Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()<br /> <br /> syzbot is hitting WARN_ON() in hfsplus_cat_{read,write}_inode(), for<br /> crafted filesystem image can contain bogus length. There conditions are<br /> not kernel bugs that can justify kernel to panic.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hwmon: (xgene) Fix ioremap and memremap leak<br /> <br /> Smatch reports:<br /> <br /> drivers/hwmon/xgene-hwmon.c:757 xgene_hwmon_probe() warn:<br /> &amp;#39;ctx-&gt;pcc_comm_addr&amp;#39; from ioremap() not released on line: 757.<br /> <br /> This is because in drivers/hwmon/xgene-hwmon.c:701 xgene_hwmon_probe(),<br /> ioremap and memremap is not released, which may cause a leak.<br /> <br /> To fix this, ioremap and memremap is modified to devm_ioremap and<br /> devm_memremap.<br /> <br /> [groeck: Fixed formatting and subject]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent<br /> <br /> In some specific situations, the return value of __bch_btree_node_alloc<br /> may be NULL. This may lead to a potential NULL pointer dereference in<br /> caller function like a calling chain :<br /> btree_split-&gt;bch_btree_node_alloc-&gt;__bch_btree_node_alloc.<br /> <br /> Fix it by initializing the return value in __bch_btree_node_alloc.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFSD: Avoid calling OPDESC() with ops-&gt;opnum == OP_ILLEGAL<br /> <br /> OPDESC() simply indexes into nfsd4_ops[] by the op&amp;#39;s operation<br /> number, without range checking that value. It assumes callers are<br /> careful to avoid calling it with an out-of-bounds opnum value.<br /> <br /> nfsd4_decode_compound() is not so careful, and can invoke OPDESC()<br /> with opnum set to OP_ILLEGAL, which is 10044 -- well beyond the end<br /> of nfsd4_ops[].

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mt7601u: fix an integer underflow<br /> <br /> Fix an integer underflow that leads to a null pointer dereference in<br /> &amp;#39;mt7601u_rx_skb_from_seg()&amp;#39;. The variable &amp;#39;dma_len&amp;#39; in the URB packet<br /> could be manipulated, which could trigger an integer underflow of<br /> &amp;#39;seg_len&amp;#39; in &amp;#39;mt7601u_rx_process_seg()&amp;#39;. This underflow subsequently<br /> causes the &amp;#39;bad_frame&amp;#39; checks in &amp;#39;mt7601u_rx_skb_from_seg()&amp;#39; to be<br /> bypassed, eventually leading to a dereference of the pointer &amp;#39;p&amp;#39;, which<br /> is a null pointer.<br /> <br /> Ensure that &amp;#39;dma_len&amp;#39; is greater than &amp;#39;min_seg_len&amp;#39;.<br /> <br /> Found by a modified version of syzkaller.<br /> <br /> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]<br /> CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G W O 5.14.0+<br /> #139<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS<br /> rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:skb_add_rx_frag+0x143/0x370<br /> Code: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44<br /> 89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 3c 02<br /> 00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00<br /> RSP: 0018:ffffc900000cfc90 EFLAGS: 00010202<br /> RAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000<br /> RDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8<br /> RBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010<br /> R10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000<br /> R13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008<br /> FS: 0000000000000000(0000) GS:ffff88811a800000(0000)<br /> knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> mt7601u_rx_tasklet+0xc73/0x1270<br /> ? mt7601u_submit_rx_buf.isra.0+0x510/0x510<br /> ? tasklet_action_common.isra.0+0x79/0x2f0<br /> tasklet_action_common.isra.0+0x206/0x2f0<br /> __do_softirq+0x1b5/0x880<br /> ? tasklet_unlock+0x30/0x30<br /> run_ksoftirqd+0x26/0x50<br /> smpboot_thread_fn+0x34f/0x7d0<br /> ? smpboot_register_percpu_thread+0x370/0x370<br /> kthread+0x3a1/0x480<br /> ? set_kthread_struct+0x120/0x120<br /> ret_from_fork+0x1f/0x30<br /> Modules linked in: 88XXau(O) 88x2bu(O)<br /> ---[ end trace 57f34f93b4da0f9b ]---<br /> RIP: 0010:skb_add_rx_frag+0x143/0x370<br /> Code: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44<br /> 89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 3c 02<br /> 00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00<br /> RSP: 0018:ffffc900000cfc90 EFLAGS: 00010202<br /> RAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000<br /> RDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8<br /> RBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010<br /> R10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000<br /> R13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008<br /> FS: 0000000000000000(0000) GS:ffff88811a800000(0000)<br /> knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915: Fix system suspend without fbdev being initialized<br /> <br /> If fbdev is not initialized for some reason - in practice on platforms<br /> without display - suspending fbdev should be skipped during system<br /> suspend, fix this up. While at it add an assert that suspending fbdev<br /> only happens with the display present.<br /> <br /> This fixes the following:<br /> <br /> [ 91.227923] PM: suspend entry (s2idle)<br /> [ 91.254598] Filesystems sync: 0.025 seconds<br /> [ 91.270518] Freezing user space processes<br /> [ 91.272266] Freezing user space processes completed (elapsed 0.001 seconds)<br /> [ 91.272686] OOM killer disabled.<br /> [ 91.272872] Freezing remaining freezable tasks<br /> [ 91.274295] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)<br /> [ 91.659622] BUG: kernel NULL pointer dereference, address: 00000000000001c8<br /> [ 91.659981] #PF: supervisor write access in kernel mode<br /> [ 91.660252] #PF: error_code(0x0002) - not-present page<br /> [ 91.660511] PGD 0 P4D 0<br /> [ 91.660647] Oops: 0002 [#1] PREEMPT SMP NOPTI<br /> [ 91.660875] CPU: 4 PID: 917 Comm: bash Not tainted 6.2.0-rc7+ #54<br /> [ 91.661185] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20221117gitfff6d81270b5-9.fc37 unknown<br /> [ 91.661680] RIP: 0010:mutex_lock+0x19/0x30<br /> [ 91.661914] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 53 48 89 fb e8 62 d3 ff ff 31 c0 65 48 8b 14 25 00 15 03 00 48 0f b1 13 75 06 5b c3 cc cc cc cc 48 89 df 5b eb b4 0f 1f 40<br /> [ 91.662840] RSP: 0018:ffffa1e8011ffc08 EFLAGS: 00010246<br /> [ 91.663087] RAX: 0000000000000000 RBX: 00000000000001c8 RCX: 0000000000000000<br /> [ 91.663440] RDX: ffff8be455eb0000 RSI: 0000000000000001 RDI: 00000000000001c8<br /> [ 91.663802] RBP: ffff8be459440000 R08: ffff8be459441f08 R09: ffffffff8e1432c0<br /> [ 91.664167] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001<br /> [ 91.664532] R13: 00000000000001c8 R14: 0000000000000000 R15: ffff8be442f4fb20<br /> [ 91.664905] FS: 00007f28ffc16740(0000) GS:ffff8be4bb900000(0000) knlGS:0000000000000000<br /> [ 91.665334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 91.665626] CR2: 00000000000001c8 CR3: 0000000114926006 CR4: 0000000000770ee0<br /> [ 91.665988] PKRU: 55555554<br /> [ 91.666131] Call Trace:<br /> [ 91.666265] <br /> [ 91.666381] intel_fbdev_set_suspend+0x97/0x1b0 [i915]<br /> [ 91.666738] i915_drm_suspend+0xb9/0x100 [i915]<br /> [ 91.667029] pci_pm_suspend+0x78/0x170<br /> [ 91.667234] ? __pfx_pci_pm_suspend+0x10/0x10<br /> [ 91.667461] dpm_run_callback+0x47/0x150<br /> [ 91.667673] __device_suspend+0x10a/0x4e0<br /> [ 91.667880] dpm_suspend+0x134/0x270<br /> [ 91.668069] dpm_suspend_start+0x79/0x80<br /> [ 91.668272] suspend_devices_and_enter+0x11b/0x890<br /> [ 91.668526] pm_suspend.cold+0x270/0x2fc<br /> [ 91.668737] state_store+0x46/0x90<br /> [ 91.668916] kernfs_fop_write_iter+0x11b/0x200<br /> [ 91.669153] vfs_write+0x1e1/0x3a0<br /> [ 91.669336] ksys_write+0x53/0xd0<br /> [ 91.669510] do_syscall_64+0x58/0xc0<br /> [ 91.669699] ? syscall_exit_to_user_mode_prepare+0x18e/0x1c0<br /> [ 91.669980] ? syscall_exit_to_user_mode_prepare+0x18e/0x1c0<br /> [ 91.670278] ? syscall_exit_to_user_mode+0x17/0x40<br /> [ 91.670524] ? do_syscall_64+0x67/0xc0<br /> [ 91.670717] ? __irq_exit_rcu+0x3d/0x140<br /> [ 91.670931] entry_SYSCALL_64_after_hwframe+0x72/0xdc<br /> [ 91.671202] RIP: 0033:0x7f28ffd14284<br /> <br /> v2: CC stable. (Jani)<br /> <br /> References: https://gitlab.freedesktop.org/drm/intel/-/issues/8015<br /> (cherry picked from commit 9542d708409a41449e99c9a464deb5e062c4bee2)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915: Fix memory leaks in i915 selftests<br /> <br /> This patch fixes memory leaks on error escapes in function fake_get_pages<br /> <br /> (cherry picked from commit 8bfbdadce85c4c51689da10f39c805a7106d4567)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()<br /> <br /> The function lio_target_nacl_info_show() uses sprintf() in a loop to print<br /> details for every iSCSI connection in a session without checking for the<br /> buffer length. With enough iSCSI connections it&amp;#39;s possible to overflow the<br /> buffer provided by configfs and corrupt the memory.<br /> <br /> This patch replaces sprintf() with sysfs_emit_at() that checks for buffer<br /> boundries.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ses: Fix possible desc_ptr out-of-bounds accesses<br /> <br /> Sanitize possible desc_ptr out-of-bounds accesses in<br /> ses_enclosure_data_process().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: Fix memory leak in devm_clk_notifier_register()<br /> <br /> devm_clk_notifier_register() allocates a devres resource for clk<br /> notifier but didn&amp;#39;t register that to the device, so the notifier didn&amp;#39;t<br /> get unregistered on device detach and the allocated resource was leaked.<br /> <br /> Fix the issue by registering the resource through devres_add().<br /> <br /> This issue was found with kmemleak on a Chromebook.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: output extra debug info if we failed to find an inline backref<br /> <br /> [BUG]<br /> Syzbot reported several warning triggered inside<br /> lookup_inline_extent_backref().<br /> <br /> [CAUSE]<br /> As usual, the reproducer doesn&amp;#39;t reliably trigger locally here, but at<br /> least we know the WARN_ON() is triggered when an inline backref can not<br /> be found, and it can only be triggered when @insert is true. (I.e.<br /> inserting a new inline backref, which means the backref should already<br /> exist)<br /> <br /> [ENHANCEMENT]<br /> After the WARN_ON(), dump all the parameters and the extent tree<br /> leaf to help debug.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> srcu: Delegate work to the boot cpu if using SRCU_SIZE_SMALL<br /> <br /> Commit 994f706872e6 ("srcu: Make Tree SRCU able to operate without<br /> snp_node array") assumes that cpu 0 is always online. However, there<br /> really are situations when some other CPU is the boot CPU, for example,<br /> when booting a kdump kernel with the maxcpus=1 boot parameter.<br /> <br /> On PowerPC, the kdump kernel can hang as follows:<br /> ...<br /> [ 1.740036] systemd[1]: Hostname set to <br /> [ 243.686240] INFO: task systemd:1 blocked for more than 122 seconds.<br /> [ 243.686264] Not tainted 6.1.0-rc1 #1<br /> [ 243.686272] "echo 0 &gt; /proc/sys/kernel/hung_task_timeout_secs" disables this message.<br /> [ 243.686281] task:systemd state:D stack:0 pid:1 ppid:0 flags:0x00042000<br /> [ 243.686296] Call Trace:<br /> [ 243.686301] [c000000016657640] [c000000016657670] 0xc000000016657670 (unreliable)<br /> [ 243.686317] [c000000016657830] [c00000001001dec0] __switch_to+0x130/0x220<br /> [ 243.686333] [c000000016657890] [c000000010f607b8] __schedule+0x1f8/0x580<br /> [ 243.686347] [c000000016657940] [c000000010f60bb4] schedule+0x74/0x140<br /> [ 243.686361] [c0000000166579b0] [c000000010f699b8] schedule_timeout+0x168/0x1c0<br /> [ 243.686374] [c000000016657a80] [c000000010f61de8] __wait_for_common+0x148/0x360<br /> [ 243.686387] [c000000016657b20] [c000000010176bb0] __flush_work.isra.0+0x1c0/0x3d0<br /> [ 243.686401] [c000000016657bb0] [c0000000105f2768] fsnotify_wait_marks_destroyed+0x28/0x40<br /> [ 243.686415] [c000000016657bd0] [c0000000105f21b8] fsnotify_destroy_group+0x68/0x160<br /> [ 243.686428] [c000000016657c40] [c0000000105f6500] inotify_release+0x30/0xa0<br /> [ 243.686440] [c000000016657cb0] [c0000000105751a8] __fput+0xc8/0x350<br /> [ 243.686452] [c000000016657d00] [c00000001017d524] task_work_run+0xe4/0x170<br /> [ 243.686464] [c000000016657d50] [c000000010020e94] do_notify_resume+0x134/0x140<br /> [ 243.686478] [c000000016657d80] [c00000001002eb18] interrupt_exit_user_prepare_main+0x198/0x270<br /> [ 243.686493] [c000000016657de0] [c00000001002ec60] syscall_exit_prepare+0x70/0x180<br /> [ 243.686505] [c000000016657e10] [c00000001000bf7c] system_call_vectored_common+0xfc/0x280<br /> [ 243.686520] --- interrupt: 3000 at 0x7fffa47d5ba4<br /> [ 243.686528] NIP: 00007fffa47d5ba4 LR: 0000000000000000 CTR: 0000000000000000<br /> [ 243.686538] REGS: c000000016657e80 TRAP: 3000 Not tainted (6.1.0-rc1)<br /> [ 243.686548] MSR: 800000000000d033 CR: 42044440 XER: 00000000<br /> [ 243.686572] IRQMASK: 0<br /> [ 243.686572] GPR00: 0000000000000006 00007ffffa606710 00007fffa48e7200 0000000000000000<br /> [ 243.686572] GPR04: 0000000000000002 000000000000000a 0000000000000000 0000000000000001<br /> [ 243.686572] GPR08: 000001000c172dd0 0000000000000000 0000000000000000 0000000000000000<br /> [ 243.686572] GPR12: 0000000000000000 00007fffa4ff4bc0 0000000000000000 0000000000000000<br /> [ 243.686572] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000<br /> [ 243.686572] GPR20: 0000000132dfdc50 000000000000000e 0000000000189375 0000000000000000<br /> [ 243.686572] GPR24: 00007ffffa606ae0 0000000000000005 000001000c185490 000001000c172570<br /> [ 243.686572] GPR28: 000001000c172990 000001000c184850 000001000c172e00 00007fffa4fedd98<br /> [ 243.686683] NIP [00007fffa47d5ba4] 0x7fffa47d5ba4<br /> [ 243.686691] LR [0000000000000000] 0x0<br /> [ 243.686698] --- interrupt: 3000<br /> [ 243.686708] INFO: task kworker/u16:1:24 blocked for more than 122 seconds.<br /> [ 243.686717] Not tainted 6.1.0-rc1 #1<br /> [ 243.686724] "echo 0 &gt; /proc/sys/kernel/hung_task_timeout_secs" disables this message.<br /> [ 243.686733] task:kworker/u16:1 state:D stack:0 pid:24 ppid:2 flags:0x00000800<br /> [ 243.686747] Workqueue: events_unbound fsnotify_mark_destroy_workfn<br /> [ 243.686758] Call Trace:<br /> [ 243.686762] [c0000000166736e0] [c00000004fd91000] 0xc00000004fd91000 (unreliable)<br /> [ 243.686775] [c0000000166738d0] [c00000001001dec0] __switch_to+0x130/0x220<br /> [ 243.686788] [c000000016673930] [c000000010f607b8] __schedule+0x1f8/0x<br /> ---truncated---