Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement, through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are available, with criteria such as vulnerability type, manufacturer and impact level, among others, to narrow down the results.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-56573

Publication date: 27/12/2024

In the Linux kernel, the following vulnerability has been resolved:

efi/libstub: Free correct pointer on failure

cmdline_ptr is an out parameter, which is not allocated by the function itself, and likely points into the caller's stack.

cmdline refers to the pool allocation that should be freed when cleaning up after a failure, so pass this instead to free_pool().

Severity CVSS v4.0: Pending analysis
Last modification: 07/10/2025

CVE-2024-56577

Publication date: 27/12/2024

In the Linux kernel, the following vulnerability has been resolved:

media: mtk-jpeg: Fix null-ptr-deref during unload module

The workqueue should be destroyed in mtk_jpeg_core.c since commit 09aea13ecf6f ("media: mtk-jpeg: refactor some variables"), otherwise the below calltrace can be easily triggered.

[ 677.862514] Unable to handle kernel paging request at virtual address dfff800000000023
[ 677.863633] KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
...
[ 677.879654] CPU: 6 PID: 1071 Comm: modprobe Tainted: G O 6.8.12-mtk+gfa1a78e5d24b+ #17
...
[ 677.882838] pc : destroy_workqueue+0x3c/0x770
[ 677.883413] lr : mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw]
[ 677.884314] sp : ffff80008ad974f0
[ 677.884744] x29: ffff80008ad974f0 x28: ffff0000d7115580 x27: ffff0000dd691070
[ 677.885669] x26: ffff0000dd691408 x25: ffff8000844af3e0 x24: ffff80008ad97690
[ 677.886592] x23: ffff0000e051d400 x22: ffff0000dd691010 x21: dfff800000000000
[ 677.887515] x20: 0000000000000000 x19: 0000000000000000 x18: ffff800085397ac0
[ 677.888438] x17: 0000000000000000 x16: ffff8000801b87c8 x15: 1ffff000115b2e10
[ 677.889361] x14: 00000000f1f1f1f1 x13: 0000000000000000 x12: ffff7000115b2e4d
[ 677.890285] x11: 1ffff000115b2e4c x10: ffff7000115b2e4c x9 : ffff80000aa43e90
[ 677.891208] x8 : 00008fffeea4d1b4 x7 : ffff80008ad97267 x6 : 0000000000000001
[ 677.892131] x5 : ffff80008ad97260 x4 : ffff7000115b2e4d x3 : 0000000000000000
[ 677.893054] x2 : 0000000000000023 x1 : dfff800000000000 x0 : 0000000000000118
[ 677.893977] Call trace:
[ 677.894297] destroy_workqueue+0x3c/0x770
[ 677.894826] mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw]
[ 677.895677] devm_action_release+0x50/0x90
[ 677.896211] release_nodes+0xe8/0x170
[ 677.896688] devres_release_all+0xf8/0x178
[ 677.897219] device_unbind_cleanup+0x24/0x170
[ 677.897785] device_release_driver_internal+0x35c/0x480
[ 677.898461] device_release_driver+0x20/0x38
...
[ 677.912665] ---[ end trace 0000000000000000 ]---

Severity CVSS v4.0: Pending analysis
Last modification: 01/10/2025

CVE-2024-56572

Publication date: 27/12/2024

In the Linux kernel, the following vulnerability has been resolved:

media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal()

The buffer in the loop should be released under the exception path, otherwise there may be a memory leak here.

To mitigate this, free the buffer when allegro_alloc_buffer fails.

Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025

CVE-2024-56574

Publication date: 27/12/2024

In the Linux kernel, the following vulnerability has been resolved:

media: ts2020: fix null-ptr-deref in ts2020_probe()

KASAN reported a null-ptr-deref issue when executing the following command:

# echo ts2020 0x20 > /sys/bus/i2c/devices/i2c-0/new_device
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 53 UID: 0 PID: 970 Comm: systemd-udevd Not tainted 6.12.0-rc2+ #24
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)
RIP: 0010:ts2020_probe+0xad/0xe10 [ts2020]
RSP: 0018:ffffc9000abbf598 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffffc0714809
RDX: 0000000000000002 RSI: ffff88811550be00 RDI: 0000000000000010
RBP: ffff888109868800 R08: 0000000000000001 R09: fffff52001577eb6
R10: 0000000000000000 R11: ffffc9000abbff50 R12: ffffffffc0714790
R13: 1ffff92001577eb8 R14: ffffffffc07190d0 R15: 0000000000000001
FS: 00007f95f13b98c0(0000) GS:ffff888149280000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555d2634b000 CR3: 0000000152236000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:

ts2020_probe+0xad/0xe10 [ts2020]
i2c_device_probe+0x421/0xb40
really_probe+0x266/0x850
...

The cause of the problem is that when using sysfs to dynamically register an i2c device, there is no platform data, but the probe process of ts2020 needs to use platform data, resulting in a null pointer being accessed.

Solve this problem by adding checks to platform data.

Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025

CVE-2024-56575

Publication date: 27/12/2024

In the Linux kernel, the following vulnerability has been resolved:

media: imx-jpeg: Ensure power suppliers be suspended before detach them

The power suppliers are always requested to suspend asynchronously, dev_pm_domain_detach() requires the caller to ensure proper synchronization of this function with power management callbacks. Otherwise the detach may lead to kernel panic, like below:

[ 1457.107934] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040
[ 1457.116777] Mem abort info:
[ 1457.119589] ESR = 0x0000000096000004
[ 1457.123358] EC = 0x25: DABT (current EL), IL = 32 bits
[ 1457.128692] SET = 0, FnV = 0
[ 1457.131764] EA = 0, S1PTW = 0
[ 1457.134920] FSC = 0x04: level 0 translation fault
[ 1457.139812] Data abort info:
[ 1457.142707] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 1457.148196] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 1457.153256] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 1457.158563] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001138b6000
[ 1457.165000] [0000000000000040] pgd=0000000000000000, p4d=0000000000000000
[ 1457.171792] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 1457.178045] Modules linked in: v4l2_jpeg wave6_vpu_ctrl(-) [last unloaded: mxc_jpeg_encdec]
[ 1457.186383] CPU: 0 PID: 51938 Comm: kworker/0:3 Not tainted 6.6.36-gd23d64eea511 #66
[ 1457.194112] Hardware name: NXP i.MX95 19X19 board (DT)
[ 1457.199236] Workqueue: pm pm_runtime_work
[ 1457.203247] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 1457.210188] pc : genpd_runtime_suspend+0x20/0x290
[ 1457.214886] lr : __rpm_callback+0x48/0x1d8
[ 1457.218968] sp : ffff80008250bc50
[ 1457.222270] x29: ffff80008250bc50 x28: 0000000000000000 x27: 0000000000000000
[ 1457.229394] x26: 0000000000000000 x25: 0000000000000008 x24: 00000000000f4240
[ 1457.236518] x23: 0000000000000000 x22: ffff00008590f0e4 x21: 0000000000000008
[ 1457.243642] x20: ffff80008099c434 x19: ffff00008590f000 x18: ffffffffffffffff
[ 1457.250766] x17: 5300326563697665 x16: 645f676e696c6f6f x15: 63343a6d726f6674
[ 1457.257890] x14: 0000000000000004 x13: 00000000000003a4 x12: 0000000000000002
[ 1457.265014] x11: 0000000000000000 x10: 0000000000000a60 x9 : ffff80008250bbb0
[ 1457.272138] x8 : ffff000092937200 x7 : ffff0003fdf6af80 x6 : 0000000000000000
[ 1457.279262] x5 : 00000000410fd050 x4 : 0000000000200000 x3 : 0000000000000000
[ 1457.286386] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00008590f000
[ 1457.293510] Call trace:
[ 1457.295946] genpd_runtime_suspend+0x20/0x290
[ 1457.300296] __rpm_callback+0x48/0x1d8
[ 1457.304038] rpm_callback+0x6c/0x78
[ 1457.307515] rpm_suspend+0x10c/0x570
[ 1457.311077] pm_runtime_work+0xc4/0xc8
[ 1457.314813] process_one_work+0x138/0x248
[ 1457.318816] worker_thread+0x320/0x438
[ 1457.322552] kthread+0x110/0x114
[ 1457.325767] ret_from_fork+0x10/0x20

Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025

CVE-2024-56576

Publication date: 27/12/2024

In the Linux kernel, the following vulnerability has been resolved:

media: i2c: tc358743: Fix crash in the probe error path when using polling

If an error occurs in the probe() function, we should remove the polling timer that was alarmed earlier, otherwise the timer is called with arguments that are already freed, which results in a crash.

------------[ cut here ]------------
WARNING: CPU: 3 PID: 0 at kernel/time/timer.c:1830 __run_timers+0x244/0x268
Modules linked in:
CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.11.0 #226
Hardware name: Diasom DS-RK3568-SOM-EVB (DT)
pstate: 804000c9 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __run_timers+0x244/0x268
lr : __run_timers+0x1d4/0x268
sp : ffffff80eff2baf0
x29: ffffff80eff2bb50 x28: 7fffffffffffffff x27: ffffff80eff2bb00
x26: ffffffc080f669c0 x25: ffffff80efef6bf0 x24: ffffff80eff2bb00
x23: 0000000000000000 x22: dead000000000122 x21: 0000000000000000
x20: ffffff80efef6b80 x19: ffffff80041c8bf8 x18: ffffffffffffffff
x17: ffffffc06f146000 x16: ffffff80eff27dc0 x15: 000000000000003e
x14: 0000000000000000 x13: 00000000000054da x12: 0000000000000000
x11: 00000000000639c0 x10: 000000000000000c x9 : 0000000000000009
x8 : ffffff80eff2cb40 x7 : ffffff80eff2cb40 x6 : ffffff8002bee480
x5 : ffffffc080cb2220 x4 : ffffffc080cb2150 x3 : 00000000000f4240
x2 : 0000000000000102 x1 : ffffff80eff2bb00 x0 : ffffff80041c8bf0
Call trace:
 __run_timers+0x244/0x268
 timer_expire_remote+0x50/0x68
 tmigr_handle_remote+0x388/0x39c
 run_timer_softirq+0x38/0x44
 handle_softirqs+0x138/0x298
 __do_softirq+0x14/0x20
 ____do_softirq+0x10/0x1c
 call_on_irq_stack+0x24/0x4c
 do_softirq_own_stack+0x1c/0x2c
 irq_exit_rcu+0x9c/0xcc
 el1_interrupt+0x48/0xc0
 el1h_64_irq_handler+0x18/0x24
 el1h_64_irq+0x7c/0x80
 default_idle_call+0x34/0x68
 do_idle+0x23c/0x294
 cpu_startup_entry+0x38/0x3c
 secondary_start_kernel+0x128/0x160
 __secondary_switched+0xb8/0xbc
---[ end trace 0000000000000000 ]---

Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025

CVE-2024-56578

Publication date: 27/12/2024

In the Linux kernel, the following vulnerability has been resolved:

media: imx-jpeg: Set video drvdata before register video device

The video drvdata should be set before the video device is registered, otherwise video_drvdata() may return NULL in the open() file ops, and lead to an oops.

Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025

CVE-2024-56579

Publication date: 27/12/2024

In the Linux kernel, the following vulnerability has been resolved:

media: amphion: Set video drvdata before register video device

The video drvdata should be set before the video device is registered, otherwise video_drvdata() may return NULL in the open() file ops, and lead to an oops.

Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025

CVE-2024-56563

Publication date: 27/12/2024

In the Linux kernel, the following vulnerability has been resolved:

ceph: fix cred leak in ceph_mds_check_access()

get_current_cred() increments the reference counter, but the put_cred() call was missing.

Severity CVSS v4.0: Pending analysis
Last modification: 23/09/2025

CVE-2024-56564

Publication date: 27/12/2024

In the Linux kernel, the following vulnerability has been resolved:

ceph: pass cred pointer to ceph_mds_auth_match()

This eliminates a redundant get_current_cred() call, because ceph_mds_check_access() has already obtained this pointer.

As a side effect, this also fixes a reference leak in ceph_mds_auth_match(): by omitting the get_current_cred() call, no additional cred reference is taken.

Severity CVSS v4.0: Pending analysis
Last modification: 07/10/2025

CVE-2024-56565

Publication date: 27/12/2024

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to drop all discards after creating snapshot on lvm device

Piergiorgio reported a bug in bugzilla as below:

------------[ cut here ]------------
WARNING: CPU: 2 PID: 969 at fs/f2fs/segment.c:1330
RIP: 0010:__submit_discard_cmd+0x27d/0x400 [f2fs]
Call Trace:
__issue_discard_cmd+0x1ca/0x350 [f2fs]
issue_discard_thread+0x191/0x480 [f2fs]
kthread+0xcf/0x100
ret_from_fork+0x31/0x50
ret_from_fork_asm+0x1a/0x30

w/ below testcase, it can reproduce this bug quickly:
- pvcreate /dev/vdb
- vgcreate myvg1 /dev/vdb
- lvcreate -L 1024m -n mylv1 myvg1
- mount /dev/myvg1/mylv1 /mnt/f2fs
- dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=20
- sync
- rm /mnt/f2fs/file
- sync
- lvcreate -L 1024m -s -n mylv1-snapshot /dev/myvg1/mylv1
- umount /mnt/f2fs

The root cause is: it will update discard_max_bytes of mounted lvm device to zero after creating snapshot on this lvm device, then, __submit_discard_cmd() will pass parameter @nr_sects w/ zero value to __blkdev_issue_discard(), it returns a NULL bio pointer, resulting in panic.

This patch changes as below for fixing:
1. Let's drop all remaining discards in f2fs_unfreeze() if snapshot of lvm device is created.
2. Checking discard_max_bytes before submitting discard during __submit_discard_cmd().

Severity CVSS v4.0: Pending analysis
Last modification: 07/10/2025

CVE-2024-56566

Publication date: 27/12/2024

In the Linux kernel, the following vulnerability has been resolved:

mm/slub: Avoid list corruption when removing a slab from the full list

Boot with slub_debug=UFPZ.

If allocated object failed in alloc_consistency_checks, all objects of the slab will be marked as used, and then the slab will be removed from the partial list.

When an object belonging to the slab got freed later, the remove_full() function is called. Because the slab is neither on the partial list nor on the full list, it eventually leads to a list corruption (actually a list poison being detected).

So we need to mark and isolate the slab page with metadata corruption, do not put it back in circulation.

Because the debug caches avoid all the fastpaths, reusing the frozen bit to mark slab page with metadata corruption seems to be fine.

[ 4277.385669] list_del corruption, ffffea00044b3e50->next is LIST_POISON1 (dead000000000100)
[ 4277.387023] ------------[ cut here ]------------
[ 4277.387880] kernel BUG at lib/list_debug.c:56!
[ 4277.388680] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[ 4277.389562] CPU: 5 PID: 90 Comm: kworker/5:1 Kdump: loaded Tainted: G OE 6.6.1-1 #1
[ 4277.392113] Workqueue: xfs-inodegc/vda1 xfs_inodegc_worker [xfs]
[ 4277.393551] RIP: 0010:__list_del_entry_valid_or_report+0x7b/0xc0
[ 4277.394518] Code: 48 91 82 e8 37 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 28 49 91 82 e8 26 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 58 49 91
[ 4277.397292] RSP: 0018:ffffc90000333b38 EFLAGS: 00010082
[ 4277.398202] RAX: 000000000000004e RBX: ffffea00044b3e50 RCX: 0000000000000000
[ 4277.399340] RDX: 0000000000000002 RSI: ffffffff828f8715 RDI: 00000000ffffffff
[ 4277.400545] RBP: ffffea00044b3e40 R08: 0000000000000000 R09: ffffc900003339f0
[ 4277.401710] R10: 0000000000000003 R11: ffffffff82d44088 R12: ffff888112cf9910
[ 4277.402887] R13: 0000000000000001 R14: 0000000000000001 R15: ffff8881000424c0
[ 4277.404049] FS: 0000000000000000(0000) GS:ffff88842fd40000(0000) knlGS:0000000000000000
[ 4277.405357] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4277.406389] CR2: 00007f2ad0b24000 CR3: 0000000102a3a006 CR4: 00000000007706e0
[ 4277.407589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4277.408780] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 4277.410000] PKRU: 55555554
[ 4277.410645] Call Trace:
[ 4277.411234]
[ 4277.411777] ? die+0x32/0x80
[ 4277.412439] ? do_trap+0xd6/0x100
[ 4277.413150] ? __list_del_entry_valid_or_report+0x7b/0xc0
[ 4277.414158] ? do_error_trap+0x6a/0x90
[ 4277.414948] ? __list_del_entry_valid_or_report+0x7b/0xc0
[ 4277.415915] ? exc_invalid_op+0x4c/0x60
[ 4277.416710] ? __list_del_entry_valid_or_report+0x7b/0xc0
[ 4277.417675] ? asm_exc_invalid_op+0x16/0x20
[ 4277.418482] ? __list_del_entry_valid_or_report+0x7b/0xc0
[ 4277.419466] ? __list_del_entry_valid_or_report+0x7b/0xc0
[ 4277.420410] free_to_partial_list+0x515/0x5e0
[ 4277.421242] ? xfs_iext_remove+0x41a/0xa10 [xfs]
[ 4277.422298] xfs_iext_remove+0x41a/0xa10 [xfs]
[ 4277.423316] ? xfs_inodegc_worker+0xb4/0x1a0 [xfs]
[ 4277.424383] xfs_bmap_del_extent_delay+0x4fe/0x7d0 [xfs]
[ 4277.425490] __xfs_bunmapi+0x50d/0x840 [xfs]
[ 4277.426445] xfs_itruncate_extents_flags+0x13a/0x490 [xfs]
[ 4277.427553] xfs_inactive_truncate+0xa3/0x120 [xfs]
[ 4277.428567] xfs_inactive+0x22d/0x290 [xfs]
[ 4277.429500] xfs_inodegc_worker+0xb4/0x1a0 [xfs]
[ 4277.430479] process_one_work+0x171/0x340
[ 4277.431227] worker_thread+0x277/0x390
[ 4277.431962] ? __pfx_worker_thread+0x10/0x10
[ 4277.432752] kthread+0xf0/0x120
[ 4277.433382] ? __pfx_kthread+0x10/0x10
[ 4277.434134] ret_from_fork+0x2d/0x50
[ 4277.434837] ? __pfx_kthread+0x10/0x10
[ 4277.435566] ret_from_fork_asm+0x1b/0x30
[ 4277.436280]

Severity CVSS v4.0: Pending analysis
Last modification: 23/09/2025