Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> serial: 8250: Fix oops for port-&gt;pm on uart_change_pm()<br /> <br /> Unloading a hardware specific 8250 driver can produce error "Unable to<br /> handle kernel paging request at virtual address" about ten seconds after<br /> unloading the driver. This happens on uart_hangup() calling<br /> uart_change_pm().<br /> <br /> Turns out commit 04e82793f068 ("serial: 8250: Reinit port-&gt;pm on port<br /> specific driver unbind") was only a partial fix. If the hardware specific<br /> driver has initialized port-&gt;pm function, we need to clear port-&gt;pm too.<br /> Just reinitializing port-&gt;ops does not do this. Otherwise serial8250_pm()<br /> will call port-&gt;pm() instead of serial8250_do_pm().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe<br /> <br /> In function probe(), it returns directly without unregistered hws<br /> when error occurs.<br /> <br /> Fix this by adding &amp;#39;goto unregister_hws;&amp;#39; on line 295 and<br /> line 310.<br /> <br /> Use devm_kzalloc() instead of kzalloc() to automatically<br /> free the memory using devm_kfree() when error occurs.<br /> <br /> Replace of_iomap() with devm_of_iomap() to automatically<br /> handle the unused ioremap region and delete &amp;#39;iounmap(anatop_base);&amp;#39;<br /> in unregister_hws.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hte: tegra-194: Fix off by one in tegra_hte_map_to_line_id()<br /> <br /> The "map_sz" is the number of elements in the "m" array so the &gt;<br /> comparison needs to be changed to &gt;= to prevent an out of bounds<br /> read.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: xsk: Fix invalid buffer access for legacy rq<br /> <br /> The below crash can be encountered when using xdpsock in rx mode for<br /> legacy rq: the buffer gets released in the XDP_REDIRECT path, and then<br /> once again in the driver. This fix sets the flag to avoid releasing on<br /> the driver side.<br /> <br /> XSK handling of buffers for legacy rq was relying on the caller to set<br /> the skip release flag. But the referenced fix started using fragment<br /> counts for pages instead of the skip flag.<br /> <br /> Crash log:<br /> general protection fault, probably for non-canonical address 0xffff8881217e3a: 0000 [#1] SMP<br /> CPU: 0 PID: 14 Comm: ksoftirqd/0 Not tainted 6.5.0-rc1+ #31<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:bpf_prog_03b13f331978c78c+0xf/0x28<br /> Code: ...<br /> RSP: 0018:ffff88810082fc98 EFLAGS: 00010246<br /> RAX: 0000000000000000 RBX: ffff888138404901 RCX: c0ffffc900027cbc<br /> RDX: ffffffffa000b514 RSI: 00ffff8881217e32 RDI: ffff888138404901<br /> RBP: ffff88810082fc98 R08: 0000000000091100 R09: 0000000000000006<br /> R10: 0000000000000800 R11: 0000000000000800 R12: ffffc9000027a000<br /> R13: ffff8881217e2dc0 R14: ffff8881217e2910 R15: ffff8881217e2f00<br /> FS: 0000000000000000(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000564cb2e2cde0 CR3: 000000010e603004 CR4: 0000000000370eb0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ? die_addr+0x32/0x80<br /> ? exc_general_protection+0x192/0x390<br /> ? asm_exc_general_protection+0x22/0x30<br /> ? 0xffffffffa000b514<br /> ? bpf_prog_03b13f331978c78c+0xf/0x28<br /> mlx5e_xdp_handle+0x48/0x670 [mlx5_core]<br /> ? dev_gro_receive+0x3b5/0x6e0<br /> mlx5e_xsk_skb_from_cqe_linear+0x6e/0x90 [mlx5_core]<br /> mlx5e_handle_rx_cqe+0x55/0x100 [mlx5_core]<br /> mlx5e_poll_rx_cq+0x87/0x6e0 [mlx5_core]<br /> mlx5e_napi_poll+0x45e/0x6b0 [mlx5_core]<br /> __napi_poll+0x25/0x1a0<br /> net_rx_action+0x28a/0x300<br /> __do_softirq+0xcd/0x279<br /> ? sort_range+0x20/0x20<br /> run_ksoftirqd+0x1a/0x20<br /> smpboot_thread_fn+0xa2/0x130<br /> kthread+0xc9/0xf0<br /> ? kthread_complete_and_exit+0x20/0x20<br /> ret_from_fork+0x1f/0x30<br /> <br /> Modules linked in: mlx5_ib mlx5_core rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay zram zsmalloc fuse [last unloaded: mlx5_core]<br /> ---[ end trace 0000000000000000 ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix lockdep splat and potential deadlock after failure running delayed items<br /> <br /> When running delayed items we are holding a delayed node&amp;#39;s mutex and then<br /> we will attempt to modify a subvolume btree to insert/update/delete the<br /> delayed items. However if have an error during the insertions for example,<br /> btrfs_insert_delayed_items() may return with a path that has locked extent<br /> buffers (a leaf at the very least), and then we attempt to release the<br /> delayed node at __btrfs_run_delayed_items(), which requires taking the<br /> delayed node&amp;#39;s mutex, causing an ABBA type of deadlock. This was reported<br /> by syzbot and the lockdep splat is the following:<br /> <br /> WARNING: possible circular locking dependency detected<br /> 6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted<br /> ------------------------------------------------------<br /> syz-executor.2/13257 is trying to acquire lock:<br /> ffff88801835c0c0 (&amp;delayed_node-&gt;mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256<br /> <br /> but task is already holding lock:<br /> ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198<br /> <br /> which lock already depends on the new lock.<br /> <br /> the existing dependency chain (in reverse order) is:<br /> <br /> -&gt; #1 (btrfs-tree-00){++++}-{3:3}:<br /> __lock_release kernel/locking/lockdep.c:5475 [inline]<br /> lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781<br /> up_write+0x79/0x580 kernel/locking/rwsem.c:1625<br /> btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline]<br /> btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239<br /> search_leaf fs/btrfs/ctree.c:1986 [inline]<br /> btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230<br /> btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376<br /> btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline]<br /> btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline]<br /> __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111<br /> __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153<br /> flush_space+0x269/0xe70 fs/btrfs/space-info.c:723<br /> btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078<br /> process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600<br /> worker_thread+0xa63/0x1210 kernel/workqueue.c:2751<br /> kthread+0x2b8/0x350 kernel/kthread.c:389<br /> ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145<br /> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304<br /> <br /> -&gt; #0 (&amp;delayed_node-&gt;mutex){+.+.}-{3:3}:<br /> check_prev_add kernel/locking/lockdep.c:3142 [inline]<br /> check_prevs_add kernel/locking/lockdep.c:3261 [inline]<br /> validate_chain kernel/locking/lockdep.c:3876 [inline]<br /> __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144<br /> lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761<br /> __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603<br /> __mutex_lock kernel/locking/mutex.c:747 [inline]<br /> mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799<br /> __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256<br /> btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline]<br /> __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156<br /> btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276<br /> btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988<br /> vfs_fsync_range fs/sync.c:188 [inline]<br /> vfs_fsync fs/sync.c:202 [inline]<br /> do_fsync fs/sync.c:212 [inline]<br /> __do_sys_fsync fs/sync.c:220 [inline]<br /> __se_sys_fsync fs/sync.c:218 [inline]<br /> __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> other info that<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ipa: only reset hashed tables when supported<br /> <br /> Last year, the code that manages GSI channel transactions switched<br /> from using spinlock-protected linked lists to using indexes into the<br /> ring buffer used for a channel. Recently, Google reported seeing<br /> transaction reference count underflows occasionally during shutdown.<br /> <br /> Doug Anderson found a way to reproduce the issue reliably, and<br /> bisected the issue to the commit that eliminated the linked lists<br /> and the lock. The root cause was ultimately determined to be<br /> related to unused transactions being committed as part of the modem<br /> shutdown cleanup activity. Unused transactions are not normally<br /> expected (except in error cases).<br /> <br /> The modem uses some ranges of IPA-resident memory, and whenever it<br /> shuts down we zero those ranges. In ipa_filter_reset_table() a<br /> transaction is allocated to zero modem filter table entries. If<br /> hashing is not supported, hashed table memory should not be zeroed.<br /> But currently nothing prevents that, and the result is an unused<br /> transaction. Something similar occurs when we zero routing table<br /> entries for the modem.<br /> <br /> By preventing any attempt to clear hashed tables when hashing is not<br /> supported, the reference count underflow is avoided in this case.<br /> <br /> Note that there likely remains an issue with properly freeing unused<br /> transactions (if they occur due to errors). This patch addresses<br /> only the underflows that Google originally reported.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> af_unix: Fix data races around sk-&gt;sk_shutdown.<br /> <br /> KCSAN found a data race around sk-&gt;sk_shutdown where unix_release_sock()<br /> and unix_shutdown() update it under unix_state_lock(), OTOH unix_poll()<br /> and unix_dgram_poll() read it locklessly.<br /> <br /> We need to annotate the writes and reads with WRITE_ONCE() and READ_ONCE().<br /> <br /> BUG: KCSAN: data-race in unix_poll / unix_release_sock<br /> <br /> write to 0xffff88800d0f8aec of 1 bytes by task 264 on cpu 0:<br /> unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631<br /> unix_release+0x59/0x80 net/unix/af_unix.c:1042<br /> __sock_release+0x7d/0x170 net/socket.c:653<br /> sock_close+0x19/0x30 net/socket.c:1397<br /> __fput+0x179/0x5e0 fs/file_table.c:321<br /> ____fput+0x15/0x20 fs/file_table.c:349<br /> task_work_run+0x116/0x1a0 kernel/task_work.c:179<br /> resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]<br /> exit_to_user_mode_loop kernel/entry/common.c:171 [inline]<br /> exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204<br /> __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]<br /> syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297<br /> do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86<br /> entry_SYSCALL_64_after_hwframe+0x72/0xdc<br /> <br /> read to 0xffff88800d0f8aec of 1 bytes by task 222 on cpu 1:<br /> unix_poll+0xa3/0x2a0 net/unix/af_unix.c:3170<br /> sock_poll+0xcf/0x2b0 net/socket.c:1385<br /> vfs_poll include/linux/poll.h:88 [inline]<br /> ep_item_poll.isra.0+0x78/0xc0 fs/eventpoll.c:855<br /> ep_send_events fs/eventpoll.c:1694 [inline]<br /> ep_poll fs/eventpoll.c:1823 [inline]<br /> do_epoll_wait+0x6c4/0xea0 fs/eventpoll.c:2258<br /> __do_sys_epoll_wait fs/eventpoll.c:2270 [inline]<br /> __se_sys_epoll_wait fs/eventpoll.c:2265 [inline]<br /> __x64_sys_epoll_wait+0xcc/0x190 fs/eventpoll.c:2265<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x72/0xdc<br /> <br /> value changed: 0x00 -&gt; 0x03<br /> <br /> Reported by Kernel Concurrency Sanitizer on:<br /> CPU: 1 PID: 222 Comm: dbus-broker Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block: fix blktrace debugfs entries leakage<br /> <br /> Commit 99d055b4fd4b ("block: remove per-disk debugfs files in<br /> blk_unregister_queue") moves blk_trace_shutdown() from<br /> blk_release_queue() to blk_unregister_queue(), this is safe if blktrace<br /> is created through sysfs, however, there is a regression in corner<br /> case.<br /> <br /> blktrace can still be enabled after del_gendisk() through ioctl if<br /> the disk is opened before del_gendisk(), and if blktrace is not shutdown<br /> through ioctl before closing the disk, debugfs entries will be leaked.<br /> <br /> Fix this problem by shutdown blktrace in disk_release(), this is safe<br /> because blk_trace_remove() is reentrant.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()<br /> <br /> KASAN reports that there&amp;#39;s a use-after-free in<br /> hci_remove_adv_monitor(). Trawling through the disassembly, you can<br /> see that the complaint is from the access in bt_dev_dbg() under the<br /> HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because<br /> msft_remove_monitor() can end up freeing the monitor<br /> structure. Specifically:<br /> hci_remove_adv_monitor() -&gt;<br /> msft_remove_monitor() -&gt;<br /> msft_remove_monitor_sync() -&gt;<br /> msft_le_cancel_monitor_advertisement_cb() -&gt;<br /> hci_free_adv_monitor()<br /> <br /> Let&amp;#39;s fix the problem by just stashing the relevant data when it&amp;#39;s<br /> still valid.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing: Fix warning in trace_buffered_event_disable()<br /> <br /> Warning happened in trace_buffered_event_disable() at<br /> WARN_ON_ONCE(!trace_buffered_event_ref)<br /> <br /> Call Trace:<br /> ? __warn+0xa5/0x1b0<br /> ? trace_buffered_event_disable+0x189/0x1b0<br /> __ftrace_event_enable_disable+0x19e/0x3e0<br /> free_probe_data+0x3b/0xa0<br /> unregister_ftrace_function_probe_func+0x6b8/0x800<br /> event_enable_func+0x2f0/0x3d0<br /> ftrace_process_regex.isra.0+0x12d/0x1b0<br /> ftrace_filter_write+0xe6/0x140<br /> vfs_write+0x1c9/0x6f0<br /> [...]<br /> <br /> The cause of the warning is in __ftrace_event_enable_disable(),<br /> trace_buffered_event_enable() was called once while<br /> trace_buffered_event_disable() was called twice.<br /> Reproduction script show as below, for analysis, see the comments:<br /> ```<br /> #!/bin/bash<br /> <br /> cd /sys/kernel/tracing/<br /> <br /> # 1. Register a &amp;#39;disable_event&amp;#39; command, then:<br /> # 1) SOFT_DISABLED_BIT was set;<br /> # 2) trace_buffered_event_enable() was called first time;<br /> echo &amp;#39;cmdline_proc_show:disable_event:initcall:initcall_finish&amp;#39; &gt; \<br /> set_ftrace_filter<br /> <br /> # 2. Enable the event registered, then:<br /> # 1) SOFT_DISABLED_BIT was cleared;<br /> # 2) trace_buffered_event_disable() was called first time;<br /> echo 1 &gt; events/initcall/initcall_finish/enable<br /> <br /> # 3. Try to call into cmdline_proc_show(), then SOFT_DISABLED_BIT was<br /> # set again!!!<br /> cat /proc/cmdline<br /> <br /> # 4. Unregister the &amp;#39;disable_event&amp;#39; command, then:<br /> # 1) SOFT_DISABLED_BIT was cleared again;<br /> # 2) trace_buffered_event_disable() was called second time!!!<br /> echo &amp;#39;!cmdline_proc_show:disable_event:initcall:initcall_finish&amp;#39; &gt; \<br /> set_ftrace_filter<br /> ```<br /> <br /> To fix it, IIUC, we can change to call trace_buffered_event_enable() at<br /> fist time soft-mode enabled, and call trace_buffered_event_disable() at<br /> last time soft-mode disabled.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: sisusbvga: Add endpoint checks<br /> <br /> The syzbot fuzzer was able to provoke a WARNING from the sisusbvga driver:<br /> <br /> ------------[ cut here ]------------<br /> usb 1-1: BOGUS urb xfer, pipe 3 != type 1<br /> WARNING: CPU: 1 PID: 26 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504<br /> Modules linked in:<br /> CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.2.0-rc5-syzkaller-00199-g5af6ce704936 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023<br /> Workqueue: usb_hub_wq hub_event<br /> RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504<br /> Code: 7c 24 18 e8 6c 50 80 fb 48 8b 7c 24 18 e8 62 1a 01 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 60 b1 fa 8a e8 84 b0 be 03 0b e9 58 f8 ff ff e8 3e 50 80 fb 48 81 c5 c0 05 00 00 e9 84 f7<br /> RSP: 0018:ffffc90000a1ed18 EFLAGS: 00010282<br /> RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000<br /> RDX: ffff888012783a80 RSI: ffffffff816680ec RDI: fffff52000143d95<br /> RBP: ffff888079020000 R08: 0000000000000005 R09: 0000000000000000<br /> R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000003<br /> R13: ffff888017d33370 R14: 0000000000000003 R15: ffff888021213600<br /> FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00005592753a60b0 CR3: 0000000022899000 CR4: 00000000003506e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> sisusb_bulkout_msg drivers/usb/misc/sisusbvga/sisusbvga.c:224 [inline]<br /> sisusb_send_bulk_msg.constprop.0+0x904/0x1230 drivers/usb/misc/sisusbvga/sisusbvga.c:379<br /> sisusb_send_bridge_packet drivers/usb/misc/sisusbvga/sisusbvga.c:567 [inline]<br /> sisusb_do_init_gfxdevice drivers/usb/misc/sisusbvga/sisusbvga.c:2077 [inline]<br /> sisusb_init_gfxdevice+0x87b/0x4000 drivers/usb/misc/sisusbvga/sisusbvga.c:2177<br /> sisusb_probe+0x9cd/0xbe2 drivers/usb/misc/sisusbvga/sisusbvga.c:2869<br /> ...<br /> <br /> The problem was caused by the fact that the driver does not check<br /> whether the endpoints it uses are actually present and have the<br /> appropriate types. This can be fixed by adding a simple check of<br /> the endpoints.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: Fix potential user-after-free<br /> <br /> This fixes all instances of which requires to allocate a buffer calling<br /> alloc_skb which may release the chan lock and reacquire later which<br /> makes it possible that the chan is disconnected in the meantime.