Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/radeon: free iio for atombios when driver shutdown<br /> <br /> Fix below kmemleak when unload radeon driver:<br /> <br /> unreferenced object 0xffff9f8608ede200 (size 512):<br /> comm "systemd-udevd", pid 326, jiffies 4294682822 (age 716.338s)<br /> hex dump (first 32 bytes):<br /> 00 00 00 00 c4 aa ec aa 14 ab 00 00 00 00 00 00 ................<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] kmem_cache_alloc_trace+0x2f1/0x500<br /> [] atom_parse+0x117/0x230 [radeon]<br /> [] radeon_atombios_init+0xab/0x170 [radeon]<br /> [] si_init+0x57/0x750 [radeon]<br /> [] radeon_device_init+0x559/0x9c0 [radeon]<br /> [] radeon_driver_load_kms+0xc1/0x1a0 [radeon]<br /> [] drm_dev_register+0xdd/0x1d0<br /> [] radeon_pci_probe+0xbd/0x100 [radeon]<br /> [] pci_device_probe+0xe1/0x160<br /> [] really_probe.part.0+0xc1/0x2c0<br /> [] __driver_probe_device+0x96/0x130<br /> [] driver_probe_device+0x24/0xf0<br /> [] __driver_attach+0x77/0x190<br /> [] bus_for_each_dev+0x7f/0xd0<br /> [] driver_attach+0x1e/0x30<br /> [] bus_add_driver+0x12c/0x1e0<br /> <br /> iio was allocated in atom_index_iio() called by atom_parse(),<br /> but it doesn&amp;#39;t got released when the dirver is shutdown.<br /> Fix this kmemleak by free it in radeon_atombios_fini().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtw89: fix potential race condition between napi_init and napi_enable<br /> <br /> A race condition can happen if netdev is registered, but NAPI isn&amp;#39;t<br /> initialized yet, and meanwhile user space starts the netdev that will<br /> enable NAPI. Then, it hits BUG_ON():<br /> <br /> kernel BUG at net/core/dev.c:6423!<br /> invalid opcode: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 0 PID: 417 Comm: iwd Not tainted 6.2.7-slab-dirty #3 eb0f5a8a9d91<br /> Hardware name: LENOVO 21DL/LNVNB161216, BIOS JPCN20WW(V1.06) 09/20/2022<br /> RIP: 0010:napi_enable+0x3f/0x50<br /> Code: 48 89 c2 48 83 e2 f6 f6 81 89 08 00 00 02 74 0d 48 83 ...<br /> RSP: 0018:ffffada1414f3548 EFLAGS: 00010246<br /> RAX: 0000000000000000 RBX: ffffa01425802080 RCX: 0000000000000000<br /> RDX: 00000000000002ff RSI: ffffada14e50c614 RDI: ffffa01425808dc0<br /> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000001 R11: 0000000000000100 R12: ffffa01425808f58<br /> R13: 0000000000000000 R14: ffffa01423498940 R15: 0000000000000001<br /> FS: 00007f5577c0a740(0000) GS:ffffa0169fc00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f5577a19972 CR3: 0000000125a7a000 CR4: 0000000000750ef0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> rtw89_pci_ops_start+0x1c/0x70 [rtw89_pci 6cbc75429515c181cbc386478d5cfb32ffc5a0f8]<br /> rtw89_core_start+0xbe/0x160 [rtw89_core fe07ecb874820b6d778370d4acb6ef8a37847f22]<br /> rtw89_ops_start+0x26/0x40 [rtw89_core fe07ecb874820b6d778370d4acb6ef8a37847f22]<br /> drv_start+0x42/0x100 [mac80211 c07fa22af8c3cf3f7d7ab3884ca990784d72e2d2]<br /> ieee80211_do_open+0x311/0x7d0 [mac80211 c07fa22af8c3cf3f7d7ab3884ca990784d72e2d2]<br /> ieee80211_open+0x6a/0x90 [mac80211 c07fa22af8c3cf3f7d7ab3884ca990784d72e2d2]<br /> __dev_open+0xe0/0x180<br /> __dev_change_flags+0x1da/0x250<br /> dev_change_flags+0x26/0x70<br /> do_setlink+0x37c/0x12c0<br /> ? ep_poll_callback+0x246/0x290<br /> ? __nla_validate_parse+0x61/0xd00<br /> ? __wake_up_common_lock+0x8f/0xd0<br /> <br /> To fix this, follow Jonas&amp;#39; suggestion to switch the order of these<br /> functions and move register netdev to be the last step of PCI probe.<br /> Also, correct the error handling of rtw89_core_register_hw().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: qla2xxx: Fix potential NULL pointer dereference<br /> <br /> Klocwork tool reported &amp;#39;cur_dsd&amp;#39; may be dereferenced. Add fix to validate<br /> pointer before dereferencing the pointer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> s390/dasd: Fix potential memleak in dasd_eckd_init()<br /> <br /> `dasd_reserve_req` is allocated before `dasd_vol_info_req`, and it<br /> also needs to be freed before the error returns, just like the other<br /> cases in this function.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fbdev: imxfb: Removed unneeded release_mem_region<br /> <br /> Remove unnecessary release_mem_region from the error path to prevent<br /> mem region from being released twice, which could avoid resource leak<br /> or other unexpected issues.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: remove a BUG_ON in ext4_mb_release_group_pa()<br /> <br /> If a malicious fuzzer overwrites the ext4 superblock while it is<br /> mounted such that the s_first_data_block is set to a very large<br /> number, the calculation of the block group can underflow, and trigger<br /> a BUG_ON check. Change this to be an ext4_warning so that we don&amp;#39;t<br /> crash the kernel.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix leaking uninitialized memory in fast-commit journal<br /> <br /> When space at the end of fast-commit journal blocks is unused, make sure<br /> to zero it out so that uninitialized memory is not leaked to disk.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/binfmt_elf: Fix memory leak in load_elf_binary()<br /> <br /> There is a memory leak reported by kmemleak:<br /> <br /> unreferenced object 0xffff88817104ef80 (size 224):<br /> comm "xfs_admin", pid 47165, jiffies 4298708825 (age 1333.476s)<br /> hex dump (first 32 bytes):<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> 60 a8 b3 00 81 88 ff ff a8 10 5a 00 81 88 ff ff `.........Z.....<br /> backtrace:<br /> [] __alloc_file+0x21/0x250<br /> [] alloc_empty_file+0x41/0xf0<br /> [] path_openat+0xea/0x3d30<br /> [] do_filp_open+0x1b9/0x290<br /> [] do_open_execat+0xce/0x5b0<br /> [] open_exec+0x27/0x50<br /> [] load_elf_binary+0x510/0x3ed0<br /> [] bprm_execve+0x599/0x1240<br /> [] do_execveat_common.isra.0+0x4c7/0x680<br /> [] __x64_sys_execve+0x88/0xb0<br /> [] do_syscall_64+0x35/0x80<br /> <br /> If "interp_elf_ex" fails to allocate memory in load_elf_binary(),<br /> the program will take the "out_free_ph" error handing path,<br /> resulting in "interpreter" file resource is not released.<br /> <br /> Fix it by adding an error handing path "out_free_file", which will<br /> release the file resource when "interp_elf_ex" failed to allocate<br /> memory.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: lpfc: Fix null ndlp ptr dereference in abnormal exit path for GFT_ID<br /> <br /> An error case exit from lpfc_cmpl_ct_cmd_gft_id() results in a call to<br /> lpfc_nlp_put() with a null pointer to a nodelist structure.<br /> <br /> Changed lpfc_cmpl_ct_cmd_gft_id() to initialize nodelist pointer upon<br /> entry.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> platform/chrome: cros_usbpd_notify: Fix error handling in cros_usbpd_notify_init()<br /> <br /> The following WARNING message was given when rmmod cros_usbpd_notify:<br /> <br /> Unexpected driver unregister!<br /> WARNING: CPU: 0 PID: 253 at drivers/base/driver.c:270 driver_unregister+0x8a/0xb0<br /> Modules linked in: cros_usbpd_notify(-)<br /> CPU: 0 PID: 253 Comm: rmmod Not tainted 6.1.0-rc3 #24<br /> ...<br /> Call Trace:<br /> <br /> cros_usbpd_notify_exit+0x11/0x1e [cros_usbpd_notify]<br /> __x64_sys_delete_module+0x3c7/0x570<br /> ? __ia32_sys_delete_module+0x570/0x570<br /> ? lock_is_held_type+0xe3/0x140<br /> ? syscall_enter_from_user_mode+0x17/0x50<br /> ? rcu_read_lock_sched_held+0xa0/0xd0<br /> ? syscall_enter_from_user_mode+0x1c/0x50<br /> do_syscall_64+0x37/0x90<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> RIP: 0033:0x7f333fe9b1b7<br /> <br /> The reason is that the cros_usbpd_notify_init() does not check the return<br /> value of platform_driver_register(), and the cros_usbpd_notify can<br /> install successfully even if platform_driver_register() failed.<br /> <br /> Fix by checking the return value of platform_driver_register() and<br /> unregister cros_usbpd_notify_plat_driver when it failed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw()<br /> <br /> In rtw_init_drv_sw(), there are various init functions are called to<br /> populate the padapter structure and some checks for their return value.<br /> However, except for the first one error path, the other five error paths<br /> do not properly release the previous allocated resources, which leads to<br /> various memory leaks.<br /> <br /> This patch fixes them and keeps the success and error separate.<br /> Note that these changes keep the form of `rtw_init_drv_sw()` in<br /> "drivers/staging/r8188eu/os_dep/os_intfs.c". As there is no proper device<br /> to test with, no runtime testing was performed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: Fix xid leak in cifs_flock()<br /> <br /> If not flock, before return -ENOLCK, should free the xid,<br /> otherwise, the xid will be leaked.