Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: ISO: Check socket flag instead of hcon<br /> <br /> This fixes the following Smatch static checker warning:<br /> <br /> net/bluetooth/iso.c:1364 iso_sock_recvmsg()<br /> error: we previously assumed &amp;#39;pi-&gt;conn-&gt;hcon&amp;#39; could be null (line 1359)<br /> <br /> net/bluetooth/iso.c<br /> 1347 static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,<br /> 1348 size_t len, int flags)<br /> 1349 {<br /> 1350 struct sock *sk = sock-&gt;sk;<br /> 1351 struct iso_pinfo *pi = iso_pi(sk);<br /> 1352<br /> 1353 BT_DBG("sk %p", sk);<br /> 1354<br /> 1355 if (test_and_clear_bit(BT_SK_DEFER_SETUP,<br /> &amp;bt_sk(sk)-&gt;flags)) {<br /> 1356 lock_sock(sk);<br /> 1357 switch (sk-&gt;sk_state) {<br /> 1358 case BT_CONNECT2:<br /> 1359 if (pi-&gt;conn-&gt;hcon &amp;&amp;<br /> ^^^^^^^^^^^^^^ If -&gt;hcon is NULL<br /> <br /> 1360 test_bit(HCI_CONN_PA_SYNC,<br /> &amp;pi-&gt;conn-&gt;hcon-&gt;flags)) {<br /> 1361 iso_conn_big_sync(sk);<br /> 1362 sk-&gt;sk_state = BT_LISTEN;<br /> 1363 } else {<br /> --&gt; 1364 iso_conn_defer_accept(pi-&gt;conn-&gt;hcon);<br /> ^^^^^^^^^^^^^^<br /> then we&amp;#39;re toast<br /> <br /> 1365 sk-&gt;sk_state = BT_CONFIG;<br /> 1366 }<br /> 1367 release_sock(sk);<br /> 1368 return 0;<br /> 1369 case BT_CONNECTED:<br /> 1370 if (test_bit(BT_SK_PA_SYNC,

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: avoid overflows in dirty throttling logic<br /> <br /> The dirty throttling logic is interspersed with assumptions that dirty<br /> limits in PAGE_SIZE units fit into 32-bit (so that various multiplications<br /> fit into 64-bits). If limits end up being larger, we will hit overflows,<br /> possible divisions by 0 etc. Fix these problems by never allowing so<br /> large dirty limits as they have dubious practical value anyway. For<br /> dirty_bytes / dirty_background_bytes interfaces we can just refuse to set<br /> so large limits. For dirty_ratio / dirty_background_ratio it isn&amp;#39;t so<br /> simple as the dirty limit is computed from the amount of available memory<br /> which can change due to memory hotplug etc. So when converting dirty<br /> limits from ratios to numbers of pages, we just don&amp;#39;t allow the result to<br /> exceed UINT_MAX.<br /> <br /> This is root-only triggerable problem which occurs when the operator<br /> sets dirty limits to &gt;16 TB.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cdrom: rearrange last_media_change check to avoid unintentional overflow<br /> <br /> When running syzkaller with the newly reintroduced signed integer wrap<br /> sanitizer we encounter this splat:<br /> <br /> [ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33<br /> [ 366.021089] -9223372036854775808 - 346321 cannot be represented in type &amp;#39;__s64&amp;#39; (aka &amp;#39;long long&amp;#39;)<br /> [ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO<br /> [ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1<br /> [ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> [ 366.027518] Call Trace:<br /> [ 366.027523] <br /> [ 366.027533] dump_stack_lvl+0x93/0xd0<br /> [ 366.027899] handle_overflow+0x171/0x1b0<br /> [ 366.038787] ata1.00: invalid multi_count 32 ignored<br /> [ 366.043924] cdrom_ioctl+0x2c3f/0x2d10<br /> [ 366.063932] ? __pm_runtime_resume+0xe6/0x130<br /> [ 366.071923] sr_block_ioctl+0x15d/0x1d0<br /> [ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10<br /> [ 366.077642] blkdev_ioctl+0x419/0x500<br /> [ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10<br /> ...<br /> <br /> Historically, the signed integer overflow sanitizer did not work in the<br /> kernel due to its interaction with `-fwrapv` but this has since been<br /> changed [1] in the newest version of Clang. It was re-enabled in the<br /> kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow<br /> sanitizer").<br /> <br /> Let&amp;#39;s rearrange the check to not perform any arithmetic, thus not<br /> tripping the sanitizer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot<br /> <br /> Commit 272970be3dab ("Bluetooth: hci_qca: Fix driver shutdown on closed<br /> serdev") will cause below regression issue:<br /> <br /> BT can&amp;#39;t be enabled after below steps:<br /> cold boot -&gt; enable BT -&gt; disable BT -&gt; warm reboot -&gt; BT enable failure<br /> if property enable-gpios is not configured within DT|ACPI for QCA6390.<br /> <br /> The commit is to fix a use-after-free issue within qca_serdev_shutdown()<br /> by adding condition to avoid the serdev is flushed or wrote after closed<br /> but also introduces this regression issue regarding above steps since the<br /> VSC is not sent to reset controller during warm reboot.<br /> <br /> Fixed by sending the VSC to reset controller within qca_serdev_shutdown()<br /> once BT was ever enabled, and the use-after-free issue is also fixed by<br /> this change since the serdev is still opened before it is flushed or wrote.<br /> <br /> Verified by the reported machine Dell XPS 13 9310 laptop over below two<br /> kernel commits:<br /> commit e00fc2700a3f ("Bluetooth: btusb: Fix triggering coredump<br /> implementation for QCA") of bluetooth-next tree.<br /> commit b23d98d46d28 ("Bluetooth: btusb: Fix triggering coredump<br /> implementation for QCA") of linus mainline tree.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI file<br /> <br /> In case of invalid INI file mlxsw_linecard_types_init() deallocates memory<br /> but doesn&amp;#39;t reset pointer to NULL and returns 0. In case of any error<br /> occurred after mlxsw_linecard_types_init() call, mlxsw_linecards_init()<br /> calls mlxsw_linecard_types_fini() which performs memory deallocation again.<br /> <br /> Add pointer reset to NULL.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: kexec: Avoid deadlock in kexec crash path<br /> <br /> If the kexec crash code is called in the interrupt context, the<br /> machine_kexec_mask_interrupts() function will trigger a deadlock while<br /> trying to acquire the irqdesc spinlock and then deactivate irqchip in<br /> irq_set_irqchip_state() function.<br /> <br /> Unlike arm64, riscv only requires irq_eoi handler to complete EOI and<br /> keeping irq_set_irqchip_state() will only leave this possible deadlock<br /> without any use. So we simply remove it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: E-switch, Create ingress ACL when needed<br /> <br /> Currently, ingress acl is used for three features. It is created only<br /> when vport metadata match and prio tag are enabled. But active-backup<br /> lag mode also uses it. It is independent of vport metadata match and<br /> prio tag. And vport metadata match can be disabled using the<br /> following devlink command:<br /> <br /> # devlink dev param set pci/0000:08:00.0 name esw_port_metadata \<br /> value false cmode runtime<br /> <br /> If ingress acl is not created, will hit panic when creating drop rule<br /> for active-backup lag mode. If always create it, there will be about<br /> 5% performance degradation.<br /> <br /> Fix it by creating ingress acl when needed. If esw_port_metadata is<br /> true, ingress acl exists, then create drop rule using existing<br /> ingress acl. If esw_port_metadata is false, create ingress acl and<br /> then create drop rule.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: ASSERT when failing to find index by plane/stream id<br /> <br /> [WHY]<br /> find_disp_cfg_idx_by_plane_id and find_disp_cfg_idx_by_stream_id returns<br /> an array index and they return -1 when not found; however, -1 is not a<br /> valid index number.<br /> <br /> [HOW]<br /> When this happens, call ASSERT(), and return a positive number (which is<br /> fewer than callers&amp;#39; array size) instead.<br /> <br /> This fixes 4 OVERRUN and 2 NEGATIVE_RETURNS issues reported by Coverity.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Do not return negative stream id for array<br /> <br /> [WHY]<br /> resource_stream_to_stream_idx returns an array index and it return -1<br /> when not found; however, -1 is not a valid array index number.<br /> <br /> [HOW]<br /> When this happens, call ASSERT(), and return a zero instead.<br /> <br /> This fixes an OVERRUN and an NEGATIVE_RETURNS issues reported by Coverity.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: fix double free err_addr pointer warnings<br /> <br /> In amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pages<br /> will be run many times so that double free err_addr in some special case.<br /> So set the err_addr to NULL to avoid the warnings.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband<br /> <br /> We have some policy via BIOS to block uses of 6 GHz. In this case, 6 GHz<br /> sband will be NULL even if it is WiFi 7 chip. So, add NULL handling here<br /> to avoid crash.