Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak<br /> <br /> In crb_acpi_add(), we get the TPM2 table to retrieve information<br /> like start method, and then assign them to the priv data, so the<br /> TPM2 table is not used after the init, should be freed, call<br /> acpi_put_table() to fix the memory leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: Fix user-after-free<br /> <br /> This uses l2cap_chan_hold_unless_zero() after calling<br /> __l2cap_get_chan_blah() to prevent the following trace:<br /> <br /> Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref<br /> *kref)<br /> Bluetooth: chan 0000000023c4974d<br /> Bluetooth: parent 00000000ae861c08<br /> ==================================================================<br /> BUG: KASAN: use-after-free in __mutex_waiter_is_first<br /> kernel/locking/mutex.c:191 [inline]<br /> BUG: KASAN: use-after-free in __mutex_lock_common<br /> kernel/locking/mutex.c:671 [inline]<br /> BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400<br /> kernel/locking/mutex.c:729<br /> Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFS: Fix an Oops in nfs_d_automount()<br /> <br /> When mounting from a NFSv4 referral, path-&gt;dentry can end up being a<br /> negative dentry, so derive the struct nfs_server from the dentry<br /> itself instead.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: vme_user: Fix possible UAF in tsi148_dma_list_add<br /> <br /> Smatch report warning as follows:<br /> <br /> drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn:<br /> &amp;#39;&amp;entry-&gt;list&amp;#39; not removed from list<br /> <br /> In tsi148_dma_list_add(), the error path "goto err_dma" will not<br /> remove entry-&gt;list from list-&gt;entries, but entry will be freed,<br /> then list traversal may cause UAF.<br /> <br /> Fix by removeing it from list-&gt;entries before free().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED<br /> <br /> Shifting signed 32-bit value by 31 bits is undefined, so changing<br /> significant bit to unsigned. The UBSAN warning calltrace like below:<br /> <br /> UBSAN: shift-out-of-bounds in ./include/drm/ttm/ttm_tt.h:122:26<br /> left shift of 1 by 31 places cannot be represented in type &amp;#39;int&amp;#39;<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x7d/0xa5<br /> dump_stack+0x15/0x1b<br /> ubsan_epilogue+0xe/0x4e<br /> __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c<br /> ttm_bo_move_memcpy+0x3b4/0x460 [ttm]<br /> bo_driver_move+0x32/0x40 [drm_vram_helper]<br /> ttm_bo_handle_move_mem+0x118/0x200 [ttm]<br /> ttm_bo_validate+0xfa/0x220 [ttm]<br /> drm_gem_vram_pin_locked+0x70/0x1b0 [drm_vram_helper]<br /> drm_gem_vram_pin+0x48/0xb0 [drm_vram_helper]<br /> drm_gem_vram_plane_helper_prepare_fb+0x53/0xe0 [drm_vram_helper]<br /> drm_gem_vram_simple_display_pipe_prepare_fb+0x26/0x30 [drm_vram_helper]<br /> drm_simple_kms_plane_prepare_fb+0x4d/0xe0 [drm_kms_helper]<br /> drm_atomic_helper_prepare_planes+0xda/0x210 [drm_kms_helper]<br /> drm_atomic_helper_commit+0xc3/0x1e0 [drm_kms_helper]<br /> drm_atomic_commit+0x9c/0x160 [drm]<br /> drm_client_modeset_commit_atomic+0x33a/0x380 [drm]<br /> drm_client_modeset_commit_locked+0x77/0x220 [drm]<br /> drm_client_modeset_commit+0x31/0x60 [drm]<br /> __drm_fb_helper_restore_fbdev_mode_unlocked+0xa7/0x170 [drm_kms_helper]<br /> drm_fb_helper_set_par+0x51/0x90 [drm_kms_helper]<br /> fbcon_init+0x316/0x790<br /> visual_init+0x113/0x1d0<br /> do_bind_con_driver+0x2a3/0x5c0<br /> do_take_over_console+0xa9/0x270<br /> do_fbcon_takeover+0xa1/0x170<br /> do_fb_registered+0x2a8/0x340<br /> fbcon_fb_registered+0x47/0xe0<br /> register_framebuffer+0x294/0x4a0<br /> __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]<br /> drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]<br /> drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]<br /> drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]<br /> bochs_pci_probe+0x6ca/0x772 [bochs]<br /> local_pci_probe+0x4d/0xb0<br /> pci_device_probe+0x119/0x320<br /> really_probe+0x181/0x550<br /> __driver_probe_device+0xc6/0x220<br /> driver_probe_device+0x32/0x100<br /> __driver_attach+0x195/0x200<br /> bus_for_each_dev+0xbb/0x120<br /> driver_attach+0x27/0x30<br /> bus_add_driver+0x22e/0x2f0<br /> driver_register+0xa9/0x190<br /> __pci_register_driver+0x90/0xa0<br /> bochs_pci_driver_init+0x52/0x1000 [bochs]<br /> do_one_initcall+0x76/0x430<br /> do_init_module+0x61/0x28a<br /> load_module+0x1f82/0x2e50<br /> __do_sys_finit_module+0xf8/0x190<br /> __x64_sys_finit_module+0x23/0x30<br /> do_syscall_64+0x58/0x80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br />

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> padata: Always leave BHs disabled when running -&gt;parallel()<br /> <br /> A deadlock can happen when an overloaded system runs -&gt;parallel() in the<br /> context of the current task:<br /> <br /> padata_do_parallel<br /> -&gt;parallel()<br /> pcrypt_aead_enc/dec<br /> padata_do_serial<br /> spin_lock(&amp;reorder-&gt;lock) // BHs still enabled<br /> <br /> ...<br /> __do_softirq<br /> ...<br /> padata_do_serial<br /> spin_lock(&amp;reorder-&gt;lock)<br /> <br /> It&amp;#39;s a bug for BHs to be on in _do_serial as Steffen points out, so<br /> ensure they&amp;#39;re off in the "current task" case like they are in<br /> padata_parallel_worker to avoid this situation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> md: fix a crash in mempool_free<br /> <br /> There&amp;#39;s a crash in mempool_free when running the lvm test<br /> shell/lvchange-rebuild-raid.sh.<br /> <br /> The reason for the crash is this:<br /> * super_written calls atomic_dec_and_test(&amp;mddev-&gt;pending_writes) and<br /> wake_up(&amp;mddev-&gt;sb_wait). Then it calls rdev_dec_pending(rdev, mddev)<br /> and bio_put(bio).<br /> * so, the process that waited on sb_wait and that is woken up is racing<br /> with bio_put(bio).<br /> * if the process wins the race, it calls bioset_exit before bio_put(bio)<br /> is executed.<br /> * bio_put(bio) attempts to free a bio into a destroyed bio set - causing<br /> a crash in mempool_free.<br /> <br /> We fix this bug by moving bio_put before atomic_dec_and_test.<br /> <br /> We also move rdev_dec_pending before atomic_dec_and_test as suggested by<br /> Neil Brown.<br /> <br /> The function md_end_flush has a similar bug - we must call bio_put before<br /> we decrement the number of in-progress bios.<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> #PF: supervisor write access in kernel mode<br /> #PF: error_code(0x0002) - not-present page<br /> PGD 11557f0067 P4D 11557f0067 PUD 0<br /> Oops: 0002 [#1] PREEMPT SMP<br /> CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 6.1.0-rc3 #5<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014<br /> Workqueue: kdelayd flush_expired_bios [dm_delay]<br /> RIP: 0010:mempool_free+0x47/0x80<br /> Code: 48 89 ef 5b 5d ff e0 f3 c3 48 89 f7 e8 32 45 3f 00 48 63 53 08 48 89 c6 3b 53 04 7d 2d 48 8b 43 10 8d 4a 01 48 89 df 89 4b 08 89 2c d0 e8 b0 45 3f 00 48 8d 7b 30 5b 5d 31 c9 ba 01 00 00 00<br /> RSP: 0018:ffff88910036bda8 EFLAGS: 00010093<br /> RAX: 0000000000000000 RBX: ffff8891037b65d8 RCX: 0000000000000001<br /> RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff8891037b65d8<br /> RBP: ffff8891447ba240 R08: 0000000000012908 R09: 00000000003d0900<br /> R10: 0000000000000000 R11: 0000000000173544 R12: ffff889101a14000<br /> R13: ffff8891562ac300 R14: ffff889102b41440 R15: ffffe8ffffa00d05<br /> FS: 0000000000000000(0000) GS:ffff88942fa00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000000 CR3: 0000001102e99000 CR4: 00000000000006b0<br /> Call Trace:<br /> <br /> clone_endio+0xf4/0x1c0 [dm_mod]<br /> clone_endio+0xf4/0x1c0 [dm_mod]<br /> __submit_bio+0x76/0x120<br /> submit_bio_noacct_nocheck+0xb6/0x2a0<br /> flush_expired_bios+0x28/0x2f [dm_delay]<br /> process_one_work+0x1b4/0x300<br /> worker_thread+0x45/0x3e0<br /> ? rescuer_thread+0x380/0x380<br /> kthread+0xc2/0x100<br /> ? kthread_complete_and_exit+0x20/0x20<br /> ret_from_fork+0x1f/0x30<br /> <br /> Modules linked in: brd dm_delay dm_raid dm_mod af_packet uvesafb cfbfillrect cfbimgblt cn cfbcopyarea fb font fbdev tun autofs4 binfmt_misc configfs ipv6 virtio_rng virtio_balloon rng_core virtio_net pcspkr net_failover failover qemu_fw_cfg button mousedev raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq raid6_pq async_xor xor async_tx raid1 raid0 md_mod sd_mod t10_pi crc64_rocksoft crc64 virtio_scsi scsi_mod evdev psmouse bsg scsi_common [last unloaded: brd]<br /> CR2: 0000000000000000<br /> ---[ end trace 0000000000000000 ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: /proc/pid/smaps_rollup: fix no vma&amp;#39;s null-deref<br /> <br /> Commit 258f669e7e88 ("mm: /proc/pid/smaps_rollup: convert to single value<br /> seq_file") introduced a null-deref if there are no vma&amp;#39;s in the task in<br /> show_smaps_rollup.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix race between quota enable and quota rescan ioctl<br /> <br /> When enabling quotas, at btrfs_quota_enable(), after committing the<br /> transaction, we change fs_info-&gt;quota_root to point to the quota root we<br /> created and set BTRFS_FS_QUOTA_ENABLED at fs_info-&gt;flags. Then we try<br /> to start the qgroup rescan worker, first by initializing it with a call<br /> to qgroup_rescan_init() - however if that fails we end up freeing the<br /> quota root but we leave fs_info-&gt;quota_root still pointing to it, this<br /> can later result in a use-after-free somewhere else.<br /> <br /> We have previously set the flags BTRFS_FS_QUOTA_ENABLED and<br /> BTRFS_QGROUP_STATUS_FLAG_ON, so we can only fail with -EINPROGRESS at<br /> btrfs_quota_enable(), which is possible if someone already called the<br /> quota rescan ioctl, and therefore started the rescan worker.<br /> <br /> So fix this by ignoring an -EINPROGRESS and asserting we can&amp;#39;t get any<br /> other error.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/meson: reorder driver deinit sequence to fix use-after-free bug<br /> <br /> Unloading the driver triggers the following KASAN warning:<br /> <br /> [ +0.006275] =============================================================<br /> [ +0.000029] BUG: KASAN: use-after-free in __list_del_entry_valid+0xe0/0x1a0<br /> [ +0.000026] Read of size 8 at addr ffff000020c395e0 by task rmmod/2695<br /> <br /> [ +0.000019] CPU: 5 PID: 2695 Comm: rmmod Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1<br /> [ +0.000013] Hardware name: Hardkernel ODROID-N2Plus (DT)<br /> [ +0.000008] Call trace:<br /> [ +0.000007] dump_backtrace+0x1ec/0x280<br /> [ +0.000013] show_stack+0x24/0x80<br /> [ +0.000008] dump_stack_lvl+0x98/0xd4<br /> [ +0.000011] print_address_description.constprop.0+0x80/0x520<br /> [ +0.000011] print_report+0x128/0x260<br /> [ +0.000007] kasan_report+0xb8/0xfc<br /> [ +0.000008] __asan_report_load8_noabort+0x3c/0x50<br /> [ +0.000010] __list_del_entry_valid+0xe0/0x1a0<br /> [ +0.000009] drm_atomic_private_obj_fini+0x30/0x200 [drm]<br /> [ +0.000172] drm_bridge_detach+0x94/0x260 [drm]<br /> [ +0.000145] drm_encoder_cleanup+0xa4/0x290 [drm]<br /> [ +0.000144] drm_mode_config_cleanup+0x118/0x740 [drm]<br /> [ +0.000143] drm_mode_config_init_release+0x1c/0x2c [drm]<br /> [ +0.000144] drm_managed_release+0x170/0x414 [drm]<br /> [ +0.000142] drm_dev_put.part.0+0xc0/0x124 [drm]<br /> [ +0.000143] drm_dev_put+0x20/0x30 [drm]<br /> [ +0.000142] meson_drv_unbind+0x1d8/0x2ac [meson_drm]<br /> [ +0.000028] take_down_aggregate_device+0xb0/0x160<br /> [ +0.000016] component_del+0x18c/0x360<br /> [ +0.000009] meson_dw_hdmi_remove+0x28/0x40 [meson_dw_hdmi]<br /> [ +0.000015] platform_remove+0x64/0xb0<br /> [ +0.000009] device_remove+0xb8/0x154<br /> [ +0.000009] device_release_driver_internal+0x398/0x5b0<br /> [ +0.000009] driver_detach+0xac/0x1b0<br /> [ +0.000009] bus_remove_driver+0x158/0x29c<br /> [ +0.000009] driver_unregister+0x70/0xb0<br /> [ +0.000008] platform_driver_unregister+0x20/0x2c<br /> [ +0.000008] meson_dw_hdmi_platform_driver_exit+0x1c/0x30 [meson_dw_hdmi]<br /> [ +0.000012] __do_sys_delete_module+0x288/0x400<br /> [ +0.000011] __arm64_sys_delete_module+0x5c/0x80<br /> [ +0.000009] invoke_syscall+0x74/0x260<br /> [ +0.000009] el0_svc_common.constprop.0+0xcc/0x260<br /> [ +0.000009] do_el0_svc+0x50/0x70<br /> [ +0.000007] el0_svc+0x68/0x1a0<br /> [ +0.000012] el0t_64_sync_handler+0x11c/0x150<br /> [ +0.000008] el0t_64_sync+0x18c/0x190<br /> <br /> [ +0.000018] Allocated by task 0:<br /> [ +0.000007] (stack is not available)<br /> <br /> [ +0.000011] Freed by task 2695:<br /> [ +0.000008] kasan_save_stack+0x2c/0x5c<br /> [ +0.000011] kasan_set_track+0x2c/0x40<br /> [ +0.000008] kasan_set_free_info+0x28/0x50<br /> [ +0.000009] ____kasan_slab_free+0x128/0x1d4<br /> [ +0.000008] __kasan_slab_free+0x18/0x24<br /> [ +0.000007] slab_free_freelist_hook+0x108/0x230<br /> [ +0.000011] kfree+0x110/0x35c<br /> [ +0.000008] release_nodes+0xf0/0x16c<br /> [ +0.000009] devres_release_group+0x180/0x270<br /> [ +0.000008] component_unbind+0x128/0x1e0<br /> [ +0.000010] component_unbind_all+0x1b8/0x264<br /> [ +0.000009] meson_drv_unbind+0x1a0/0x2ac [meson_drm]<br /> [ +0.000025] take_down_aggregate_device+0xb0/0x160<br /> [ +0.000009] component_del+0x18c/0x360<br /> [ +0.000009] meson_dw_hdmi_remove+0x28/0x40 [meson_dw_hdmi]<br /> [ +0.000012] platform_remove+0x64/0xb0<br /> [ +0.000008] device_remove+0xb8/0x154<br /> [ +0.000009] device_release_driver_internal+0x398/0x5b0<br /> [ +0.000009] driver_detach+0xac/0x1b0<br /> [ +0.000009] bus_remove_driver+0x158/0x29c<br /> [ +0.000008] driver_unregister+0x70/0xb0<br /> [ +0.000008] platform_driver_unregister+0x20/0x2c<br /> [ +0.000008] meson_dw_hdmi_platform_driver_exit+0x1c/0x30 [meson_dw_hdmi]<br /> [ +0.000011] __do_sys_delete_module+0x288/0x400<br /> [ +0.000010] __arm64_sys_delete_module+0x5c/0x80<br /> [ +0.000008] invoke_syscall+0x74/0x260<br /> [ +0.000008] el0_svc_common.constprop.0+0xcc/0x260<br /> [ +0.000008] do_el0_svc+0x50/0x70<br /> [ +0.000007] el0_svc+0x68/0x1a0<br /> [ +0.000009] el0t_64_sync_handler+0x11c/0x150<br /> [ +0.000009] el0t_64_sync+0x18c/0x190<br /> <br /> [ +0.000014] The buggy address belongs to the object at ffff000020c39000<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init()<br /> <br /> When insert and remove the orangefs module, there are memory leaked<br /> as below:<br /> <br /> unreferenced object 0xffff88816b0cc000 (size 2048):<br /> comm "insmod", pid 783, jiffies 4294813439 (age 65.512s)<br /> hex dump (first 32 bytes):<br /> 6e 6f 6e 65 0a 00 00 00 00 00 00 00 00 00 00 00 none............<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] kmalloc_trace+0x27/0xa0<br /> [] orangefs_debugfs_init.cold+0xaf/0x17f<br /> [] 0xffffffffa02780f9<br /> [] do_one_initcall+0x87/0x2a0<br /> [] do_init_module+0xdf/0x320<br /> [] load_module+0x2f98/0x3330<br /> [] __do_sys_finit_module+0x113/0x1b0<br /> [] do_syscall_64+0x35/0x80<br /> [] entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> <br /> Use the golbal variable as the buffer rather than dynamic allocate to<br /> slove the problem.