Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: ov8865: Fix an error handling path in ov8865_probe()<br /> <br /> The commit in Fixes also introduced some new error handling which should<br /> goto the existing error handling path.<br /> Otherwise some resources leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing: Fix reading strings from synthetic events<br /> <br /> The follow commands caused a crash:<br /> <br /> # cd /sys/kernel/tracing<br /> # echo &amp;#39;s:open char file[]&amp;#39; &gt; dynamic_events<br /> # echo &amp;#39;hist:keys=common_pid:file=filename:onchange($file).trace(open,$file)&amp;#39; &gt; events/syscalls/sys_enter_openat/trigger&amp;#39;<br /> # echo 1 &gt; events/synthetic/open/enable<br /> <br /> BOOM!<br /> <br /> The problem is that the synthetic event field "char file[]" will read<br /> the value given to it as a string without any memory checks to make sure<br /> the address is valid. The above example will pass in the user space<br /> address and the sythetic event code will happily call strlen() on it<br /> and then strscpy() where either one will cause an oops when accessing<br /> user space addresses.<br /> <br /> Use the helper functions from trace_kprobe and trace_eprobe that can<br /> read strings safely (and actually succeed when the address is from user<br /> space and the memory is mapped in).<br /> <br /> Now the above can show:<br /> <br /> packagekitd-1721 [000] ...2. 104.597170: open: file=/usr/lib/rpm/fileattrs/cmake.attr<br /> in:imjournal-978 [006] ...2. 104.599642: open: file=/var/lib/rsyslog/imjournal.state.tmp<br /> packagekitd-1721 [000] ...2. 104.626308: open: file=/usr/lib/rpm/fileattrs/debuginfo.attr

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/meson: remove drm bridges at aggregate driver unbind time<br /> <br /> drm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init<br /> were not manually removed at module unload time, which caused dangling<br /> references to freed memory to remain linked in the global bridge_list.<br /> <br /> When loading the driver modules back in, the same functions would again<br /> call drm_bridge_add, and when traversing the global bridge_list, would<br /> end up peeking into freed memory.<br /> <br /> Once again KASAN revealed the problem:<br /> <br /> [ +0.000095] =============================================================<br /> [ +0.000008] BUG: KASAN: use-after-free in __list_add_valid+0x9c/0x120<br /> [ +0.000018] Read of size 8 at addr ffff00003da291f0 by task modprobe/2483<br /> <br /> [ +0.000018] CPU: 3 PID: 2483 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1<br /> [ +0.000011] Hardware name: Hardkernel ODROID-N2Plus (DT)<br /> [ +0.000008] Call trace:<br /> [ +0.000006] dump_backtrace+0x1ec/0x280<br /> [ +0.000012] show_stack+0x24/0x80<br /> [ +0.000008] dump_stack_lvl+0x98/0xd4<br /> [ +0.000011] print_address_description.constprop.0+0x80/0x520<br /> [ +0.000011] print_report+0x128/0x260<br /> [ +0.000008] kasan_report+0xb8/0xfc<br /> [ +0.000008] __asan_report_load8_noabort+0x3c/0x50<br /> [ +0.000009] __list_add_valid+0x9c/0x120<br /> [ +0.000009] drm_bridge_add+0x6c/0x104 [drm]<br /> [ +0.000165] dw_hdmi_probe+0x1900/0x2360 [dw_hdmi]<br /> [ +0.000022] meson_dw_hdmi_bind+0x520/0x814 [meson_dw_hdmi]<br /> [ +0.000014] component_bind+0x174/0x520<br /> [ +0.000012] component_bind_all+0x1a8/0x38c<br /> [ +0.000010] meson_drv_bind_master+0x5e8/0xb74 [meson_drm]<br /> [ +0.000032] meson_drv_bind+0x20/0x2c [meson_drm]<br /> [ +0.000027] try_to_bring_up_aggregate_device+0x19c/0x390<br /> [ +0.000010] component_master_add_with_match+0x1c8/0x284<br /> [ +0.000009] meson_drv_probe+0x274/0x280 [meson_drm]<br /> [ +0.000026] platform_probe+0xd0/0x220<br /> [ +0.000009] really_probe+0x3ac/0xa80<br /> [ +0.000009] __driver_probe_device+0x1f8/0x400<br /> [ +0.000009] driver_probe_device+0x68/0x1b0<br /> [ +0.000009] __driver_attach+0x20c/0x480<br /> [ +0.000008] bus_for_each_dev+0x114/0x1b0<br /> [ +0.000009] driver_attach+0x48/0x64<br /> [ +0.000008] bus_add_driver+0x390/0x564<br /> [ +0.000009] driver_register+0x1a8/0x3e4<br /> [ +0.000009] __platform_driver_register+0x6c/0x94<br /> [ +0.000008] meson_drm_platform_driver_init+0x3c/0x1000 [meson_drm]<br /> [ +0.000027] do_one_initcall+0xc4/0x2b0<br /> [ +0.000011] do_init_module+0x154/0x570<br /> [ +0.000011] load_module+0x1a78/0x1ea4<br /> [ +0.000008] __do_sys_init_module+0x184/0x1cc<br /> [ +0.000009] __arm64_sys_init_module+0x78/0xb0<br /> [ +0.000009] invoke_syscall+0x74/0x260<br /> [ +0.000009] el0_svc_common.constprop.0+0xcc/0x260<br /> [ +0.000008] do_el0_svc+0x50/0x70<br /> [ +0.000007] el0_svc+0x68/0x1a0<br /> [ +0.000012] el0t_64_sync_handler+0x11c/0x150<br /> [ +0.000008] el0t_64_sync+0x18c/0x190<br /> <br /> [ +0.000016] Allocated by task 879:<br /> [ +0.000008] kasan_save_stack+0x2c/0x5c<br /> [ +0.000011] __kasan_kmalloc+0x90/0xd0<br /> [ +0.000007] __kmalloc+0x278/0x4a0<br /> [ +0.000011] mpi_resize+0x13c/0x1d0<br /> [ +0.000011] mpi_powm+0xd24/0x1570<br /> [ +0.000009] rsa_enc+0x1a4/0x30c<br /> [ +0.000009] pkcs1pad_verify+0x3f0/0x580<br /> [ +0.000009] public_key_verify_signature+0x7a8/0xba4<br /> [ +0.000010] public_key_verify_signature_2+0x40/0x60<br /> [ +0.000008] verify_signature+0xb4/0x114<br /> [ +0.000008] pkcs7_validate_trust_one.constprop.0+0x3b8/0x574<br /> [ +0.000009] pkcs7_validate_trust+0xb8/0x15c<br /> [ +0.000008] verify_pkcs7_message_sig+0xec/0x1b0<br /> [ +0.000012] verify_pkcs7_signature+0x78/0xac<br /> [ +0.000007] mod_verify_sig+0x110/0x190<br /> [ +0.000009] module_sig_check+0x114/0x1e0<br /> [ +0.000009] load_module+0xa0/0x1ea4<br /> [ +0.000008] __do_sys_init_module+0x184/0x1cc<br /> [ +0.000008] __arm64_sys_init_module+0x78/0xb0<br /> [ +0.000008] invoke_syscall+0x74/0x260<br /> [ +0.000009] el0_svc_common.constprop.0+0x1a8/0x260<br /> [ +0.000008] do_el0_svc+0x50/0x70<br /> [ +0.000007] el0_svc+0x68/0x1a0<br /> [ +0.000009] el0t_64_sync_handler+0x11c/0x150<br /> [ +0.000009] el0t_64<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xen/gntdev: Prevent leaking grants<br /> <br /> Prior to this commit, if a grant mapping operation failed partially,<br /> some of the entries in the map_ops array would be invalid, whereas all<br /> of the entries in the kmap_ops array would be valid. This in turn would<br /> cause the following logic in gntdev_map_grant_pages to become invalid:<br /> <br /> for (i = 0; i count; i++) {<br /> if (map-&gt;map_ops[i].status == GNTST_okay) {<br /> map-&gt;unmap_ops[i].handle = map-&gt;map_ops[i].handle;<br /> if (!use_ptemod)<br /> alloced++;<br /> }<br /> if (use_ptemod) {<br /> if (map-&gt;kmap_ops[i].status == GNTST_okay) {<br /> if (map-&gt;map_ops[i].status == GNTST_okay)<br /> alloced++;<br /> map-&gt;kunmap_ops[i].handle = map-&gt;kmap_ops[i].handle;<br /> }<br /> }<br /> }<br /> ...<br /> atomic_add(alloced, &amp;map-&gt;live_grants);<br /> <br /> Assume that use_ptemod is true (i.e., the domain mapping the granted<br /> pages is a paravirtualized domain). In the code excerpt above, note that<br /> the "alloced" variable is only incremented when both kmap_ops[i].status<br /> and map_ops[i].status are set to GNTST_okay (i.e., both mapping<br /> operations are successful). However, as also noted above, there are<br /> cases where a grant mapping operation fails partially, breaking the<br /> assumption of the code excerpt above.<br /> <br /> The aforementioned causes map-&gt;live_grants to be incorrectly set. In<br /> some cases, all of the map_ops mappings fail, but all of the kmap_ops<br /> mappings succeed, meaning that live_grants may remain zero. This in turn<br /> makes it impossible to unmap the successfully grant-mapped pages pointed<br /> to by kmap_ops, because unmap_grant_pages has the following snippet of<br /> code at its beginning:<br /> <br /> if (atomic_read(&amp;map-&gt;live_grants) == 0)<br /> return; /* Nothing to do */<br /> <br /> In other cases where only some of the map_ops mappings fail but all<br /> kmap_ops mappings succeed, live_grants is made positive, but when the<br /> user requests unmapping the grant-mapped pages, __unmap_grant_pages_done<br /> will then make map-&gt;live_grants negative, because the latter function<br /> does not check if all of the pages that were requested to be unmapped<br /> were actually unmapped, and the same function unconditionally subtracts<br /> "data-&gt;count" (i.e., a value that can be greater than map-&gt;live_grants)<br /> from map-&gt;live_grants. The side effects of a negative live_grants value<br /> have not been studied.<br /> <br /> The net effect of all of this is that grant references are leaked in one<br /> of the above conditions. In Qubes OS v4.1 (which uses Xen&amp;#39;s grant<br /> mechanism extensively for X11 GUI isolation), this issue manifests<br /> itself with warning messages like the following to be printed out by the<br /> Linux kernel in the VM that had granted pages (that contain X11 GUI<br /> window data) to dom0: "g.e. 0x1234 still pending", especially after the<br /> user rapidly resizes GUI VM windows (causing some grant-mapping<br /> operations to partially or completely fail, due to the fact that the VM<br /> unshares some of the pages as part of the window resizing, making the<br /> pages impossible to grant-map from dom0).<br /> <br /> The fix for this issue involves counting all successful map_ops and<br /> kmap_ops mappings separately, and then adding the sum to live_grants.<br /> During unmapping, only the number of successfully unmapped grants is<br /> subtracted from live_grants. The code is also modified to check for<br /> negative live_grants values after the subtraction and warn the user.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()<br /> <br /> This patch fixes a stack-out-of-bounds read in brcmfmac that occurs<br /> when &amp;#39;buf&amp;#39; that is not null-terminated is passed as an argument of<br /> strsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware<br /> version string by memcpy() in brcmf_fil_iovar_data_get().<br /> The patch ensures buf is null-terminated.<br /> <br /> Found by a modified version of syzkaller.<br /> <br /> [ 47.569679][ T1897] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43236b for chip BCM43236/3<br /> [ 47.582839][ T1897] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available<br /> [ 47.601565][ T1897] ==================================================================<br /> [ 47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0<br /> [ 47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897<br /> [ 47.604336][ T1897]<br /> [ 47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G O 5.14.0+ #131<br /> [ 47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014<br /> [ 47.606907][ T1897] Workqueue: usb_hub_wq hub_event<br /> [ 47.607453][ T1897] Call Trace:<br /> [ 47.607801][ T1897] dump_stack_lvl+0x8e/0xd1<br /> [ 47.608295][ T1897] print_address_description.constprop.0.cold+0xf/0x334<br /> [ 47.609009][ T1897] ? strsep+0x1b2/0x1f0<br /> [ 47.609434][ T1897] ? strsep+0x1b2/0x1f0<br /> [ 47.609863][ T1897] kasan_report.cold+0x83/0xdf<br /> [ 47.610366][ T1897] ? strsep+0x1b2/0x1f0<br /> [ 47.610882][ T1897] strsep+0x1b2/0x1f0<br /> [ 47.611300][ T1897] ? brcmf_fil_iovar_data_get+0x3a/0xf0<br /> [ 47.611883][ T1897] brcmf_c_preinit_dcmds+0x995/0xc40<br /> [ 47.612434][ T1897] ? brcmf_c_set_joinpref_default+0x100/0x100<br /> [ 47.613078][ T1897] ? rcu_read_lock_sched_held+0xa1/0xd0<br /> [ 47.613662][ T1897] ? rcu_read_lock_bh_held+0xb0/0xb0<br /> [ 47.614208][ T1897] ? lock_acquire+0x19d/0x4e0<br /> [ 47.614704][ T1897] ? find_held_lock+0x2d/0x110<br /> [ 47.615236][ T1897] ? brcmf_usb_deq+0x1a7/0x260<br /> [ 47.615741][ T1897] ? brcmf_usb_rx_fill_all+0x5a/0xf0<br /> [ 47.616288][ T1897] brcmf_attach+0x246/0xd40<br /> [ 47.616758][ T1897] ? wiphy_new_nm+0x1703/0x1dd0<br /> [ 47.617280][ T1897] ? kmemdup+0x43/0x50<br /> [ 47.617720][ T1897] brcmf_usb_probe+0x12de/0x1690<br /> [ 47.618244][ T1897] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470<br /> [ 47.618901][ T1897] usb_probe_interface+0x2aa/0x760<br /> [ 47.619429][ T1897] ? usb_probe_device+0x250/0x250<br /> [ 47.619950][ T1897] really_probe+0x205/0xb70<br /> [ 47.620435][ T1897] ? driver_allows_async_probing+0x130/0x130<br /> [ 47.621048][ T1897] __driver_probe_device+0x311/0x4b0<br /> [ 47.621595][ T1897] ? driver_allows_async_probing+0x130/0x130<br /> [ 47.622209][ T1897] driver_probe_device+0x4e/0x150<br /> [ 47.622739][ T1897] __device_attach_driver+0x1cc/0x2a0<br /> [ 47.623287][ T1897] bus_for_each_drv+0x156/0x1d0<br /> [ 47.623796][ T1897] ? bus_rescan_devices+0x30/0x30<br /> [ 47.624309][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0<br /> [ 47.624907][ T1897] ? trace_hardirqs_on+0x46/0x160<br /> [ 47.625437][ T1897] __device_attach+0x23f/0x3a0<br /> [ 47.625924][ T1897] ? device_bind_driver+0xd0/0xd0<br /> [ 47.626433][ T1897] ? kobject_uevent_env+0x287/0x14b0<br /> [ 47.627057][ T1897] bus_probe_device+0x1da/0x290<br /> [ 47.627557][ T1897] device_add+0xb7b/0x1eb0<br /> [ 47.628027][ T1897] ? wait_for_completion+0x290/0x290<br /> [ 47.628593][ T1897] ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0<br /> [ 47.629249][ T1897] usb_set_configuration+0xf59/0x16f0<br /> [ 47.629829][ T1897] usb_generic_driver_probe+0x82/0xa0<br /> [ 47.630385][ T1897] usb_probe_device+0xbb/0x250<br /> [ 47.630927][ T1897] ? usb_suspend+0x590/0x590<br /> [ 47.631397][ T1897] really_probe+0x205/0xb70<br /> [ 47.631855][ T1897] ? driver_allows_async_probing+0x130/0x130<br /> [ 47.632469][ T1897] __driver_probe_device+0x311/0x4b0<br /> [ 47.633002][ <br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf, sockmap: fix race in sock_map_free()<br /> <br /> sock_map_free() calls release_sock(sk) without owning a reference<br /> on the socket. This can cause use-after-free as syzbot found [1]<br /> <br /> Jakub Sitnicki already took care of a similar issue<br /> in sock_hash_free() in commit 75e68e5bf2c7 ("bpf, sockhash:<br /> Synchronize delete from bucket list on map free")<br /> <br /> [1]<br /> refcount_t: decrement hit 0; leaking memory.<br /> WARNING: CPU: 0 PID: 3785 at lib/refcount.c:31 refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31<br /> Modules linked in:<br /> CPU: 0 PID: 3785 Comm: kworker/u4:6 Not tainted 6.1.0-rc7-syzkaller-00103-gef4d3ea40565 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022<br /> Workqueue: events_unbound bpf_map_free_deferred<br /> RIP: 0010:refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31<br /> Code: 68 8b 31 c0 e8 75 71 15 fd 0f 0b e9 64 ff ff ff e8 d9 6e 4e fd c6 05 62 9c 3d 0a 01 48 c7 c7 80 bb 68 8b 31 c0 e8 54 71 15 fd 0b e9 43 ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a2 fe ff<br /> RSP: 0018:ffffc9000456fb60 EFLAGS: 00010246<br /> RAX: eae59bab72dcd700 RBX: 0000000000000004 RCX: ffff8880207057c0<br /> RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000<br /> RBP: 0000000000000004 R08: ffffffff816fdabd R09: fffff520008adee5<br /> R10: fffff520008adee5 R11: 1ffff920008adee4 R12: 0000000000000004<br /> R13: dffffc0000000000 R14: ffff88807b1c6c00 R15: 1ffff1100f638dcf<br /> FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000001b30c30000 CR3: 000000000d08e000 CR4: 00000000003506f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> __refcount_dec include/linux/refcount.h:344 [inline]<br /> refcount_dec include/linux/refcount.h:359 [inline]<br /> __sock_put include/net/sock.h:779 [inline]<br /> tcp_release_cb+0x2d0/0x360 net/ipv4/tcp_output.c:1092<br /> release_sock+0xaf/0x1c0 net/core/sock.c:3468<br /> sock_map_free+0x219/0x2c0 net/core/sock_map.c:356<br /> process_one_work+0x81c/0xd10 kernel/workqueue.c:2289<br /> worker_thread+0xb14/0x1330 kernel/workqueue.c:2436<br /> kthread+0x266/0x300 kernel/kthread.c:376<br /> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/msm: Make .remove and .shutdown HW shutdown consistent<br /> <br /> Drivers&amp;#39; .remove and .shutdown callbacks are executed on different code<br /> paths. The former is called when a device is removed from the bus, while<br /> the latter is called at system shutdown time to quiesce the device.<br /> <br /> This means that some overlap exists between the two, because both have to<br /> take care of properly shutting down the hardware. But currently the logic<br /> used in these two callbacks isn&amp;#39;t consistent in msm drivers, which could<br /> lead to kernel panic.<br /> <br /> For example, on .remove the component is deleted and its .unbind callback<br /> leads to the hardware being shutdown but only if the DRM device has been<br /> marked as registered.<br /> <br /> That check doesn&amp;#39;t exist in the .shutdown logic and this can lead to the<br /> driver calling drm_atomic_helper_shutdown() for a DRM device that hasn&amp;#39;t<br /> been properly initialized.<br /> <br /> A situation like this can happen if drivers for expected sub-devices fail<br /> to probe, since the .bind callback will never be executed. If that is the<br /> case, drm_atomic_helper_shutdown() will attempt to take mutexes that are<br /> only initialized if drm_mode_config_init() is called during a device bind.<br /> <br /> This bug was attempted to be fixed in commit 623f279c7781 ("drm/msm: fix<br /> shutdown hook in case GPU components failed to bind"), but unfortunately<br /> it still happens in some cases as the one mentioned above, i.e:<br /> <br /> systemd-shutdown[1]: Powering off.<br /> kvm: exiting hardware virtualization<br /> platform wifi-firmware.0: Removing from iommu group 12<br /> platform video-firmware.0: Removing from iommu group 10<br /> ------------[ cut here ]------------<br /> WARNING: CPU: 6 PID: 1 at drivers/gpu/drm/drm_modeset_lock.c:317 drm_modeset_lock_all_ctx+0x3c4/0x3d0<br /> ...<br /> Hardware name: Google CoachZ (rev3+) (DT)<br /> pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : drm_modeset_lock_all_ctx+0x3c4/0x3d0<br /> lr : drm_modeset_lock_all_ctx+0x48/0x3d0<br /> sp : ffff80000805bb80<br /> x29: ffff80000805bb80 x28: ffff327c00128000 x27: 0000000000000000<br /> x26: 0000000000000000 x25: 0000000000000001 x24: ffffc95d820ec030<br /> x23: ffff327c00bbd090 x22: ffffc95d8215eca0 x21: ffff327c039c5800<br /> x20: ffff327c039c5988 x19: ffff80000805bbe8 x18: 0000000000000034<br /> x17: 000000040044ffff x16: ffffc95d80cac920 x15: 0000000000000000<br /> x14: 0000000000000315 x13: 0000000000000315 x12: 0000000000000000<br /> x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000<br /> x8 : ffff80000805bc28 x7 : 0000000000000000 x6 : 0000000000000000<br /> x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000<br /> x2 : ffff327c00128000 x1 : 0000000000000000 x0 : ffff327c039c59b0<br /> Call trace:<br /> drm_modeset_lock_all_ctx+0x3c4/0x3d0<br /> drm_atomic_helper_shutdown+0x70/0x134<br /> msm_drv_shutdown+0x30/0x40<br /> platform_shutdown+0x28/0x40<br /> device_shutdown+0x148/0x350<br /> kernel_power_off+0x38/0x80<br /> __do_sys_reboot+0x288/0x2c0<br /> __arm64_sys_reboot+0x28/0x34<br /> invoke_syscall+0x48/0x114<br /> el0_svc_common.constprop.0+0x44/0xec<br /> do_el0_svc+0x2c/0xc0<br /> el0_svc+0x2c/0x84<br /> el0t_64_sync_handler+0x11c/0x150<br /> el0t_64_sync+0x18c/0x190<br /> ---[ end trace 0000000000000000 ]---<br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018<br /> Mem abort info:<br /> ESR = 0x0000000096000004<br /> EC = 0x25: DABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> FSC = 0x04: level 0 translation fault<br /> Data abort info:<br /> ISV = 0, ISS = 0x00000004<br /> CM = 0, WnR = 0<br /> user pgtable: 4k pages, 48-bit VAs, pgdp=000000010eab1000<br /> [0000000000000018] pgd=0000000000000000, p4d=0000000000000000<br /> Internal error: Oops: 96000004 [#1] PREEMPT SMP<br /> ...<br /> Hardware name: Google CoachZ (rev3+) (DT)<br /> pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : ww_mutex_lock+0x28/0x32c<br /> lr : drm_modeset_lock_all_ctx+0x1b0/0x3d0<br /> sp : ffff80000805bb50<br /> x29: ffff80000805bb50 x28: ffff327c00128000 x27: 0000000000000000<br /> x26: 00000<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()<br /> <br /> With clang&amp;#39;s kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),<br /> indirect call targets are validated against the expected function<br /> pointer prototype to make sure the call target is valid to help mitigate<br /> ROP attacks. If they are not identical, there is a failure at run time,<br /> which manifests as either a kernel panic or thread getting killed. A<br /> proposed warning in clang aims to catch these at compile time, which<br /> reveals:<br /> <br /> drivers/gpu/drm/sti/sti_hda.c:637:16: error: incompatible function pointer types initializing &amp;#39;enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)&amp;#39; with an expression of type &amp;#39;int (struct drm_connector *, struct drm_display_mode *)&amp;#39; [-Werror,-Wincompatible-function-pointer-types-strict]<br /> .mode_valid = sti_hda_connector_mode_valid,<br /> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /> drivers/gpu/drm/sti/sti_dvo.c:376:16: error: incompatible function pointer types initializing &amp;#39;enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)&amp;#39; with an expression of type &amp;#39;int (struct drm_connector *, struct drm_display_mode *)&amp;#39; [-Werror,-Wincompatible-function-pointer-types-strict]<br /> .mode_valid = sti_dvo_connector_mode_valid,<br /> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /> drivers/gpu/drm/sti/sti_hdmi.c:1035:16: error: incompatible function pointer types initializing &amp;#39;enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)&amp;#39; with an expression of type &amp;#39;int (struct drm_connector *, struct drm_display_mode *)&amp;#39; [-Werror,-Wincompatible-function-pointer-types-strict]<br /> .mode_valid = sti_hdmi_connector_mode_valid,<br /> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /> <br /> -&gt;mode_valid() in &amp;#39;struct drm_connector_helper_funcs&amp;#39; expects a return<br /> type of &amp;#39;enum drm_mode_status&amp;#39;, not &amp;#39;int&amp;#39;. Adjust the return type of<br /> sti_{dvo,hda,hdmi}_connector_mode_valid() to match the prototype&amp;#39;s to<br /> resolve the warning and CFI failure.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: tcpci: fix of node refcount leak in tcpci_register_port()<br /> <br /> I got the following report while doing device(mt6370-tcpc) load<br /> test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:<br /> <br /> OF: ERROR: memory leak, expected refcount 1 instead of 2,<br /> of_node_get()/of_node_put() unbalanced - destroy cset entry:<br /> attach overlay node /i2c/pmic@34/tcpc/connector<br /> <br /> The &amp;#39;fwnode&amp;#39; set in tcpci_parse_config() which is called<br /> in tcpci_register_port(), its node refcount is increased<br /> in device_get_named_child_node(). It needs be put while<br /> exiting, so call fwnode_handle_put() in the error path of<br /> tcpci_register_port() and in tcpci_unregister_port() to<br /> avoid leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: xhci-mtk: fix leakage of shared hcd when fail to set wakeup irq<br /> <br /> Can not set the @shared_hcd to NULL before decrease the usage count<br /> by usb_put_hcd(), this will cause the shared hcd not released.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: iwlwifi: mvm: fix double free on tx path.<br /> <br /> We see kernel crashes and lockups and KASAN errors related to ax210<br /> firmware crashes. One of the KASAN dumps pointed at the tx path,<br /> and it appears there is indeed a way to double-free an skb.<br /> <br /> If iwl_mvm_tx_skb_sta returns non-zero, then the &amp;#39;skb&amp;#39; sent into the<br /> method will be freed. But, in case where we build TSO skb buffer,<br /> the skb may also be freed in error case. So, return 0 in that particular<br /> error case and do cleanup manually.<br /> <br /> BUG: KASAN: use-after-free in __list_del_entry_valid+0x12/0x90<br /> iwlwifi 0000:06:00.0: 0x00000000 | tsf hi<br /> Read of size 8 at addr ffff88813cfa4ba0 by task btserver/9650<br /> <br /> CPU: 4 PID: 9650 Comm: btserver Tainted: G W 5.19.8+ #5<br /> iwlwifi 0000:06:00.0: 0x00000000 | time gp1<br /> Hardware name: Default string Default string/SKYBAY, BIOS 5.12 02/19/2019<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x55/0x6d<br /> print_report.cold.12+0xf2/0x684<br /> iwlwifi 0000:06:00.0: 0x1D0915A8 | time gp2<br /> ? __list_del_entry_valid+0x12/0x90<br /> kasan_report+0x8b/0x180<br /> iwlwifi 0000:06:00.0: 0x00000001 | uCode revision type<br /> ? __list_del_entry_valid+0x12/0x90<br /> __list_del_entry_valid+0x12/0x90<br /> iwlwifi 0000:06:00.0: 0x00000048 | uCode version major<br /> tcp_update_skb_after_send+0x5d/0x170<br /> __tcp_transmit_skb+0xb61/0x15c0<br /> iwlwifi 0000:06:00.0: 0xDAA05125 | uCode version minor<br /> ? __tcp_select_window+0x490/0x490<br /> iwlwifi 0000:06:00.0: 0x00000420 | hw version<br /> ? trace_kmalloc_node+0x29/0xd0<br /> ? __kmalloc_node_track_caller+0x12a/0x260<br /> ? memset+0x1f/0x40<br /> ? __build_skb_around+0x125/0x150<br /> ? __alloc_skb+0x1d4/0x220<br /> ? skb_zerocopy_clone+0x55/0x230<br /> iwlwifi 0000:06:00.0: 0x00489002 | board version<br /> ? kmalloc_reserve+0x80/0x80<br /> ? rcu_read_lock_bh_held+0x60/0xb0<br /> tcp_write_xmit+0x3f1/0x24d0<br /> iwlwifi 0000:06:00.0: 0x034E001C | hcmd<br /> ? __check_object_size+0x180/0x350<br /> iwlwifi 0000:06:00.0: 0x24020000 | isr0<br /> tcp_sendmsg_locked+0x8a9/0x1520<br /> iwlwifi 0000:06:00.0: 0x01400000 | isr1<br /> ? tcp_sendpage+0x50/0x50<br /> iwlwifi 0000:06:00.0: 0x48F0000A | isr2<br /> ? lock_release+0xb9/0x400<br /> ? tcp_sendmsg+0x14/0x40<br /> iwlwifi 0000:06:00.0: 0x00C3080C | isr3<br /> ? lock_downgrade+0x390/0x390<br /> ? do_raw_spin_lock+0x114/0x1d0<br /> iwlwifi 0000:06:00.0: 0x00200000 | isr4<br /> ? rwlock_bug.part.2+0x50/0x50<br /> iwlwifi 0000:06:00.0: 0x034A001C | last cmd Id<br /> ? rwlock_bug.part.2+0x50/0x50<br /> ? lockdep_hardirqs_on_prepare+0xe/0x200<br /> iwlwifi 0000:06:00.0: 0x0000C2F0 | wait_event<br /> ? __local_bh_enable_ip+0x87/0xe0<br /> ? inet_send_prepare+0x220/0x220<br /> iwlwifi 0000:06:00.0: 0x000000C4 | l2p_control<br /> tcp_sendmsg+0x22/0x40<br /> sock_sendmsg+0x5f/0x70<br /> iwlwifi 0000:06:00.0: 0x00010034 | l2p_duration<br /> __sys_sendto+0x19d/0x250<br /> iwlwifi 0000:06:00.0: 0x00000007 | l2p_mhvalid<br /> ? __ia32_sys_getpeername+0x40/0x40<br /> iwlwifi 0000:06:00.0: 0x00000000 | l2p_addr_match<br /> ? rcu_read_lock_held_common+0x12/0x50<br /> ? rcu_read_lock_sched_held+0x5a/0xd0<br /> ? rcu_read_lock_bh_held+0xb0/0xb0<br /> ? rcu_read_lock_sched_held+0x5a/0xd0<br /> ? rcu_read_lock_sched_held+0x5a/0xd0<br /> ? lock_release+0xb9/0x400<br /> ? lock_downgrade+0x390/0x390<br /> ? ktime_get+0x64/0x130<br /> ? ktime_get+0x8d/0x130<br /> ? rcu_read_lock_held_common+0x12/0x50<br /> ? rcu_read_lock_sched_held+0x5a/0xd0<br /> ? rcu_read_lock_held_common+0x12/0x50<br /> ? rcu_read_lock_sched_held+0x5a/0xd0<br /> ? rcu_read_lock_bh_held+0xb0/0xb0<br /> ? rcu_read_lock_bh_held+0xb0/0xb0<br /> __x64_sys_sendto+0x6f/0x80<br /> do_syscall_64+0x34/0xb0<br /> entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> RIP: 0033:0x7f1d126e4531<br /> Code: 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 35 80 0c 00 41 89 ca 8b 00 85 c0 75 1c 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 3d 00 f0 ff ff 77 67 c3 66 0f 1f 44 00 00 55 48 83 ec 20 48 89<br /> RSP: 002b:00007ffe21a679d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c<br /> RAX: ffffffffffffffda RBX: 000000000000ffdc RCX: 00007f1d126e4531<br /> RDX: 0000000000010000 RSI: 000000000374acf0 RDI: 0000000000000014<br /> RBP: 00007ffe21a67ac0 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> memory: of: Fix refcount leak bug in of_get_ddr_timings()<br /> <br /> We should add the of_node_put() when breaking out of<br /> for_each_child_of_node() as it will automatically increase<br /> and decrease the refcount.