Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915/ttm: don&amp;#39;t leak the ccs state<br /> <br /> The kernel only manages the ccs state with lmem-only objects, however<br /> the kernel should still take care not to leak the CCS state from the<br /> previous user.<br /> <br /> (cherry picked from commit 353819d85f87be46aeb9c1dd929d445a006fc6ec)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/meson: Fix refcount bugs in meson_vpu_has_available_connectors()<br /> <br /> In this function, there are two refcount leak bugs:<br /> (1) when breaking out of for_each_endpoint_of_node(), we need call<br /> the of_node_put() for the &amp;#39;ep&amp;#39;;<br /> (2) we should call of_node_put() for the reference returned by<br /> of_graph_get_remote_port() when it is not used anymore.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> stmmac: intel: Add a missing clk_disable_unprepare() call in intel_eth_pci_remove()<br /> <br /> Commit 09f012e64e4b ("stmmac: intel: Fix clock handling on error and remove<br /> paths") removed this clk_disable_unprepare()<br /> <br /> This was partly revert by commit ac322f86b56c ("net: stmmac: Fix clock<br /> handling on remove path") which removed this clk_disable_unprepare()<br /> because:<br /> "<br /> While unloading the dwmac-intel driver, clk_disable_unprepare() is<br /> being called twice in stmmac_dvr_remove() and<br /> intel_eth_pci_remove(). This causes kernel panic on the second call.<br /> "<br /> <br /> However later on, commit 5ec55823438e8 ("net: stmmac: add clocks management<br /> for gmac driver") has updated stmmac_dvr_remove() which do not call<br /> clk_disable_unprepare() anymore.<br /> <br /> So this call should now be called from intel_eth_pci_remove().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: dsa: sja1105: fix buffer overflow in sja1105_setup_devlink_regions()<br /> <br /> If an error occurs in dsa_devlink_region_create(), then &amp;#39;priv-&gt;regions&amp;#39;<br /> array will be accessed by negative index &amp;#39;-1&amp;#39;.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: Fix call trace with null VSI during VF reset<br /> <br /> During stress test with attaching and detaching VF from KVM and<br /> simultaneously changing VFs spoofcheck and trust there was a<br /> call trace in ice_reset_vf that VF&amp;#39;s VSI is null.<br /> <br /> [145237.352797] WARNING: CPU: 46 PID: 840629 at drivers/net/ethernet/intel/ice/ice_vf_lib.c:508 ice_reset_vf+0x3d6/0x410 [ice]<br /> [145237.352851] Modules linked in: ice(E) vfio_pci vfio_pci_core vfio_virqfd vfio_iommu_type1 vfio iavf dm_mod xt_CHECKSUM xt_MASQUERADE<br /> xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink tun<br /> bridge stp llc sunrpc intel_rapl_msr intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm iTCO_wdt iTC<br /> O_vendor_support irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel rapl ipmi_si intel_cstate ipmi_devintf joydev intel_uncore m<br /> ei_me ipmi_msghandler i2c_i801 pcspkr mei lpc_ich ioatdma i2c_smbus acpi_pad acpi_power_meter ip_tables xfs libcrc32c i2c_algo_bit drm_sh<br /> mem_helper drm_kms_helper sd_mod t10_pi crc64_rocksoft syscopyarea crc64 sysfillrect sg sysimgblt fb_sys_fops drm i40e ixgbe ahci libahci<br /> libata crc32c_intel mdio dca wmi fuse [last unloaded: ice]<br /> [145237.352917] CPU: 46 PID: 840629 Comm: kworker/46:2 Tainted: G S W I E 5.19.0-rc6+ #24<br /> [145237.352921] Hardware name: Intel Corporation S2600WTT/S2600WTT, BIOS SE5C610.86B.01.01.0008.021120151325 02/11/2015<br /> [145237.352923] Workqueue: ice ice_service_task [ice]<br /> [145237.352948] RIP: 0010:ice_reset_vf+0x3d6/0x410 [ice]<br /> [145237.352984] Code: 30 ec f3 cc e9 28 fd ff ff 0f b7 4b 50 48 c7 c2 48 19 9c c0 4c 89 ee 48 c7 c7 30 fe 9e c0 e8 d1 21 9d cc 31 c0 e9 a<br /> 9 fe ff ff 0b b8 ea ff ff ff e9 c1 fc ff ff 0f 0b b8 fb ff ff ff e9 91 fe<br /> [145237.352987] RSP: 0018:ffffb453e257fdb8 EFLAGS: 00010246<br /> [145237.352990] RAX: ffff8bd0040181c0 RBX: ffff8be68db8f800 RCX: 0000000000000000<br /> [145237.352991] RDX: 000000000000ffff RSI: 0000000000000000 RDI: ffff8be68db8f800<br /> [145237.352993] RBP: ffff8bd0040181c0 R08: 0000000000001000 R09: ffff8bcfd520e000<br /> [145237.352995] R10: 0000000000000000 R11: 00008417b5ab0bc0 R12: 0000000000000005<br /> [145237.352996] R13: ffff8bcee061c0d0 R14: ffff8bd004019640 R15: 0000000000000000<br /> [145237.352998] FS: 0000000000000000(0000) GS:ffff8be5dfb00000(0000) knlGS:0000000000000000<br /> [145237.353000] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [145237.353002] CR2: 00007fd81f651d68 CR3: 0000001a0fe10001 CR4: 00000000001726e0<br /> [145237.353003] Call Trace:<br /> [145237.353008] <br /> [145237.353011] ice_process_vflr_event+0x8d/0xb0 [ice]<br /> [145237.353049] ice_service_task+0x79f/0xef0 [ice]<br /> [145237.353074] process_one_work+0x1c8/0x390<br /> [145237.353081] ? process_one_work+0x390/0x390<br /> [145237.353084] worker_thread+0x30/0x360<br /> [145237.353087] ? process_one_work+0x390/0x390<br /> [145237.353090] kthread+0xe8/0x110<br /> [145237.353094] ? kthread_complete_and_exit+0x20/0x20<br /> [145237.353097] ret_from_fork+0x22/0x30<br /> [145237.353103] <br /> <br /> Remove WARN_ON() from check if VSI is null in ice_reset_vf.<br /> Add "VF is already removed\n" in dev_dbg().<br /> <br /> This WARN_ON() is unnecessary and causes call trace, despite that<br /> call trace, driver still works. There is no need for this warn<br /> because this piece of code is responsible for disabling VF&amp;#39;s Tx/Rx<br /> queues when VF is disabled, but when VF is already removed there<br /> is no need to do reset or disable queues.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: genl: fix error path memory leak in policy dumping<br /> <br /> If construction of the array of policies fails when recording<br /> non-first policy we need to unwind.<br /> <br /> netlink_policy_dump_add_policy() itself also needs fixing as<br /> it currently gives up on error without recording the allocated<br /> pointer in the pstate pointer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: fix potential refcount leak in ndisc_router_discovery()<br /> <br /> The issue happens on specific paths in the function. After both the<br /> object `rt` and `neigh` are grabbed successfully, when `lifetime` is<br /> nonzero but the metric needs change, the function just deletes the<br /> route and set `rt` to NULL. Then, it may try grabbing `rt` and `neigh`<br /> again if above conditions hold. The function simply overwrite `neigh`<br /> if succeeds or returns if fails, without decreasing the reference<br /> count of previous `neigh`. This may result in memory leaks.<br /> <br /> Fix it by decrementing the reference count of `neigh` in place.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: qrtr: start MHI channel after endpoit creation<br /> <br /> MHI channel may generates event/interrupt right after enabling.<br /> It may leads to 2 race conditions issues.<br /> <br /> 1)<br /> Such event may be dropped by qcom_mhi_qrtr_dl_callback() at check:<br /> <br /> if (!qdev || mhi_res-&gt;transaction_status)<br /> return;<br /> <br /> Because dev_set_drvdata(&amp;mhi_dev-&gt;dev, qdev) may be not performed at<br /> this moment. In this situation qrtr-ns will be unable to enumerate<br /> services in device.<br /> ---------------------------------------------------------------<br /> <br /> 2)<br /> Such event may come at the moment after dev_set_drvdata() and<br /> before qrtr_endpoint_register(). In this case kernel will panic with<br /> accessing wrong pointer at qcom_mhi_qrtr_dl_callback():<br /> <br /> rc = qrtr_endpoint_post(&amp;qdev-&gt;ep, mhi_res-&gt;buf_addr,<br /> mhi_res-&gt;bytes_xferd);<br /> <br /> Because endpoint is not created yet.<br /> --------------------------------------------------------------<br /> So move mhi_prepare_for_transfer_autoqueue after endpoint creation<br /> to fix it.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gadgetfs: ep_io - wait until IRQ finishes<br /> <br /> after usb_ep_queue() if wait_for_completion_interruptible() is<br /> interrupted we need to wait until IRQ gets finished.<br /> <br /> Otherwise complete() from epio_complete() can corrupt stack.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: qcom: ipq8074: dont disable gcc_sleep_clk_src<br /> <br /> Once the usb sleep clocks are disabled, clock framework is trying to<br /> disable the sleep clock source also.<br /> <br /> However, it seems that it cannot be disabled and trying to do so produces:<br /> [ 245.436390] ------------[ cut here ]------------<br /> [ 245.441233] gcc_sleep_clk_src status stuck at &amp;#39;on&amp;#39;<br /> [ 245.441254] WARNING: CPU: 2 PID: 223 at clk_branch_wait+0x130/0x140<br /> [ 245.450435] Modules linked in: xhci_plat_hcd xhci_hcd dwc3 dwc3_qcom leds_gpio<br /> [ 245.456601] CPU: 2 PID: 223 Comm: sh Not tainted 5.18.0-rc4 #215<br /> [ 245.463889] Hardware name: Xiaomi AX9000 (DT)<br /> [ 245.470050] pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 245.474307] pc : clk_branch_wait+0x130/0x140<br /> [ 245.481073] lr : clk_branch_wait+0x130/0x140<br /> [ 245.485588] sp : ffffffc009f2bad0<br /> [ 245.489838] x29: ffffffc009f2bad0 x28: ffffff8003e6c800 x27: 0000000000000000<br /> [ 245.493057] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800226ef20<br /> [ 245.500175] x23: ffffffc0089ff550 x22: 0000000000000000 x21: ffffffc008476ad0<br /> [ 245.507294] x20: 0000000000000000 x19: ffffffc00965ac70 x18: fffffffffffc51a7<br /> [ 245.514413] x17: 68702e3030303837 x16: 3a6d726f6674616c x15: ffffffc089f2b777<br /> [ 245.521531] x14: ffffffc0095c9d18 x13: 0000000000000129 x12: 0000000000000129<br /> [ 245.528649] x11: 00000000ffffffea x10: ffffffc009621d18 x9 : 0000000000000001<br /> [ 245.535767] x8 : 0000000000000001 x7 : 0000000000017fe8 x6 : 0000000000000001<br /> [ 245.542885] x5 : ffffff803fdca6d8 x4 : 0000000000000000 x3 : 0000000000000027<br /> [ 245.550002] x2 : 0000000000000027 x1 : 0000000000000023 x0 : 0000000000000026<br /> [ 245.557122] Call trace:<br /> [ 245.564229] clk_branch_wait+0x130/0x140<br /> [ 245.566490] clk_branch2_disable+0x2c/0x40<br /> [ 245.570656] clk_core_disable+0x60/0xb0<br /> [ 245.574561] clk_core_disable+0x68/0xb0<br /> [ 245.578293] clk_disable+0x30/0x50<br /> [ 245.582113] dwc3_qcom_remove+0x60/0xc0 [dwc3_qcom]<br /> [ 245.585588] platform_remove+0x28/0x60<br /> [ 245.590361] device_remove+0x4c/0x80<br /> [ 245.594179] device_release_driver_internal+0x1dc/0x230<br /> [ 245.597914] device_driver_detach+0x18/0x30<br /> [ 245.602861] unbind_store+0xec/0x110<br /> [ 245.607027] drv_attr_store+0x24/0x40<br /> [ 245.610847] sysfs_kf_write+0x44/0x60<br /> [ 245.614405] kernfs_fop_write_iter+0x128/0x1c0<br /> [ 245.618052] new_sync_write+0xc0/0x130<br /> [ 245.622391] vfs_write+0x1d4/0x2a0<br /> [ 245.626123] ksys_write+0x58/0xe0<br /> [ 245.629508] __arm64_sys_write+0x1c/0x30<br /> [ 245.632895] invoke_syscall.constprop.0+0x5c/0x110<br /> [ 245.636890] do_el0_svc+0xa0/0x150<br /> [ 245.641488] el0_svc+0x18/0x60<br /> [ 245.644872] el0t_64_sync_handler+0xa4/0x130<br /> [ 245.647914] el0t_64_sync+0x174/0x178<br /> [ 245.652340] ---[ end trace 0000000000000000 ]---<br /> <br /> So, add CLK_IS_CRITICAL flag to the clock so that the kernel won&amp;#39;t try<br /> to disable the sleep clock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed user input<br /> <br /> Malformed user input to debugfs results in buffer overflow crashes. Adapt<br /> input string lengths to fit within internal buffers, leaving space for NULL<br /> terminators.