Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm64: compat: Do not treat syscall number as ESR_ELx for a bad syscall<br /> <br /> If a compat process tries to execute an unknown system call above the<br /> __ARM_NR_COMPAT_END number, the kernel sends a SIGILL signal to the<br /> offending process. Information about the error is printed to dmesg in<br /> compat_arm_syscall() -&gt; arm64_notify_die() -&gt; arm64_force_sig_fault() -&gt;<br /> arm64_show_signal().<br /> <br /> arm64_show_signal() interprets a non-zero value for<br /> current-&gt;thread.fault_code as an exception syndrome and displays the<br /> message associated with the ESR_ELx.EC field (bits 31:26).<br /> current-&gt;thread.fault_code is set in compat_arm_syscall() -&gt;<br /> arm64_notify_die() with the bad syscall number instead of a valid ESR_ELx<br /> value. This means that the ESR_ELx.EC field has the value that the user set<br /> for the syscall number and the kernel can end up printing bogus exception<br /> messages*. For example, for the syscall number 0x68000000, which evaluates<br /> to ESR_ELx.EC value of 0x1A (ESR_ELx_EC_FPAC) the kernel prints this error:<br /> <br /> [ 18.349161] syscall[300]: unhandled exception: ERET/ERETAA/ERETAB, ESR 0x68000000, Oops - bad compat syscall(2) in syscall[10000+50000]<br /> [ 18.350639] CPU: 2 PID: 300 Comm: syscall Not tainted 5.18.0-rc1 #79<br /> [ 18.351249] Hardware name: Pine64 RockPro64 v2.0 (DT)<br /> [..]<br /> <br /> which is misleading, as the bad compat syscall has nothing to do with<br /> pointer authentication.<br /> <br /> Stop arm64_show_signal() from printing exception syndrome information by<br /> having compat_arm_syscall() set the ESR_ELx value to 0, as it has no<br /> meaning for an invalid system call number. The example above now becomes:<br /> <br /> [ 19.935275] syscall[301]: unhandled exception: Oops - bad compat syscall(2) in syscall[10000+50000]<br /> [ 19.936124] CPU: 1 PID: 301 Comm: syscall Not tainted 5.18.0-rc1-00005-g7e08006d4102 #80<br /> [ 19.936894] Hardware name: Pine64 RockPro64 v2.0 (DT)<br /> [..]<br /> <br /> which although shows less information because the syscall number,<br /> wrongfully advertised as the ESR value, is missing, it is better than<br /> showing plainly wrong information. The syscall number can be easily<br /> obtained with strace.<br /> <br /> *A 32-bit value above or equal to 0x8000_0000 is interpreted as a negative<br /> integer in compat_arm_syscal() and the condition scno

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: lpfc: Fix resource leak in lpfc_sli4_send_seq_to_ulp()<br /> <br /> If no handler is found in lpfc_complete_unsol_iocb() to match the rctl of a<br /> received frame, the frame is dropped and resources are leaked.<br /> <br /> Fix by returning resources when discarding an unhandled frame type. Update<br /> lpfc_fc_frame_check() handling of NOP basic link service.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mmc: jz4740: Apply DMA engine limits to maximum segment size<br /> <br /> Do what is done in other DMA-enabled MMC host drivers (cf. host/mmci.c) and<br /> limit the maximum segment size based on the DMA engine&amp;#39;s capabilities. This<br /> is needed to avoid warnings like the following with CONFIG_DMA_API_DEBUG=y.<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 0 PID: 21 at kernel/dma/debug.c:1162 debug_dma_map_sg+0x2f4/0x39c<br /> DMA-API: jz4780-dma 13420000.dma-controller: mapping sg segment longer than device claims to support [len=98304] [max=65536]<br /> CPU: 0 PID: 21 Comm: kworker/0:1H Not tainted 5.18.0-rc1 #19<br /> Workqueue: kblockd blk_mq_run_work_fn<br /> Stack : 81575aec 00000004 80620000 80620000 80620000 805e7358 00000009 801537ac<br /> 814c832c 806276e3 806e34b4 80620000 81575aec 00000001 81575ab8 09291444<br /> 00000000 00000000 805e7358 81575958 ffffffea 8157596c 00000000 636f6c62<br /> 6220646b 80387a70 0000000f 6d5f6b6c 80620000 00000000 81575ba4 00000009<br /> 805e170c 80896640 00000001 00010000 00000000 00000000 00006098 806e0000<br /> ...<br /> Call Trace:<br /> [] show_stack+0x84/0x120<br /> [] __warn+0xb8/0xec<br /> [] warn_slowpath_fmt+0x6c/0xb8<br /> [] debug_dma_map_sg+0x2f4/0x39c<br /> [] __dma_map_sg_attrs+0xf0/0x118<br /> [] dma_map_sg_attrs+0x14/0x28<br /> [] jz4740_mmc_prepare_dma_data+0x74/0xa4<br /> [] jz4740_mmc_pre_request+0x30/0x54<br /> [] mmc_blk_mq_issue_rq+0x6e0/0x7bc<br /> [] mmc_mq_queue_rq+0x220/0x2d4<br /> [] blk_mq_dispatch_rq_list+0x480/0x664<br /> [] blk_mq_do_dispatch_sched+0x2dc/0x370<br /> [] __blk_mq_sched_dispatch_requests+0xec/0x164<br /> [] blk_mq_sched_dispatch_requests+0x44/0x94<br /> [] __blk_mq_run_hw_queue+0xb0/0xcc<br /> [] process_one_work+0x1b8/0x264<br /> [] worker_thread+0x2ec/0x3b8<br /> [] kthread+0x104/0x10c<br /> [] ret_from_kernel_thread+0x14/0x1c<br /> <br /> ---[ end trace 0000000000000000 ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ath11k: disable spectral scan during spectral deinit<br /> <br /> When ath11k modules are removed using rmmod with spectral scan enabled,<br /> crash is observed. Different crash trace is observed for each crash.<br /> <br /> Send spectral scan disable WMI command to firmware before cleaning<br /> the spectral dbring in the spectral_deinit API to avoid this crash.<br /> <br /> call trace from one of the crash observed:<br /> [ 1252.880802] Unable to handle kernel NULL pointer dereference at virtual address 00000008<br /> [ 1252.882722] pgd = 0f42e886<br /> [ 1252.890955] [00000008] *pgd=00000000<br /> [ 1252.893478] Internal error: Oops: 5 [#1] PREEMPT SMP ARM<br /> [ 1253.093035] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.89 #0<br /> [ 1253.115261] Hardware name: Generic DT based system<br /> [ 1253.121149] PC is at ath11k_spectral_process_data+0x434/0x574 [ath11k]<br /> [ 1253.125940] LR is at 0x88e31017<br /> [ 1253.132448] pc : [] lr : [] psr: a0000193<br /> [ 1253.135488] sp : 80d01bc8 ip : 00000001 fp : 970e0000<br /> [ 1253.141737] r10: 88e31000 r9 : 970ec000 r8 : 00000080<br /> [ 1253.146946] r7 : 94734040 r6 : a0000113 r5 : 00000057 r4 : 00000000<br /> [ 1253.152159] r3 : e18cb694 r2 : 00000217 r1 : 1df1f000 r0 : 00000001<br /> [ 1253.158755] Flags: NzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user<br /> [ 1253.165266] Control: 10c0383d Table: 5e71006a DAC: 00000055<br /> [ 1253.172472] Process swapper/0 (pid: 0, stack limit = 0x60870141)<br /> [ 1253.458055] [] (ath11k_spectral_process_data [ath11k]) from [] (ath11k_dbring_buffer_release_event+0x214/0x2e4 [ath11k])<br /> [ 1253.466139] [] (ath11k_dbring_buffer_release_event [ath11k]) from [] (ath11k_wmi_tlv_op_rx+0x1840/0x29cc [ath11k])<br /> [ 1253.478807] [] (ath11k_wmi_tlv_op_rx [ath11k]) from [] (ath11k_htc_rx_completion_handler+0x180/0x4e0 [ath11k])<br /> [ 1253.490699] [] (ath11k_htc_rx_completion_handler [ath11k]) from [] (ath11k_ce_per_engine_service+0x2c4/0x3b4 [ath11k])<br /> [ 1253.502386] [] (ath11k_ce_per_engine_service [ath11k]) from [] (ath11k_pci_ce_tasklet+0x28/0x80 [ath11k_pci])<br /> [ 1253.514811] [] (ath11k_pci_ce_tasklet [ath11k_pci]) from [] (tasklet_action_common.constprop.2+0x64/0xe8)<br /> [ 1253.526476] [] (tasklet_action_common.constprop.2) from [] (__do_softirq+0x130/0x2d0)<br /> [ 1253.537756] [] (__do_softirq) from [] (irq_exit+0xcc/0xe8)<br /> [ 1253.547304] [] (irq_exit) from [] (__handle_domain_irq+0x60/0xb4)<br /> [ 1253.554428] [] (__handle_domain_irq) from [] (gic_handle_irq+0x4c/0x90)<br /> [ 1253.562321] [] (gic_handle_irq) from [] (__irq_svc+0x58/0x8c)<br /> <br /> Tested-on: QCN6122 hw1.0 AHB WLAN.HK.2.6.0.1-00851-QCAHKSWPL_SILICONZ-1

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: pci: cx23885: Fix the error handling in cx23885_initdev()<br /> <br /> When the driver fails to call the dma_set_mask(), the driver will get<br /> the following splat:<br /> <br /> [ 55.853884] BUG: KASAN: use-after-free in __process_removed_driver+0x3c/0x240<br /> [ 55.854486] Read of size 8 at addr ffff88810de60408 by task modprobe/590<br /> [ 55.856822] Call Trace:<br /> [ 55.860327] __process_removed_driver+0x3c/0x240<br /> [ 55.861347] bus_for_each_dev+0x102/0x160<br /> [ 55.861681] i2c_del_driver+0x2f/0x50<br /> <br /> This is because the driver has initialized the i2c related resources<br /> in cx23885_dev_setup() but not released them in error handling, fix this<br /> bug by modifying the error path that jumps after failing to call the<br /> dma_set_mask().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: cx25821: Fix the warning when removing the module<br /> <br /> When removing the module, we will get the following warning:<br /> <br /> [ 14.746697] remove_proc_entry: removing non-empty directory &amp;#39;irq/21&amp;#39;, leaking at least &amp;#39;cx25821[1]&amp;#39;<br /> [ 14.747449] WARNING: CPU: 4 PID: 368 at fs/proc/generic.c:717 remove_proc_entry+0x389/0x3f0<br /> [ 14.751611] RIP: 0010:remove_proc_entry+0x389/0x3f0<br /> [ 14.759589] Call Trace:<br /> [ 14.759792] <br /> [ 14.759975] unregister_irq_proc+0x14c/0x170<br /> [ 14.760340] irq_free_descs+0x94/0xe0<br /> [ 14.760640] mp_unmap_irq+0xb6/0x100<br /> [ 14.760937] acpi_unregister_gsi_ioapic+0x27/0x40<br /> [ 14.761334] acpi_pci_irq_disable+0x1d3/0x320<br /> [ 14.761688] pci_disable_device+0x1ad/0x380<br /> [ 14.762027] ? _raw_spin_unlock_irqrestore+0x2d/0x60<br /> [ 14.762442] ? cx25821_shutdown+0x20/0x9f0 [cx25821]<br /> [ 14.762848] cx25821_finidev+0x48/0xc0 [cx25821]<br /> [ 14.763242] pci_device_remove+0x92/0x240<br /> <br /> Fix this by freeing the irq before call pci_disable_device().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> md/bitmap: don&amp;#39;t set sb values if can&amp;#39;t pass sanity check<br /> <br /> If bitmap area contains invalid data, kernel will crash then mdadm<br /> triggers "Segmentation fault".<br /> This is cluster-md speical bug. In non-clustered env, mdadm will<br /> handle broken metadata case. In clustered array, only kernel space<br /> handles bitmap slot info. But even this bug only happened in clustered<br /> env, current sanity check is wrong, the code should be changed.<br /> <br /> How to trigger: (faulty injection)<br /> <br /> dd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sda<br /> dd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sdb<br /> mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda /dev/sdb<br /> mdadm -Ss<br /> echo aaa &gt; magic.txt<br /> == below modifying slot 2 bitmap data ==<br /> dd if=magic.txt of=/dev/sda seek=16384 bs=1 count=3

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: venus: hfi: avoid null dereference in deinit<br /> <br /> If venus_probe fails at pm_runtime_put_sync the error handling first<br /> calls hfi_destroy and afterwards hfi_core_deinit. As hfi_destroy sets<br /> core-&gt;ops to NULL, hfi_core_deinit cannot call the core_deinit function<br /> anymore.<br /> <br /> Avoid this null pointer derefence by skipping the call when necessary.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: i2c: dw9714: Disable the regulator when the driver fails to probe<br /> <br /> When the driver fails to probe, we will get the following splat:<br /> <br /> [ 59.305988] ------------[ cut here ]------------<br /> [ 59.306417] WARNING: CPU: 2 PID: 395 at drivers/regulator/core.c:2257 _regulator_put+0x3ec/0x4e0<br /> [ 59.310345] RIP: 0010:_regulator_put+0x3ec/0x4e0<br /> [ 59.318362] Call Trace:<br /> [ 59.318582] <br /> [ 59.318765] regulator_put+0x1f/0x30<br /> [ 59.319058] devres_release_group+0x319/0x3d0<br /> [ 59.319420] i2c_device_probe+0x766/0x940<br /> <br /> Fix this by disabling the regulator in error handling.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu/pm: fix the null pointer while the smu is disabled<br /> <br /> It needs to check if the pp_funcs is initialized while release the<br /> context, otherwise it will trigger null pointer panic while the software<br /> smu is not enabled.<br /> <br /> [ 1109.404555] BUG: kernel NULL pointer dereference, address: 0000000000000078<br /> [ 1109.404609] #PF: supervisor read access in kernel mode<br /> [ 1109.404638] #PF: error_code(0x0000) - not-present page<br /> [ 1109.404657] PGD 0 P4D 0<br /> [ 1109.404672] Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> [ 1109.404701] CPU: 7 PID: 9150 Comm: amdgpu_test Tainted: G OEL 5.16.0-custom #1<br /> [ 1109.404732] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006<br /> [ 1109.404765] RIP: 0010:amdgpu_dpm_force_performance_level+0x1d/0x170 [amdgpu]<br /> [ 1109.405109] Code: 5d c3 44 8b a3 f0 80 00 00 eb e5 66 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 08 4c 8b b7 f0 7d 00 00 83 7e 78 00 0f 84 f2 00 00 00 80 bf 87 80 00 00 00 48 89 fb 0f<br /> [ 1109.405176] RSP: 0018:ffffaf3083ad7c20 EFLAGS: 00010282<br /> [ 1109.405203] RAX: 0000000000000000 RBX: ffff9796b1c14600 RCX: 0000000002862007<br /> [ 1109.405229] RDX: ffff97968591c8c0 RSI: 0000000000000001 RDI: ffff9796a3700000<br /> [ 1109.405260] RBP: ffffaf3083ad7c50 R08: ffffffff9897de00 R09: ffff979688d9db60<br /> [ 1109.405286] R10: 0000000000000000 R11: ffff979688d9db90 R12: 0000000000000001<br /> [ 1109.405316] R13: ffff9796a3700000 R14: 0000000000000000 R15: ffff9796a3708fc0<br /> [ 1109.405345] FS: 00007ff055cff180(0000) GS:ffff9796bfdc0000(0000) knlGS:0000000000000000<br /> [ 1109.405378] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 1109.405400] CR2: 0000000000000078 CR3: 000000000a394000 CR4: 00000000000506e0<br /> [ 1109.405434] Call Trace:<br /> [ 1109.405445] <br /> [ 1109.405456] ? delete_object_full+0x1d/0x20<br /> [ 1109.405480] amdgpu_ctx_set_stable_pstate+0x7c/0xa0 [amdgpu]<br /> [ 1109.405698] amdgpu_ctx_fini.part.0+0xcb/0x100 [amdgpu]<br /> [ 1109.405911] amdgpu_ctx_do_release+0x71/0x80 [amdgpu]<br /> [ 1109.406121] amdgpu_ctx_ioctl+0x52d/0x550 [amdgpu]<br /> [ 1109.406327] ? _raw_spin_unlock+0x1a/0x30<br /> [ 1109.406354] ? drm_gem_handle_delete+0x81/0xb0 [drm]<br /> [ 1109.406400] ? amdgpu_ctx_get_entity+0x2c0/0x2c0 [amdgpu]<br /> [ 1109.406609] drm_ioctl_kernel+0xb6/0x140 [drm]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/pm: fix double free in si_parse_power_table()<br /> <br /> In function si_parse_power_table(), array adev-&gt;pm.dpm.ps and its member<br /> is allocated. If the allocation of each member fails, the array itself<br /> is freed and returned with an error code. However, the array is later<br /> freed again in si_dpm_fini() function which is called when the function<br /> returns an error.<br /> <br /> This leads to potential double free of the array adev-&gt;pm.dpm.ps, as<br /> well as leak of its array members, since the members are not freed in<br /> the allocation function and the array is not nulled when freed.<br /> In addition adev-&gt;pm.dpm.num_ps, which keeps track of the allocated<br /> array member, is not updated until the member allocation is<br /> successfully finished, this could also lead to either use after free,<br /> or uninitialized variable access in si_dpm_fini().<br /> <br /> Fix this by postponing the free of the array until si_dpm_fini() and<br /> increment adev-&gt;pm.dpm.num_ps everytime the array member is allocated.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/omap: fix NULL but dereferenced coccicheck error<br /> <br /> Fix the following coccicheck warning:<br /> ./drivers/gpu/drm/omapdrm/omap_overlay.c:89:22-25: ERROR: r_ovl is NULL<br /> but dereferenced.<br /> <br /> Here should be ovl-&gt;idx rather than r_ovl-&gt;idx.