Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> kernfs: fix use-after-free in __kernfs_remove<br /> <br /> Syzkaller managed to trigger concurrent calls to<br /> kernfs_remove_by_name_ns() for the same file resulting in<br /> a KASAN detected use-after-free. The race occurs when the root<br /> node is freed during kernfs_drain().<br /> <br /> To prevent this acquire an additional reference for the root<br /> of the tree that is removed before calling __kernfs_remove().<br /> <br /> Found by syzkaller with the following reproducer (slab_nomerge is<br /> required):<br /> <br /> syz_mount_image$ext4(0x0, &amp;(0x7f0000000100)=&amp;#39;./file0\x00&amp;#39;, 0x100000, 0x0, 0x0, 0x0, 0x0)<br /> r0 = openat(0xffffffffffffff9c, &amp;(0x7f0000000080)=&amp;#39;/proc/self/exe\x00&amp;#39;, 0x0, 0x0)<br /> close(r0)<br /> pipe2(&amp;(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}, 0x800)<br /> mount$9p_fd(0x0, &amp;(0x7f0000000040)=&amp;#39;./file0\x00&amp;#39;, &amp;(0x7f00000000c0), 0x408, &amp;(0x7f0000000280)={&amp;#39;trans=fd,&amp;#39;, {&amp;#39;rfdno&amp;#39;, 0x3d, r0}, 0x2c, {&amp;#39;wfdno&amp;#39;, 0x3d, r1}, 0x2c, {[{@cache_loose}, {@mmap}, {@loose}, {@loose}, {@mmap}], [{@mask={&amp;#39;mask&amp;#39;, 0x3d, &amp;#39;^MAY_EXEC&amp;#39;}}, {@fsmagic={&amp;#39;fsmagic&amp;#39;, 0x3d, 0x10001}}, {@dont_hash}]}})<br /> <br /> Sample report:<br /> <br /> ==================================================================<br /> BUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:335 [inline]<br /> BUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]<br /> BUG: KASAN: use-after-free in __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369<br /> Read of size 2 at addr ffff8880088807f0 by task syz-executor.2/857<br /> <br /> CPU: 0 PID: 857 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b #5<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x6e/0x91 lib/dump_stack.c:106<br /> print_address_description mm/kasan/report.c:317 [inline]<br /> print_report.cold+0x5e/0x5e5 mm/kasan/report.c:433<br /> kasan_report+0xa3/0x130 mm/kasan/report.c:495<br /> kernfs_type include/linux/kernfs.h:335 [inline]<br /> kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]<br /> __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369<br /> __kernfs_remove fs/kernfs/dir.c:1356 [inline]<br /> kernfs_remove_by_name_ns+0x108/0x190 fs/kernfs/dir.c:1589<br /> sysfs_slab_add+0x133/0x1e0 mm/slub.c:5943<br /> __kmem_cache_create+0x3e0/0x550 mm/slub.c:4899<br /> create_cache mm/slab_common.c:229 [inline]<br /> kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335<br /> p9_client_create+0xd4d/0x1190 net/9p/client.c:993<br /> v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408<br /> v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126<br /> legacy_get_tree+0xf1/0x200 fs/fs_context.c:610<br /> vfs_get_tree+0x85/0x2e0 fs/super.c:1530<br /> do_new_mount fs/namespace.c:3040 [inline]<br /> path_mount+0x675/0x1d00 fs/namespace.c:3370<br /> do_mount fs/namespace.c:3383 [inline]<br /> __do_sys_mount fs/namespace.c:3591 [inline]<br /> __se_sys_mount fs/namespace.c:3568 [inline]<br /> __x64_sys_mount+0x282/0x300 fs/namespace.c:3568<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> RIP: 0033:0x7f725f983aed<br /> Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007f725f0f7028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5<br /> RAX: ffffffffffffffda RBX: 00007f725faa3f80 RCX: 00007f725f983aed<br /> RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000000<br /> RBP: 00007f725f9f419c R08: 0000000020000280 R09: 0000000000000000<br /> R10: 0000000000000408 R11: 0000000000000246 R12: 0000000000000000<br /> R13: 0000000000000006 R14: 00007f725faa3f80 R15: 00007f725f0d7000<br /> <br /> <br /> Allocated by task 855:<br /> kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38<br /> kasan_set_track mm/kasan/common.c:45 [inline]<br /> set_alloc_info mm/kasan/common.c:437 [inline]<br /> __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:470<br /> kasan_slab_alloc include/linux/kasan.h:224 [inline]<br /> slab_post_alloc_hook mm/slab.h:7<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev()<br /> <br /> dev_set_name() in soundbus_add_one() allocates memory for name, it need be<br /> freed when of_device_register() fails, call soundbus_dev_put() to give up<br /> the reference that hold in device_initialize(), so that it can be freed in<br /> kobject_cleanup() when the refcount hit to 0. And other resources are also<br /> freed in i2sbus_release_dev(), so it can return 0 directly.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix off-by-one errors in fast-commit block filling<br /> <br /> Due to several different off-by-one errors, or perhaps due to a late<br /> change in design that wasn&amp;#39;t fully reflected in the code that was<br /> actually merged, there are several very strange constraints on how<br /> fast-commit blocks are filled with tlv entries:<br /> <br /> - tlvs must start at least 10 bytes before the end of the block, even<br /> though the minimum tlv length is 8. Otherwise, the replay code will<br /> ignore them. (BUG: ext4_fc_reserve_space() could violate this<br /> requirement if called with a len of blocksize - 9 or blocksize - 8.<br /> Fortunately, this doesn&amp;#39;t seem to happen currently.)<br /> <br /> - tlvs must end at least 1 byte before the end of the block. Otherwise<br /> the replay code will consider them to be invalid. This quirk<br /> contributed to a bug (fixed by an earlier commit) where uninitialized<br /> memory was being leaked to disk in the last byte of blocks.<br /> <br /> Also, strangely these constraints don&amp;#39;t apply to the replay code in<br /> e2fsprogs, which will accept any tlvs in the blocks (with no bounds<br /> checks at all, but that is a separate issue...).<br /> <br /> Given that this all seems to be a bug, let&amp;#39;s fix it by just filling<br /> blocks with tlv entries in the natural way.<br /> <br /> Note that old kernels will be unable to replay fast-commit journals<br /> created by kernels that have this commit.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: ac97: fix possible memory leak in snd_ac97_dev_register()<br /> <br /> If device_register() fails in snd_ac97_dev_register(), it should<br /> call put_device() to give up reference, or the name allocated in<br /> dev_set_name() is leaked.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> remoteproc: imx_dsp_rproc: Add mutex protection for workqueue<br /> <br /> The workqueue may execute late even after remoteproc is stopped or<br /> stopping, some resources (rpmsg device and endpoint) have been<br /> released in rproc_stop_subdevices(), then rproc_vq_interrupt()<br /> accessing these resources will cause kennel dump.<br /> <br /> Call trace:<br /> virtqueue_add_split+0x1ac/0x560<br /> virtqueue_add_inbuf+0x4c/0x60<br /> rpmsg_recv_done+0x15c/0x294<br /> vring_interrupt+0x6c/0xa4<br /> rproc_vq_interrupt+0x30/0x50<br /> imx_dsp_rproc_vq_work+0x24/0x40 [imx_dsp_rproc]<br /> process_one_work+0x1d0/0x354<br /> worker_thread+0x13c/0x470<br /> kthread+0x154/0x160<br /> ret_from_fork+0x10/0x20<br /> <br /> Add mutex protection in imx_dsp_rproc_vq_work(), if the state is<br /> not running, then just skip calling rproc_vq_interrupt().<br /> <br /> Also the flush workqueue operation can&amp;#39;t be added in rproc stop<br /> for the same reason. The call sequence is<br /> <br /> rproc_shutdown<br /> -&gt; rproc_stop<br /> -&gt;rproc_stop_subdevices<br /> -&gt;rproc-&gt;ops-&gt;stop()<br /> -&gt;imx_dsp_rproc_stop<br /> -&gt;flush_work<br /> -&gt; rproc_vq_interrupt<br /> <br /> The resource needed by rproc_vq_interrupt has been released in<br /> rproc_stop_subdevices, so flush_work is not safe to be called in<br /> imx_dsp_rproc_stop.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING<br /> <br /> vub300_enable_sdio_irq() works with mutex and need TASK_RUNNING here.<br /> Ensure that we mark current as TASK_RUNNING for sleepable context.<br /> <br /> [ 77.554641] do not call blocking ops when !TASK_RUNNING; state=1 set at [] sdio_irq_thread+0x17d/0x5b0<br /> [ 77.554652] WARNING: CPU: 2 PID: 1983 at kernel/sched/core.c:9813 __might_sleep+0x116/0x160<br /> [ 77.554905] CPU: 2 PID: 1983 Comm: ksdioirqd/mmc1 Tainted: G OE 6.1.0-rc5 #1<br /> [ 77.554910] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, BIOS BECFL357.86A.0081.2020.0504.1834 05/04/2020<br /> [ 77.554912] RIP: 0010:__might_sleep+0x116/0x160<br /> [ 77.554920] RSP: 0018:ffff888107b7fdb8 EFLAGS: 00010282<br /> [ 77.554923] RAX: 0000000000000000 RBX: ffff888118c1b740 RCX: 0000000000000000<br /> [ 77.554926] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffed1020f6ffa9<br /> [ 77.554928] RBP: ffff888107b7fde0 R08: 0000000000000001 R09: ffffed1043ea60ba<br /> [ 77.554930] R10: ffff88821f5305cb R11: ffffed1043ea60b9 R12: ffffffff93aa3a60<br /> [ 77.554932] R13: 000000000000011b R14: 7fffffffffffffff R15: ffffffffc0558660<br /> [ 77.554934] FS: 0000000000000000(0000) GS:ffff88821f500000(0000) knlGS:0000000000000000<br /> [ 77.554937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 77.554939] CR2: 00007f8a44010d68 CR3: 000000024421a003 CR4: 00000000003706e0<br /> [ 77.554942] Call Trace:<br /> [ 77.554944] <br /> [ 77.554952] mutex_lock+0x78/0xf0<br /> [ 77.554973] vub300_enable_sdio_irq+0x103/0x3c0 [vub300]<br /> [ 77.554981] sdio_irq_thread+0x25c/0x5b0<br /> [ 77.555006] kthread+0x2b8/0x370<br /> [ 77.555017] ret_from_fork+0x1f/0x30<br /> [ 77.555023] <br /> [ 77.555025] ---[ end trace 0000000000000000 ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> memory: of: Fix refcount leak bug in of_lpddr3_get_ddr_timings()<br /> <br /> We should add the of_node_put() when breaking out of<br /> for_each_child_of_node() as it will automatically increase<br /> and decrease the refcount.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: hisilicon/hpre - fix resource leak in remove process<br /> <br /> In hpre_remove(), when the disable operation of qm sriov failed,<br /> the following logic should continue to be executed to release the<br /> remaining resources that have been allocated, instead of returning<br /> directly, otherwise there will be resource leakage.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rpmsg: char: Avoid double destroy of default endpoint<br /> <br /> The rpmsg_dev_remove() in rpmsg_core is the place for releasing<br /> this default endpoint.<br /> <br /> So need to avoid destroying the default endpoint in<br /> rpmsg_chrdev_eptdev_destroy(), this should be the same as<br /> rpmsg_eptdev_release(). Otherwise there will be double destroy<br /> issue that ept-&gt;refcount report warning:<br /> <br /> refcount_t: underflow; use-after-free.<br /> <br /> Call trace:<br /> refcount_warn_saturate+0xf8/0x150<br /> virtio_rpmsg_destroy_ept+0xd4/0xec<br /> rpmsg_dev_remove+0x60/0x70<br /> <br /> The issue can be reproduced by stopping remoteproc before<br /> closing the /dev/rpmsgX.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()<br /> <br /> When executing SMP task failed, the smp_execute_task_sg() calls del_timer()<br /> to delete "slow_task-&gt;timer". However, if the timer handler<br /> sas_task_internal_timedout() is running, the del_timer() in<br /> smp_execute_task_sg() will not stop it and a UAF will happen. The process<br /> is shown below:<br /> <br /> (thread 1) | (thread 2)<br /> smp_execute_task_sg() | sas_task_internal_timedout()<br /> ... |<br /> del_timer() |<br /> ... | ...<br /> sas_free_task(task) |<br /> kfree(task-&gt;slow_task) //FREE|<br /> | task-&gt;slow_task-&gt;... //USE<br /> <br /> Fix by calling del_timer_sync() in smp_execute_task_sg(), which makes sure<br /> the timer handler have finished before the "task-&gt;slow_task" is<br /> deallocated.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()<br /> <br /> There is an use-after-free reported by KASAN:<br /> <br /> BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82<br /> Read of size 1 at addr ffff888112afc460 by task modprobe/2111<br /> CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),<br /> Call Trace:<br /> <br /> kasan_report+0xae/0xe0<br /> acpi_ut_remove_reference+0x3b/0x82<br /> acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5<br /> acpi_ds_store_object_to_local+0x15d/0x3a0<br /> acpi_ex_store+0x78d/0x7fd<br /> acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b<br /> acpi_ps_parse_aml+0x217/0x8d5<br /> ...<br /> <br /> <br /> The root cause of the problem is that the acpi_operand_object<br /> is freed when acpi_ut_walk_package_tree() fails in<br /> acpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in<br /> acpi_ut_copy_iobject_to_iobject(). The problem was introduced<br /> by "8aa5e56eeb61" commit, this commit is to fix memory leak in<br /> acpi_ut_copy_iobject_to_iobject(), repeatedly adding remove<br /> operation, lead to "acpi_operand_object" used after free.<br /> <br /> Fix it by removing acpi_ut_remove_reference() in<br /> acpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage()<br /> is called to copy an internal package object into another internal<br /> package object, when it fails, the memory of acpi_operand_object<br /> should be freed by the caller.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability()<br /> <br /> Fixed coverity issue with resource leaks at variable "fw" going out of<br /> scope leaks the storage it points to mt7921_check_offload_capability().<br /> <br /> Addresses-Coverity-ID: 1527806 ("Resource leaks")