgb4i(E) cxgb4(E) tls(E) libcxgbi(E) libcxgb(E) qla4xxx(E)<br /> [ 549.225752] iscsi_boot_sysfs(E) iscsi_tcp(E) libiscsi_tcp(E) libiscsi(E) scsi_transport_iscsi(E) fuse(E) [last unloaded: gsp_log(E)]<br /> [ 549.326293] CPU: 8 PID: 6314 Comm: insmod Tainted: G E 6.9.0-rc6+ #1<br /> [ 549.334039] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022<br /> [ 549.341781] RIP: 0010:r535_gsp_msgq_wait+0xd0/0x190 [nvkm]<br /> [ 549.347343] Code: 08 00 00 89 da c1 e2 0c 48 8d ac 11 00 10 00 00 48 8b 0c 24 48 85 c9 74 1f c1 e0 0c 4c 8d 6d 30 83 e8 30 89 01 e9 68 ff ff ff 0b 49 c7 c5 92 ff ff ff e9 5a ff ff ff ba ff ff ff ff be c0 0c<br /> [ 549.366090] RSP: 0018:ffffacbccaaeb7d0 EFLAGS: 00010246<br /> [ 549.371315] RAX: 0000000000000000 RBX: 0000000000000012 RCX: 0000000000923e28<br /> [ 549.378451] RDX: 0000000000000000 RSI: 0000000055555554 RDI: ffffacbccaaeb730<br /> [ 549.385590] RBP: 0000000000000001 R08: ffff8bd14d235f70 R09: ffff8bd14d235f70<br /> [ 549.392721] R10: 0000000000000002 R11: ffff8bd14d233864 R12: 0000000000000020<br /> [ 549.399854] R13: ffffacbccaaeb818 R14: 0000000000000020 R15: ffff8bb298c67000<br /> [ 549.406988] FS: 00007f5179244740(0000) GS:ffff8bd14d200000(0000) knlGS:0000000000000000<br /> [ 549.415076] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 549.420829] CR2: 00007fa844000010 CR3: 00000001567dc005 CR4: 0000000000770ef0<br /> [ 549.427963] PKRU: 55555554<br /> [ 549.430672] Call Trace:<br /> [ 549.433126] <br /> [ 549.435233] ? __warn+0x7f/0x130<br /> [ 549.438473] ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm]<br /> [ 549.443426] ? report_bug+0x18a/0x1a0<br /> [ 549.447098] ? handle_bug+0x3c/0x70<br /> [ 549.450589] ? exc_invalid_op+0x14/0x70<br /> [ 549.454430] ? asm_exc_invalid_op+0x16/0x20<br /> [ 549.458619] ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm]<br /> [ 549.463565] r535_gsp_msg_recv+0x46/0x230 [nvkm]<br /> [ 549.468257] r535_gsp_rpc_push+0x106/0x160 [nvkm]<br /> [ 549.473033] r535_gsp_rpc_rm_ctrl_push+0x40/0x130 [nvkm]<br /> [ 549.478422] nvidia_grid_init_vgpu_types+0xbc/0xe0 [nvkm]<br /> [ 549.483899] nvidia_grid_init+0xb1/0xd0 [nvkm]<br /> [ 549.488420] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 549.493213] nvkm_device_pci_probe+0x305/0x420 [nvkm]<br /> [ 549.498338] local_pci_probe+0x46/<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> platform/x86: int3472: Check for adev == NULL<br /> <br /> Not all devices have an ACPI companion fwnode, so adev might be NULL. This<br /> can e.g. (theoretically) happen when a user manually binds one of<br /> the int3472 drivers to another i2c/platform device through sysfs.<br /> <br /> Add a check for adev not being set and return -ENODEV in that case to<br /> avoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync<br /> <br /> This fixes the following crash:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543<br /> Read of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961<br /> <br /> CPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> Workqueue: hci0 hci_cmd_sync_work<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0x169/0x550 mm/kasan/report.c:489<br /> kasan_report+0x143/0x180 mm/kasan/report.c:602<br /> mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543<br /> hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332<br /> process_one_work kernel/workqueue.c:3229 [inline]<br /> process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310<br /> worker_thread+0x870/0xd30 kernel/workqueue.c:3391<br /> kthread+0x2f0/0x390 kernel/kthread.c:389<br /> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br /> <br /> <br /> Allocated by task 16026:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br /> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br /> __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394<br /> kasan_kmalloc include/linux/kasan.h:260 [inline]<br /> __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314<br /> kmalloc_noprof include/linux/slab.h:901 [inline]<br /> kzalloc_noprof include/linux/slab.h:1037 [inline]<br /> mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269<br /> mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296<br /> remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568<br /> hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712<br /> hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832<br /> sock_sendmsg_nosec net/socket.c:711 [inline]<br /> __sock_sendmsg+0x221/0x270 net/socket.c:726<br /> sock_write_iter+0x2d7/0x3f0 net/socket.c:1147<br /> new_sync_write fs/read_write.c:586 [inline]<br /> vfs_write+0xaeb/0xd30 fs/read_write.c:679<br /> ksys_write+0x18f/0x2b0 fs/read_write.c:731<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Freed by task 16022:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br /> kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582<br /> poison_slab_object mm/kasan/common.c:247 [inline]<br /> __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264<br /> kasan_slab_free include/linux/kasan.h:233 [inline]<br /> slab_free_hook mm/slub.c:2338 [inline]<br /> slab_free mm/slub.c:4598 [inline]<br /> kfree+0x196/0x420 mm/slub.c:4746<br /> mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259<br /> __mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550<br /> hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208<br /> hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]<br /> hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508<br /> sock_do_ioctl+0x158/0x460 net/socket.c:1209<br /> sock_ioctl+0x626/0x8e0 net/socket.c:1328<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:906 [inline]<br /> __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy()<br /> <br /> In &amp;#39;wlc_phy_iqcal_gainparams_nphy()&amp;#39;, add gain range check to WARN()<br /> instead of possible out-of-bounds &amp;#39;tbl_iqcal_gainparams_nphy&amp;#39; access.<br /> Compile tested only.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> safesetid: check size of policy writes<br /> <br /> syzbot attempts to write a buffer with a large size to a sysfs entry<br /> with writes handled by handle_policy_update(), triggering a warning<br /> in kmalloc.<br /> <br /> Check the size specified for write buffers before allocating.<br /> <br /> [PM: subject tweak]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX<br /> <br /> Shifting 1

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: multitouch: Add NULL check in mt_input_configured<br /> <br /> devm_kasprintf() can return a NULL pointer on failure,but this<br /> returned value in mt_input_configured() is not checked.<br /> Add NULL check in mt_input_configured(), to handle kernel NULL<br /> pointer dereference error.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: i2c: ds90ub9x3: Fix extra fwnode_handle_put()<br /> <br /> The ub913 and ub953 drivers call fwnode_handle_put(priv-&gt;sd.fwnode) as<br /> part of their remove process, and if the driver is removed multiple<br /> times, eventually leads to put "overflow", possibly causing memory<br /> corruption or crash.<br /> <br /> The fwnode_handle_put() is a leftover from commit 905f88ccebb1 ("media:<br /> i2c: ds90ub9x3: Fix sub-device matching"), which changed the code<br /> related to the sd.fwnode, but missed removing these fwnode_handle_put()<br /> calls.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: intel/ipu6: remove cpu latency qos request on error<br /> <br /> Fix cpu latency qos list corruption like below. It happens when<br /> we do not remove cpu latency request on error path and free<br /> corresponding memory.<br /> <br /> [ 30.634378] l7 kernel: list_add corruption. prev-&gt;next should be next (ffffffff9645e960), but was 0000000100100001. (prev=ffff8e9e877e20a8).<br /> [ 30.634388] l7 kernel: WARNING: CPU: 2 PID: 2008 at lib/list_debug.c:32 __list_add_valid_or_report+0x83/0xa0<br /> <br /> [ 30.634640] l7 kernel: Call Trace:<br /> [ 30.634650] l7 kernel: <br /> [ 30.634659] l7 kernel: ? __list_add_valid_or_report+0x83/0xa0<br /> [ 30.634669] l7 kernel: ? __warn.cold+0x93/0xf6<br /> [ 30.634678] l7 kernel: ? __list_add_valid_or_report+0x83/0xa0<br /> [ 30.634690] l7 kernel: ? report_bug+0xff/0x140<br /> [ 30.634702] l7 kernel: ? handle_bug+0x58/0x90<br /> [ 30.634712] l7 kernel: ? exc_invalid_op+0x17/0x70<br /> [ 30.634723] l7 kernel: ? asm_exc_invalid_op+0x1a/0x20<br /> [ 30.634733] l7 kernel: ? __list_add_valid_or_report+0x83/0xa0<br /> [ 30.634742] l7 kernel: plist_add+0xdd/0x140<br /> [ 30.634754] l7 kernel: pm_qos_update_target+0xa0/0x1f0<br /> [ 30.634764] l7 kernel: cpu_latency_qos_update_request+0x61/0xc0<br /> [ 30.634773] l7 kernel: intel_dp_aux_xfer+0x4c7/0x6e0 [i915 1f824655ed04687c2b0d23dbce759fa785f6d033]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar()<br /> <br /> In commit 4284c88fff0e ("PCI: designware-ep: Allow pci_epc_set_bar() update<br /> inbound map address") set_bar() was modified to support dynamically<br /> changing the backing physical address of a BAR that was already configured.<br /> <br /> This means that set_bar() can be called twice, without ever calling<br /> clear_bar() (as calling clear_bar() would clear the BAR&amp;#39;s PCI address<br /> assigned by the host).<br /> <br /> This can only be done if the new BAR size/flags does not differ from the<br /> existing BAR configuration. Add these missing checks.<br /> <br /> If we allow set_bar() to set e.g. a new BAR size that differs from the<br /> existing BAR size, the new address translation range will be smaller than<br /> the BAR size already determined by the host, which would mean that a read<br /> past the new BAR size would pass the iATU untranslated, which could allow<br /> the host to read memory not belonging to the new struct pci_epf_bar.<br /> <br /> While at it, add comments which clarifies the support for dynamically<br /> changing the physical address of a BAR. (Which was also missing.)