Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: core: Fix device management cmd timeout flow<br /> <br /> In the UFS error handling flow, the host will send a device management cmd<br /> (NOP OUT) to the device for link recovery. If this cmd times out and<br /> clearing the doorbell fails, ufshcd_wait_for_dev_cmd() will do nothing and<br /> return. hba-&gt;dev_cmd.complete struct is not set to NULL.<br /> <br /> When this happens, if cmd has been completed by device, then we will call<br /> complete() in __ufshcd_transfer_req_compl(). Because the complete struct is<br /> allocated on the stack, the following crash will occur:<br /> <br /> ipanic_die+0x24/0x38 [mrdump]<br /> die+0x344/0x748<br /> arm64_notify_die+0x44/0x104<br /> do_debug_exception+0x104/0x1e0<br /> el1_dbg+0x38/0x54<br /> el1_sync_handler+0x40/0x88<br /> el1_sync+0x8c/0x140<br /> queued_spin_lock_slowpath+0x2e4/0x3c0<br /> __ufshcd_transfer_req_compl+0x3b0/0x1164<br /> ufshcd_trc_handler+0x15c/0x308<br /> ufshcd_host_reset_and_restore+0x54/0x260<br /> ufshcd_reset_and_restore+0x28c/0x57c<br /> ufshcd_err_handler+0xeb8/0x1b6c<br /> process_one_work+0x288/0x964<br /> worker_thread+0x4bc/0xc7c<br /> kthread+0x15c/0x264<br /> ret_from_fork+0x10/0x30

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/mediatek: Clean dangling pointer on bind error path<br /> <br /> mtk_drm_bind() can fail, in which case drm_dev_put() is called,<br /> destroying the drm_device object. However a pointer to it was still<br /> being held in the private object, and that pointer would be passed along<br /> to DRM in mtk_drm_sys_prepare() if a suspend were triggered at that<br /> point, resulting in a panic. Clean the pointer when destroying the<br /> object in the error path to prevent this from happening.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: hci_conn: fail SCO/ISO via hci_conn_failed if ACL gone early<br /> <br /> Not calling hci_(dis)connect_cfm before deleting conn referred to by a<br /> socket generally results to use-after-free.<br /> <br /> When cleaning up SCO connections when the parent ACL is deleted too<br /> early, use hci_conn_failed to do the connection cleanup properly.<br /> <br /> We also need to clean up ISO connections in a similar situation when<br /> connecting has started but LE Create CIS is not yet sent, so do it too<br /> here.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing: Free error logs of tracing instances<br /> <br /> When a tracing instance is removed, the error messages that hold errors<br /> that occurred in the instance needs to be freed. The following reports a<br /> memory leak:<br /> <br /> # cd /sys/kernel/tracing<br /> # mkdir instances/foo<br /> # echo &amp;#39;hist:keys=x&amp;#39; &gt; instances/foo/events/sched/sched_switch/trigger<br /> # cat instances/foo/error_log<br /> [ 117.404795] hist:sched:sched_switch: error: Couldn&amp;#39;t find field<br /> Command: hist:keys=x<br /> ^<br /> # rmdir instances/foo<br /> <br /> Then check for memory leaks:<br /> <br /> # echo scan &gt; /sys/kernel/debug/kmemleak<br /> # cat /sys/kernel/debug/kmemleak<br /> unreferenced object 0xffff88810d8ec700 (size 192):<br /> comm "bash", pid 869, jiffies 4294950577 (age 215.752s)<br /> hex dump (first 32 bytes):<br /> 60 dd 68 61 81 88 ff ff 60 dd 68 61 81 88 ff ff `.ha....`.ha....<br /> a0 30 8c 83 ff ff ff ff 26 00 0a 00 00 00 00 00 .0......&amp;.......<br /> backtrace:<br /> [] kmalloc_trace+0x2a/0xa0<br /> [] tracing_log_err+0x277/0x2e0<br /> [] parse_atom+0x966/0xb40<br /> [] parse_expr+0x5f3/0xdb0<br /> [] event_hist_trigger_parse+0x27f8/0x3560<br /> [] trigger_process_regex+0x135/0x1a0<br /> [] event_trigger_write+0x87/0xf0<br /> [] vfs_write+0x162/0x670<br /> [] ksys_write+0xca/0x170<br /> [] do_syscall_64+0x3e/0xc0<br /> [] entry_SYSCALL_64_after_hwframe+0x72/0xdc<br /> unreferenced object 0xffff888170c35a00 (size 32):<br /> comm "bash", pid 869, jiffies 4294950577 (age 215.752s)<br /> hex dump (first 32 bytes):<br /> 0a 20 20 43 6f 6d 6d 61 6e 64 3a 20 68 69 73 74 . Command: hist<br /> 3a 6b 65 79 73 3d 78 0a 00 00 00 00 00 00 00 00 :keys=x.........<br /> backtrace:<br /> [] __kmalloc+0x4d/0x160<br /> [] tracing_log_err+0x29b/0x2e0<br /> [] parse_atom+0x966/0xb40<br /> [] parse_expr+0x5f3/0xdb0<br /> [] event_hist_trigger_parse+0x27f8/0x3560<br /> [] trigger_process_regex+0x135/0x1a0<br /> [] event_trigger_write+0x87/0xf0<br /> [] vfs_write+0x162/0x670<br /> [] ksys_write+0xca/0x170<br /> [] do_syscall_64+0x3e/0xc0<br /> [] entry_SYSCALL_64_after_hwframe+0x72/0xdc<br /> <br /> The problem is that the error log needs to be freed when the instance is<br /> removed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: mpi3mr: Use number of bits to manage bitmap sizes<br /> <br /> To allocate bitmaps, the mpi3mr driver calculates sizes of bitmaps using<br /> byte as unit. However, bitmap helper functions assume that bitmaps are<br /> allocated using unsigned long as unit. This gap causes memory access beyond<br /> the bitmap sizes and results in "BUG: KASAN: slab-out-of-bounds". The BUG<br /> was observed at firmware download to eHBA-9600. Call trace indicated that<br /> the out-of-bounds access happened in find_first_zero_bit() called from<br /> mpi3mr_send_event_ack() for miroc-&gt;evtack_cmds_bitmap.<br /> <br /> To fix the BUG, do not use bytes to manage bitmap sizes. Instead, use<br /> number of bits, and call bitmap helper functions which take number of bits<br /> as arguments. For memory allocation, call bitmap_zalloc() instead of<br /> kzalloc() and krealloc(). For memory free, call bitmap_free() instead of<br /> kfree(). For zero clear, call bitmap_clear() instead of memset().<br /> <br /> Remove three fields for bitmap byte sizes in struct scmd_priv which are no<br /> longer required. Replace the field dev_handle_bitmap_sz with<br /> dev_handle_bitmap_bits to keep number of bits of removepend_bitmap across<br /> resize.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: prevent use-after-free by freeing the cfile later<br /> <br /> In smb2_compound_op we have a possible use-after-free<br /> which can cause hard to debug problems later on.<br /> <br /> This was revealed during stress testing with KASAN enabled<br /> kernel. Fixing it by moving the cfile free call to<br /> a few lines below, after the usage.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915/dpt: Treat the DPT BO as a framebuffer<br /> <br /> Currently i915_gem_object_is_framebuffer() doesn&amp;#39;t treat the<br /> BO containing the framebuffer&amp;#39;s DPT as a framebuffer itself.<br /> This means eg. that the shrinker can evict the DPT BO while<br /> leaving the actual FB BO bound, when the DPT is allocated<br /> from regular shmem.<br /> <br /> That causes an immediate oops during hibernate as we<br /> try to rewrite the PTEs inside the already evicted<br /> DPT obj.<br /> <br /> TODO: presumably this might also be the reason for the<br /> DPT related display faults under heavy memory pressure,<br /> but I&amp;#39;m still not sure how that would happen as the object<br /> should be pinned by intel_dpt_pin() while in active use by<br /> the display engine...<br /> <br /> (cherry picked from commit 779cb5ba64ec7df80675a956c9022929514f517a)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe()<br /> <br /> Smatch reports:<br /> drivers/usb/phy/phy-tahvo.c: tahvo_usb_probe()<br /> warn: missing unwind goto?<br /> <br /> After geting irq, if ret

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request<br /> <br /> There are two check of &amp;#39;mreplace&amp;#39; in raid10_sync_request(). In the first<br /> check, &amp;#39;need_replace&amp;#39; will be set and &amp;#39;mreplace&amp;#39; will be used later if<br /> no-Faulty &amp;#39;mreplace&amp;#39; exists, In the second check, &amp;#39;mreplace&amp;#39; will be<br /> set to NULL if it is Faulty, but &amp;#39;need_replace&amp;#39; will not be changed<br /> accordingly. null-ptr-deref occurs if Faulty is set between two check.<br /> <br /> Fix it by merging two checks into one. And replace &amp;#39;need_replace&amp;#39; with<br /> &amp;#39;mreplace&amp;#39; because their values are always the same.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/msm/dp: add atomic_check to bridge ops<br /> <br /> DRM commit_tails() will disable downstream crtc/encoder/bridge if<br /> both disable crtc is required and crtc-&gt;active is set before pushing<br /> a new frame downstream.<br /> <br /> There is a rare case that user space display manager issue an extra<br /> screen update immediately followed by close DRM device while down<br /> stream display interface is disabled. This extra screen update will<br /> timeout due to the downstream interface is disabled but will cause<br /> crtc-&gt;active be set. Hence the followed commit_tails() called by<br /> drm_release() will pass the disable downstream crtc/encoder/bridge<br /> conditions checking even downstream interface is disabled.<br /> This cause the crash to happen at dp_bridge_disable() due to it trying<br /> to access the main link register to push the idle pattern out while main<br /> link clocks is disabled.<br /> <br /> This patch adds atomic_check to prevent the extra frame will not<br /> be pushed down if display interface is down so that crtc-&gt;active<br /> will not be set neither. This will fail the conditions checking<br /> of disabling down stream crtc/encoder/bridge which prevent<br /> drm_release() from calling dp_bridge_disable() so that crash<br /> at dp_bridge_disable() prevented.<br /> <br /> There is no protection in the DRM framework to check if the display<br /> pipeline has been already disabled before trying again. The only<br /> check is the crtc_state-&gt;active but this is controlled by usermode<br /> using UAPI. Hence if the usermode sets this and then crashes, the<br /> driver needs to protect against double disable.<br /> <br /> SError Interrupt on CPU7, code 0x00000000be000411 -- SError<br /> CPU: 7 PID: 3878 Comm: Xorg Not tainted 5.19.0-stb-cbq #19<br /> Hardware name: Google Lazor (rev3 - 8) (DT)<br /> pstate: a04000c9 (NzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : __cmpxchg_case_acq_32+0x14/0x2c<br /> lr : do_raw_spin_lock+0xa4/0xdc<br /> sp : ffffffc01092b6a0<br /> x29: ffffffc01092b6a0 x28: 0000000000000028 x27: 0000000000000038<br /> x26: 0000000000000004 x25: ffffffd2973dce48 x24: 0000000000000000<br /> x23: 00000000ffffffff x22: 00000000ffffffff x21: ffffffd2978d0008<br /> x20: ffffffd2978d0008 x19: ffffff80ff759fc0 x18: 0000000000000000<br /> x17: 004800a501260460 x16: 0441043b04600438 x15: 04380000089807d0<br /> x14: 07b0089807800780 x13: 0000000000000000 x12: 0000000000000000<br /> x11: 0000000000000438 x10: 00000000000007d0 x9 : ffffffd2973e09e4<br /> x8 : ffffff8092d53300 x7 : ffffff808902e8b8 x6 : 0000000000000001<br /> x5 : ffffff808902e880 x4 : 0000000000000000 x3 : ffffff80ff759fc0<br /> x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffffff80ff759fc0<br /> Kernel panic - not syncing: Asynchronous SError Interrupt<br /> CPU: 7 PID: 3878 Comm: Xorg Not tainted 5.19.0-stb-cbq #19<br /> Hardware name: Google Lazor (rev3 - 8) (DT)<br /> Call trace:<br /> dump_backtrace.part.0+0xbc/0xe4<br /> show_stack+0x24/0x70<br /> dump_stack_lvl+0x68/0x84<br /> dump_stack+0x18/0x34<br /> panic+0x14c/0x32c<br /> nmi_panic+0x58/0x7c<br /> arm64_serror_panic+0x78/0x84<br /> do_serror+0x40/0x64<br /> el1h_64_error_handler+0x30/0x48<br /> el1h_64_error+0x68/0x6c<br /> __cmpxchg_case_acq_32+0x14/0x2c<br /> _raw_spin_lock_irqsave+0x38/0x4c<br /> lock_timer_base+0x40/0x78<br /> __mod_timer+0xf4/0x25c<br /> schedule_timeout+0xd4/0xfc<br /> __wait_for_common+0xac/0x140<br /> wait_for_completion_timeout+0x2c/0x54<br /> dp_ctrl_push_idle+0x40/0x88<br /> dp_bridge_disable+0x24/0x30<br /> drm_atomic_bridge_chain_disable+0x90/0xbc<br /> drm_atomic_helper_commit_modeset_disables+0x198/0x444<br /> msm_atomic_commit_tail+0x1d0/0x374<br /> commit_tail+0x80/0x108<br /> drm_atomic_helper_commit+0x118/0x11c<br /> drm_atomic_commit+0xb4/0xe0<br /> drm_client_modeset_commit_atomic+0x184/0x224<br /> drm_client_modeset_commit_locked+0x58/0x160<br /> drm_client_modeset_commit+0x3c/0x64<br /> __drm_fb_helper_restore_fbdev_mode_unlocked+0x98/0xac<br /> drm_fb_helper_set_par+0x74/0x80<br /> drm_fb_helper_hotplug_event+0xdc/0xe0<br /> __drm_fb_helper_restore_fbdev_mode_unlocked+0x7c/0xac<br /> drm_fb_helper_restore_fbdev_mode_unlocked+0x20/0x2c<br /> drm_fb_helper_lastclose+0x20/0x2c<br /> drm_lastclose+0x44/0x6c<br /> drm_release+0x88/0xd4<br /> __fput+0x104/0x220<br /> ____fput+0x1c/0x28<br /> task_work_run+0x8c/0x100<br /> d<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: atomisp: prevent integer overflow in sh_css_set_black_frame()<br /> <br /> The "height" and "width" values come from the user so the "height * width"<br /> multiplication can overflow.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: greybus: audio_helper: remove unused and wrong debugfs usage<br /> <br /> In the greybus audio_helper code, the debugfs file for the dapm has the<br /> potential to be removed and memory will be leaked. There is also the<br /> very real potential for this code to remove ALL debugfs entries from the<br /> system, and it seems like this is what will really happen if this code<br /> ever runs. This all is very wrong as the greybus audio driver did not<br /> create this debugfs file, the sound core did and controls the lifespan<br /> of it.<br /> <br /> So remove all of the debugfs logic from the audio_helper code as there&amp;#39;s<br /> no way it could be correct. If this really is needed, it can come back<br /> with a fixup for the incorrect usage of the debugfs_lookup() call which<br /> is what caused this to be noticed at all.