Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: mpt3sas: Fix NULL pointer access in mpt3sas_transport_port_add()<br /> <br /> Port is allocated by sas_port_alloc_num() and rphy is allocated by either<br /> sas_end_device_alloc() or sas_expander_alloc(), all of which may return<br /> NULL. So we need to check the rphy to avoid possible NULL pointer access.<br /> <br /> If sas_rphy_add() returned with failure, rphy is set to NULL. We would<br /> access the rphy in the following lines which would also result NULL pointer<br /> access.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: usb: smsc75xx: Limit packet length to skb-&gt;len<br /> <br /> Packet length retrieved from skb data may be larger than<br /> the actual socket buffer length (up to 9026 bytes). In such<br /> case the cloned skb passed up the network stack will leak<br /> kernel memory contents.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: mpi3mr: Fix sas_hba.phy memory leak in mpi3mr_remove()<br /> <br /> Free mrioc-&gt;sas_hba.phy at .remove.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: mpi3mr: Fix expander node leak in mpi3mr_remove()<br /> <br /> Add a missing resource clean up in .remove.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: mpi3mr: Fix throttle_groups memory leak<br /> <br /> Add a missing kfree().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: Fix deadlock during directory rename<br /> <br /> As lockdep properly warns, we should not be locking i_rwsem while having<br /> transactions started as the proper lock ordering used by all directory<br /> handling operations is i_rwsem -&gt; transaction start. Fix the lock<br /> ordering by moving the locking of the directory earlier in<br /> ext4_rename().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block: fix wrong mode for blkdev_put() from disk_scan_partitions()<br /> <br /> If disk_scan_partitions() is called with &amp;#39;FMODE_EXCL&amp;#39;,<br /> blkdev_get_by_dev() will be called without &amp;#39;FMODE_EXCL&amp;#39;, however, follow<br /> blkdev_put() is still called with &amp;#39;FMODE_EXCL&amp;#39;, which will cause<br /> &amp;#39;bd_holders&amp;#39; counter to leak.<br /> <br /> Fix the problem by using the right mode for blkdev_put().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> loop: Fix use-after-free issues<br /> <br /> do_req_filebacked() calls blk_mq_complete_request() synchronously or<br /> asynchronously when using asynchronous I/O unless memory allocation fails.<br /> Hence, modify loop_handle_cmd() such that it does not dereference &amp;#39;cmd&amp;#39; nor<br /> &amp;#39;rq&amp;#39; after do_req_filebacked() finished unless we are sure that the request<br /> has not yet been completed. This patch fixes the following kernel crash:<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000054<br /> Call trace:<br /> css_put.42938+0x1c/0x1ac<br /> loop_process_work+0xc8c/0xfd4<br /> loop_rootcg_workfn+0x24/0x34<br /> process_one_work+0x244/0x558<br /> worker_thread+0x400/0x8fc<br /> kthread+0x16c/0x1e0<br /> ret_from_fork+0x10/0x20

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915/sseu: fix max_subslices array-index-out-of-bounds access<br /> <br /> It seems that commit bc3c5e0809ae ("drm/i915/sseu: Don&amp;#39;t try to store EU<br /> mask internally in UAPI format") exposed a potential out-of-bounds<br /> access, reported by UBSAN as following on a laptop with a gen 11 i915<br /> card:<br /> <br /> UBSAN: array-index-out-of-bounds in drivers/gpu/drm/i915/gt/intel_sseu.c:65:27<br /> index 6 is out of range for type &amp;#39;u16 [6]&amp;#39;<br /> CPU: 2 PID: 165 Comm: systemd-udevd Not tainted 6.2.0-9-generic #9-Ubuntu<br /> Hardware name: Dell Inc. XPS 13 9300/077Y9N, BIOS 1.11.0 03/22/2022<br /> Call Trace:<br /> <br /> show_stack+0x4e/0x61<br /> dump_stack_lvl+0x4a/0x6f<br /> dump_stack+0x10/0x18<br /> ubsan_epilogue+0x9/0x3a<br /> __ubsan_handle_out_of_bounds.cold+0x42/0x47<br /> gen11_compute_sseu_info+0x121/0x130 [i915]<br /> intel_sseu_info_init+0x15d/0x2b0 [i915]<br /> intel_gt_init_mmio+0x23/0x40 [i915]<br /> i915_driver_mmio_probe+0x129/0x400 [i915]<br /> ? intel_gt_probe_all+0x91/0x2e0 [i915]<br /> i915_driver_probe+0xe1/0x3f0 [i915]<br /> ? drm_privacy_screen_get+0x16d/0x190 [drm]<br /> ? acpi_dev_found+0x64/0x80<br /> i915_pci_probe+0xac/0x1b0 [i915]<br /> ...<br /> <br /> According to the definition of sseu_dev_info, eu_mask-&gt;hsw is limited to<br /> a maximum of GEN_MAX_SS_PER_HSW_SLICE (6) sub-slices, but<br /> gen11_sseu_info_init() can potentially set 8 sub-slices, in the<br /> !IS_JSL_EHL(gt-&gt;i915) case.<br /> <br /> Fix this by reserving up to 8 slots for max_subslices in the eu_mask<br /> struct.<br /> <br /> (cherry picked from commit 3cba09a6ac86ea1d456909626eb2685596c07822)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: nl80211: fix NULL-ptr deref in offchan check<br /> <br /> If, e.g. in AP mode, the link was already created by userspace<br /> but not activated yet, it has a chandef but the chandef isn&amp;#39;t<br /> valid and has no channel. Check for this and ignore this link.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i40e: Fix kernel crash during reboot when adapter is in recovery mode<br /> <br /> If the driver detects during probe that firmware is in recovery<br /> mode then i40e_init_recovery_mode() is called and the rest of<br /> probe function is skipped including pci_set_drvdata(). Subsequent<br /> i40e_shutdown() called during shutdown/reboot dereferences NULL<br /> pointer as pci_get_drvdata() returns NULL.<br /> <br /> To fix call pci_set_drvdata() also during entering to recovery mode.<br /> <br /> Reproducer:<br /> 1) Lets have i40e NIC with firmware in recovery mode<br /> 2) Run reboot<br /> <br /> Result:<br /> [ 139.084698] i40e: Intel(R) Ethernet Connection XL710 Network Driver<br /> [ 139.090959] i40e: Copyright (c) 2013 - 2019 Intel Corporation.<br /> [ 139.108438] i40e 0000:02:00.0: Firmware recovery mode detected. Limiting functionality.<br /> [ 139.116439] i40e 0000:02:00.0: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.<br /> [ 139.129499] i40e 0000:02:00.0: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]<br /> [ 139.215932] i40e 0000:02:00.0 enp2s0f0: renamed from eth0<br /> [ 139.223292] i40e 0000:02:00.1: Firmware recovery mode detected. Limiting functionality.<br /> [ 139.231292] i40e 0000:02:00.1: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.<br /> [ 139.244406] i40e 0000:02:00.1: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]<br /> [ 139.329209] i40e 0000:02:00.1 enp2s0f1: renamed from eth0<br /> ...<br /> [ 156.311376] BUG: kernel NULL pointer dereference, address: 00000000000006c2<br /> [ 156.318330] #PF: supervisor write access in kernel mode<br /> [ 156.323546] #PF: error_code(0x0002) - not-present page<br /> [ 156.328679] PGD 0 P4D 0<br /> [ 156.331210] Oops: 0002 [#1] PREEMPT SMP NOPTI<br /> [ 156.335567] CPU: 26 PID: 15119 Comm: reboot Tainted: G E 6.2.0+ #1<br /> [ 156.343126] Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022<br /> [ 156.353369] RIP: 0010:i40e_shutdown+0x15/0x130 [i40e]<br /> [ 156.358430] Code: c1 fc ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 fd 53 48 8b 9f 48 01 00 00 80 8b c2 06 00 00 04 f0 80 8b c0 06 00 00 08 48 8d bb 08 08 00<br /> [ 156.377168] RSP: 0018:ffffb223c8447d90 EFLAGS: 00010282<br /> [ 156.382384] RAX: ffffffffc073ee70 RBX: 0000000000000000 RCX: 0000000000000001<br /> [ 156.389510] RDX: 0000000080000001 RSI: 0000000000000246 RDI: ffff95db49988000<br /> [ 156.396634] RBP: ffff95db49988000 R08: ffffffffffffffff R09: ffffffff8bd17d40<br /> [ 156.403759] R10: 0000000000000001 R11: ffffffff8a5e3d28 R12: ffff95db49988000<br /> [ 156.410882] R13: ffffffff89a6fe17 R14: ffff95db49988150 R15: 0000000000000000<br /> [ 156.418007] FS: 00007fe7c0cc3980(0000) GS:ffff95ea8ee80000(0000) knlGS:0000000000000000<br /> [ 156.426083] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 156.431819] CR2: 00000000000006c2 CR3: 00000003092fc005 CR4: 0000000000770ee0<br /> [ 156.438944] PKRU: 55555554<br /> [ 156.441647] Call Trace:<br /> [ 156.444096] <br /> [ 156.446199] pci_device_shutdown+0x38/0x60<br /> [ 156.450297] device_shutdown+0x163/0x210<br /> [ 156.454215] kernel_restart+0x12/0x70<br /> [ 156.457872] __do_sys_reboot+0x1ab/0x230<br /> [ 156.461789] ? vfs_writev+0xa6/0x1a0<br /> [ 156.465362] ? __pfx_file_free_rcu+0x10/0x10<br /> [ 156.469635] ? __call_rcu_common.constprop.85+0x109/0x5a0<br /> [ 156.475034] do_syscall_64+0x3e/0x90<br /> [ 156.478611] entry_SYSCALL_64_after_hwframe+0x72/0xdc<br /> [ 156.483658] RIP: 0033:0x7fe7bff37ab7

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: mpi3mr: Fix memory leaks in mpi3mr_init_ioc()<br /> <br /> Don&amp;#39;t allocate memory again when IOC is being reinitialized.