Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: rc: gpio-ir-recv: add remove function<br /> <br /> In case runtime PM is enabled, do runtime PM clean up to remove<br /> cpu latency qos request, otherwise driver removal may have below<br /> kernel dump:<br /> <br /> [ 19.463299] Unable to handle kernel NULL pointer dereference at<br /> virtual address 0000000000000048<br /> [ 19.472161] Mem abort info:<br /> [ 19.474985] ESR = 0x0000000096000004<br /> [ 19.478754] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 19.484081] SET = 0, FnV = 0<br /> [ 19.487149] EA = 0, S1PTW = 0<br /> [ 19.490361] FSC = 0x04: level 0 translation fault<br /> [ 19.495256] Data abort info:<br /> [ 19.498149] ISV = 0, ISS = 0x00000004<br /> [ 19.501997] CM = 0, WnR = 0<br /> [ 19.504977] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000049f81000<br /> [ 19.511432] [0000000000000048] pgd=0000000000000000,<br /> p4d=0000000000000000<br /> [ 19.518245] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP<br /> [ 19.524520] Modules linked in: gpio_ir_recv(+) rc_core [last<br /> unloaded: rc_core]<br /> [ 19.531845] CPU: 0 PID: 445 Comm: insmod Not tainted<br /> 6.2.0-rc1-00028-g2c397a46d47c #72<br /> [ 19.531854] Hardware name: FSL i.MX8MM EVK board (DT)<br /> [ 19.531859] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS<br /> BTYPE=--)<br /> [ 19.551777] pc : cpu_latency_qos_remove_request+0x20/0x110<br /> [ 19.557277] lr : gpio_ir_recv_runtime_suspend+0x18/0x30<br /> [gpio_ir_recv]<br /> [ 19.557294] sp : ffff800008ce3740<br /> [ 19.557297] x29: ffff800008ce3740 x28: 0000000000000000 x27:<br /> ffff800008ce3d50<br /> [ 19.574270] x26: ffffc7e3e9cea100 x25: 00000000000f4240 x24:<br /> ffffc7e3f9ef0e30<br /> [ 19.574284] x23: 0000000000000000 x22: ffff0061803820f4 x21:<br /> 0000000000000008<br /> [ 19.574296] x20: ffffc7e3fa75df30 x19: 0000000000000020 x18:<br /> ffffffffffffffff<br /> [ 19.588570] x17: 0000000000000000 x16: ffffc7e3f9efab70 x15:<br /> ffffffffffffffff<br /> [ 19.595712] x14: ffff800008ce37b8 x13: ffff800008ce37aa x12:<br /> 0000000000000001<br /> [ 19.602853] x11: 0000000000000001 x10: ffffcbe3ec0dff87 x9 :<br /> 0000000000000008<br /> [ 19.609991] x8 : 0101010101010101 x7 : 0000000000000000 x6 :<br /> 000000000f0bfe9f<br /> [ 19.624261] x5 : 00ffffffffffffff x4 : 0025ab8e00000000 x3 :<br /> ffff006180382010<br /> [ 19.631405] x2 : ffffc7e3e9ce8030 x1 : ffffc7e3fc3eb810 x0 :<br /> 0000000000000020<br /> [ 19.638548] Call trace:<br /> [ 19.640995] cpu_latency_qos_remove_request+0x20/0x110<br /> [ 19.646142] gpio_ir_recv_runtime_suspend+0x18/0x30 [gpio_ir_recv]<br /> [ 19.652339] pm_generic_runtime_suspend+0x2c/0x44<br /> [ 19.657055] __rpm_callback+0x48/0x1dc<br /> [ 19.660807] rpm_callback+0x6c/0x80<br /> [ 19.664301] rpm_suspend+0x10c/0x640<br /> [ 19.667880] rpm_idle+0x250/0x2d0<br /> [ 19.671198] update_autosuspend+0x38/0xe0<br /> [ 19.675213] pm_runtime_set_autosuspend_delay+0x40/0x60<br /> [ 19.680442] gpio_ir_recv_probe+0x1b4/0x21c [gpio_ir_recv]<br /> [ 19.685941] platform_probe+0x68/0xc0<br /> [ 19.689610] really_probe+0xc0/0x3dc<br /> [ 19.693189] __driver_probe_device+0x7c/0x190<br /> [ 19.697550] driver_probe_device+0x3c/0x110<br /> [ 19.701739] __driver_attach+0xf4/0x200<br /> [ 19.705578] bus_for_each_dev+0x70/0xd0<br /> [ 19.709417] driver_attach+0x24/0x30<br /> [ 19.712998] bus_add_driver+0x17c/0x240<br /> [ 19.716834] driver_register+0x78/0x130<br /> [ 19.720676] __platform_driver_register+0x28/0x34<br /> [ 19.725386] gpio_ir_recv_driver_init+0x20/0x1000 [gpio_ir_recv]<br /> [ 19.731404] do_one_initcall+0x44/0x2ac<br /> [ 19.735243] do_init_module+0x48/0x1d0<br /> [ 19.739003] load_module+0x19fc/0x2034<br /> [ 19.742759] __do_sys_finit_module+0xac/0x12c<br /> [ 19.747124] __arm64_sys_finit_module+0x20/0x30<br /> [ 19.751664] invoke_syscall+0x48/0x114<br /> [ 19.755420] el0_svc_common.constprop.0+0xcc/0xec<br /> [ 19.760132] do_el0_svc+0x38/0xb0<br /> [ 19.763456] el0_svc+0x2c/0x84<br /> [ 19.766516] el0t_64_sync_handler+0xf4/0x120<br /> [ 19.770789] el0t_64_sync+0x190/0x194<br /> [ 19.774460] Code: 910003fd a90153f3 aa0003f3 91204021 (f9401400)<br /> [ 19.780556] ---[ end trace 0000000000000000 ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/iommu: fix memory leak with using debugfs_lookup()<br /> <br /> When calling debugfs_lookup() the result must have dput() called on it,<br /> otherwise the memory will leak over time. To make things simpler, just<br /> call debugfs_lookup_and_remove() instead which handles all of the logic<br /> at once.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> interconnect: fix mem leak when freeing nodes<br /> <br /> The node link array is allocated when adding links to a node but is not<br /> deallocated when nodes are destroyed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/ttm: Fix a NULL pointer dereference<br /> <br /> The LRU mechanism may look up a resource in the process of being removed<br /> from an object. The locking rules here are a bit unclear but it looks<br /> currently like res-&gt;bo assignment is protected by the LRU lock, whereas<br /> bo-&gt;resource is protected by the object lock, while *clearing* of<br /> bo-&gt;resource is also protected by the LRU lock. This means that if<br /> we check that bo-&gt;resource points to the LRU resource under the LRU<br /> lock we should be safe.<br /> So perform that check before deciding to swap out a bo. That avoids<br /> dereferencing a NULL bo-&gt;resource in ttm_bo_swapout().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: serial: fsl_lpuart: fix race on RX DMA shutdown<br /> <br /> From time to time DMA completion can come in the middle of DMA shutdown:<br /> <br /> : :<br /> lpuart32_shutdown()<br /> lpuart_dma_shutdown()<br /> del_timer_sync()<br /> lpuart_dma_rx_complete()<br /> lpuart_copy_rx_to_tty()<br /> mod_timer()<br /> lpuart_dma_rx_free()<br /> <br /> When the timer fires a bit later, sport-&gt;dma_rx_desc is NULL:<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004<br /> pc : lpuart_copy_rx_to_tty+0xcc/0x5bc<br /> lr : lpuart_timer_func+0x1c/0x2c<br /> Call trace:<br /> lpuart_copy_rx_to_tty<br /> lpuart_timer_func<br /> call_timer_fn<br /> __run_timers.part.0<br /> run_timer_softirq<br /> __do_softirq<br /> __irq_exit_rcu<br /> irq_exit<br /> handle_domain_irq<br /> gic_handle_irq<br /> call_on_irq_stack<br /> do_interrupt_handler<br /> ...<br /> <br /> To fix this fold del_timer_sync() into lpuart_dma_rx_free() after<br /> dmaengine_terminate_sync() to make sure timer will not be re-started in<br /> lpuart_copy_rx_to_tty()

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing: Do not let histogram values have some modifiers<br /> <br /> Histogram values can not be strings, stacktraces, graphs, symbols,<br /> syscalls, or grouped in buckets or log. Give an error if a value is set to<br /> do so.<br /> <br /> Note, the histogram code was not prepared to handle these modifiers for<br /> histograms and caused a bug.<br /> <br /> Mark Rutland reported:<br /> <br /> # echo &amp;#39;p:copy_to_user __arch_copy_to_user n=$arg2&amp;#39; &gt;&gt; /sys/kernel/tracing/kprobe_events<br /> # echo &amp;#39;hist:keys=n:vals=hitcount.buckets=8:sort=hitcount&amp;#39; &gt; /sys/kernel/tracing/events/kprobes/copy_to_user/trigger<br /> # cat /sys/kernel/tracing/events/kprobes/copy_to_user/hist<br /> [ 143.694628] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000<br /> [ 143.695190] Mem abort info:<br /> [ 143.695362] ESR = 0x0000000096000004<br /> [ 143.695604] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 143.695889] SET = 0, FnV = 0<br /> [ 143.696077] EA = 0, S1PTW = 0<br /> [ 143.696302] FSC = 0x04: level 0 translation fault<br /> [ 143.702381] Data abort info:<br /> [ 143.702614] ISV = 0, ISS = 0x00000004<br /> [ 143.702832] CM = 0, WnR = 0<br /> [ 143.703087] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000448f9000<br /> [ 143.703407] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000<br /> [ 143.704137] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP<br /> [ 143.704714] Modules linked in:<br /> [ 143.705273] CPU: 0 PID: 133 Comm: cat Not tainted 6.2.0-00003-g6fc512c10a7c #3<br /> [ 143.706138] Hardware name: linux,dummy-virt (DT)<br /> [ 143.706723] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 143.707120] pc : hist_field_name.part.0+0x14/0x140<br /> [ 143.707504] lr : hist_field_name.part.0+0x104/0x140<br /> [ 143.707774] sp : ffff800008333a30<br /> [ 143.707952] x29: ffff800008333a30 x28: 0000000000000001 x27: 0000000000400cc0<br /> [ 143.708429] x26: ffffd7a653b20260 x25: 0000000000000000 x24: ffff10d303ee5800<br /> [ 143.708776] x23: ffffd7a6539b27b0 x22: ffff10d303fb8c00 x21: 0000000000000001<br /> [ 143.709127] x20: ffff10d303ec2000 x19: 0000000000000000 x18: 0000000000000000<br /> [ 143.709478] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000<br /> [ 143.709824] x14: 0000000000000000 x13: 203a6f666e692072 x12: 6567676972742023<br /> [ 143.710179] x11: 0a230a6d6172676f x10: 000000000000002c x9 : ffffd7a6521e018c<br /> [ 143.710584] x8 : 000000000000002c x7 : 7f7f7f7f7f7f7f7f x6 : 000000000000002c<br /> [ 143.710915] x5 : ffff10d303b0103e x4 : ffffd7a653b20261 x3 : 000000000000003d<br /> [ 143.711239] x2 : 0000000000020001 x1 : 0000000000000001 x0 : 0000000000000000<br /> [ 143.711746] Call trace:<br /> [ 143.712115] hist_field_name.part.0+0x14/0x140<br /> [ 143.712642] hist_field_name.part.0+0x104/0x140<br /> [ 143.712925] hist_field_print+0x28/0x140<br /> [ 143.713125] event_hist_trigger_print+0x174/0x4d0<br /> [ 143.713348] hist_show+0xf8/0x980<br /> [ 143.713521] seq_read_iter+0x1bc/0x4b0<br /> [ 143.713711] seq_read+0x8c/0xc4<br /> [ 143.713876] vfs_read+0xc8/0x2a4<br /> [ 143.714043] ksys_read+0x70/0xfc<br /> [ 143.714218] __arm64_sys_read+0x24/0x30<br /> [ 143.714400] invoke_syscall+0x50/0x120<br /> [ 143.714587] el0_svc_common.constprop.0+0x4c/0x100<br /> [ 143.714807] do_el0_svc+0x44/0xd0<br /> [ 143.714970] el0_svc+0x2c/0x84<br /> [ 143.715134] el0t_64_sync_handler+0xbc/0x140<br /> [ 143.715334] el0t_64_sync+0x190/0x194<br /> [ 143.715742] Code: a9bd7bfd 910003fd a90153f3 aa0003f3 (f9400000)<br /> [ 143.716510] ---[ end trace 0000000000000000 ]---<br /> Segmentation fault

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> interconnect: exynos: fix node leak in probe PM QoS error path<br /> <br /> Make sure to add the newly allocated interconnect node to the provider<br /> before adding the PM QoS request so that the node is freed on errors.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: update s_journal_inum if it changes after journal replay<br /> <br /> When mounting a crafted ext4 image, s_journal_inum may change after journal<br /> replay, which is obviously unreasonable because we have successfully loaded<br /> and replayed the journal through the old s_journal_inum. And the new<br /> s_journal_inum bypasses some of the checks in ext4_get_journal(), which<br /> may trigger a null pointer dereference problem. So if s_journal_inum<br /> changes after the journal replay, we ignore the change, and rewrite the<br /> current journal_inum to the superblock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vp_vdpa: fix the crash in hot unplug with vp_vdpa<br /> <br /> While unplugging the vp_vdpa device, it triggers a kernel panic<br /> The root cause is: vdpa_mgmtdev_unregister() will accesses modern<br /> devices which will cause a use after free.<br /> So need to change the sequence in vp_vdpa_remove<br /> <br /> [ 195.003359] BUG: unable to handle page fault for address: ff4e8beb80199014<br /> [ 195.004012] #PF: supervisor read access in kernel mode<br /> [ 195.004486] #PF: error_code(0x0000) - not-present page<br /> [ 195.004960] PGD 100000067 P4D 1001b6067 PUD 1001b7067 PMD 1001b8067 PTE 0<br /> [ 195.005578] Oops: 0000 1 PREEMPT SMP PTI<br /> [ 195.005968] CPU: 13 PID: 164 Comm: kworker/u56:10 Kdump: loaded Not tainted 5.14.0-252.el9.x86_64 #1<br /> [ 195.006792] Hardware name: Red Hat KVM/RHEL, BIOS edk2-20221207gitfff6d81270b5-2.el9 unknown<br /> [ 195.007556] Workqueue: kacpi_hotplug acpi_hotplug_work_fn<br /> [ 195.008059] RIP: 0010:ioread8+0x31/0x80<br /> [ 195.008418] Code: 77 28 48 81 ff 00 00 01 00 76 0b 89 fa ec 0f b6 c0 c3 cc cc cc cc 8b 15 ad 72 93 01 b8 ff 00 00 00 85 d2 75 0f c3 cc cc cc cc 07 0f b6 c0 c3 cc cc cc cc 83 ea 01 48 83 ec 08 48 89 fe 48 c7<br /> [ 195.010104] RSP: 0018:ff4e8beb8067bab8 EFLAGS: 00010292<br /> [ 195.010584] RAX: ffffffffc05834a0 RBX: ffffffffc05843c0 RCX: ff4e8beb8067bae0<br /> [ 195.011233] RDX: ff1bcbd580f88000 RSI: 0000000000000246 RDI: ff4e8beb80199014<br /> [ 195.011881] RBP: ff1bcbd587e39000 R08: ffffffff916fa2d0 R09: ff4e8beb8067ba68<br /> [ 195.012527] R10: 000000000000001c R11: 0000000000000000 R12: ff1bcbd5a3de9120<br /> [ 195.013179] R13: ffffffffc062d000 R14: 0000000000000080 R15: ff1bcbe402bc7805<br /> [ 195.013826] FS: 0000000000000000(0000) GS:ff1bcbe402740000(0000) knlGS:0000000000000000<br /> [ 195.014564] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 195.015093] CR2: ff4e8beb80199014 CR3: 0000000107dea002 CR4: 0000000000771ee0<br /> [ 195.015741] PKRU: 55555554<br /> [ 195.016001] Call Trace:<br /> [ 195.016233] <br /> [ 195.016434] vp_modern_get_status+0x12/0x20<br /> [ 195.016823] vp_vdpa_reset+0x1b/0x50 [vp_vdpa]<br /> [ 195.017238] virtio_vdpa_reset+0x3c/0x48 [virtio_vdpa]<br /> [ 195.017709] remove_vq_common+0x1f/0x3a0 [virtio_net]<br /> [ 195.018178] virtnet_remove+0x5d/0x70 [virtio_net]<br /> [ 195.018618] virtio_dev_remove+0x3d/0x90<br /> [ 195.018986] device_release_driver_internal+0x1aa/0x230<br /> [ 195.019466] bus_remove_device+0xd8/0x150<br /> [ 195.019841] device_del+0x18b/0x3f0<br /> [ 195.020167] ? kernfs_find_ns+0x35/0xd0<br /> [ 195.020526] device_unregister+0x13/0x60<br /> [ 195.020894] unregister_virtio_device+0x11/0x20<br /> [ 195.021311] device_release_driver_internal+0x1aa/0x230<br /> [ 195.021790] bus_remove_device+0xd8/0x150<br /> [ 195.022162] device_del+0x18b/0x3f0<br /> [ 195.022487] device_unregister+0x13/0x60<br /> [ 195.022852] ? vdpa_dev_remove+0x30/0x30 [vdpa]<br /> [ 195.023270] vp_vdpa_dev_del+0x12/0x20 [vp_vdpa]<br /> [ 195.023694] vdpa_match_remove+0x2b/0x40 [vdpa]<br /> [ 195.024115] bus_for_each_dev+0x78/0xc0<br /> [ 195.024471] vdpa_mgmtdev_unregister+0x65/0x80 [vdpa]<br /> [ 195.024937] vp_vdpa_remove+0x23/0x40 [vp_vdpa]<br /> [ 195.025353] pci_device_remove+0x36/0xa0<br /> [ 195.025719] device_release_driver_internal+0x1aa/0x230<br /> [ 195.026201] pci_stop_bus_device+0x6c/0x90<br /> [ 195.026580] pci_stop_and_remove_bus_device+0xe/0x20<br /> [ 195.027039] disable_slot+0x49/0x90<br /> [ 195.027366] acpiphp_disable_and_eject_slot+0x15/0x90<br /> [ 195.027832] hotplug_event+0xea/0x210<br /> [ 195.028171] ? hotplug_event+0x210/0x210<br /> [ 195.028535] acpiphp_hotplug_notify+0x22/0x80<br /> [ 195.028942] ? hotplug_event+0x210/0x210<br /> [ 195.029303] acpi_device_hotplug+0x8a/0x1d0<br /> [ 195.029690] acpi_hotplug_work_fn+0x1a/0x30<br /> [ 195.030077] process_one_work+0x1e8/0x3c0<br /> [ 195.030451] worker_thread+0x50/0x3b0<br /> [ 195.030791] ? rescuer_thread+0x3a0/0x3a0<br /> [ 195.031165] kthread+0xd9/0x100<br /> [ 195.031459] ? kthread_complete_and_exit+0x20/0x20<br /> [ 195.031899] ret_from_fork+0x22/0x30<br /> [ 195.032233]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: fix data corruption after failed write<br /> <br /> When buffered write fails to copy data into underlying page cache page,<br /> ocfs2_write_end_nolock() just zeroes out and dirties the page. This can<br /> leave dirty page beyond EOF and if page writeback tries to write this page<br /> before write succeeds and expands i_size, page gets into inconsistent<br /> state where page dirty bit is clear but buffer dirty bits stay set<br /> resulting in page data never getting written and so data copied to the<br /> page is lost. Fix the problem by invalidating page beyond EOF after<br /> failed write.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xsk: Add missing overflow check in xdp_umem_reg<br /> <br /> The number of chunks can overflow u32. Make sure to return -EINVAL on<br /> overflow. Also remove a redundant u32 cast assigning umem-&gt;npgs.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdkfd: Fix an illegal memory access<br /> <br /> In the kfd_wait_on_events() function, the kfd_event_waiter structure is<br /> allocated by alloc_event_waiters(), but the event field of the waiter<br /> structure is not initialized; When copy_from_user() fails in the<br /> kfd_wait_on_events() function, it will enter exception handling to<br /> release the previously allocated memory of the waiter structure;<br /> Due to the event field of the waiters structure being accessed<br /> in the free_waiters() function, this results in illegal memory access<br /> and system crash, here is the crash log:<br /> <br /> localhost kernel: RIP: 0010:native_queued_spin_lock_slowpath+0x185/0x1e0<br /> localhost kernel: RSP: 0018:ffffaa53c362bd60 EFLAGS: 00010082<br /> localhost kernel: RAX: ff3d3d6bff4007cb RBX: 0000000000000282 RCX: 00000000002c0000<br /> localhost kernel: RDX: ffff9e855eeacb80 RSI: 000000000000279c RDI: ffffe7088f6a21d0<br /> localhost kernel: RBP: ffffe7088f6a21d0 R08: 00000000002c0000 R09: ffffaa53c362be64<br /> localhost kernel: R10: ffffaa53c362bbd8 R11: 0000000000000001 R12: 0000000000000002<br /> localhost kernel: R13: ffff9e7ead15d600 R14: 0000000000000000 R15: ffff9e7ead15d698<br /> localhost kernel: FS: 0000152a3d111700(0000) GS:ffff9e855ee80000(0000) knlGS:0000000000000000<br /> localhost kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> localhost kernel: CR2: 0000152938000010 CR3: 000000044d7a4000 CR4: 00000000003506e0<br /> localhost kernel: Call Trace:<br /> localhost kernel: _raw_spin_lock_irqsave+0x30/0x40<br /> localhost kernel: remove_wait_queue+0x12/0x50<br /> localhost kernel: kfd_wait_on_events+0x1b6/0x490 [hydcu]<br /> localhost kernel: ? ftrace_graph_caller+0xa0/0xa0<br /> localhost kernel: kfd_ioctl+0x38c/0x4a0 [hydcu]<br /> localhost kernel: ? kfd_ioctl_set_trap_handler+0x70/0x70 [hydcu]<br /> localhost kernel: ? kfd_ioctl_create_queue+0x5a0/0x5a0 [hydcu]<br /> localhost kernel: ? ftrace_graph_caller+0xa0/0xa0<br /> localhost kernel: __x64_sys_ioctl+0x8e/0xd0<br /> localhost kernel: ? syscall_trace_enter.isra.18+0x143/0x1b0<br /> localhost kernel: do_syscall_64+0x33/0x80<br /> localhost kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9<br /> localhost kernel: RIP: 0033:0x152a4dff68d7<br /> <br /> Allocate the structure with kcalloc, and remove redundant 0-initialization<br /> and a redundant loop condition check.