Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: scarlett2: Add missing error check to scarlett2_usb_set_config()<br /> <br /> scarlett2_usb_set_config() calls scarlett2_usb_get() but was not<br /> checking the result. Return the error if it fails rather than<br /> continuing with an invalid value.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Check writeback connectors in create_validate_stream_for_sink<br /> <br /> [WHY &amp; HOW]<br /> This is to check connector type to avoid<br /> unhandled null pointer for writeback connectors.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/powernv: Add a null pointer check in opal_powercap_init()<br /> <br /> kasprintf() returns a pointer to dynamically allocated memory<br /> which can be NULL upon failure.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: Intel: sof_sdw_rt_sdca_jack_common: ctx-&gt;headset_codec_dev = NULL<br /> <br /> sof_sdw_rt_sdca_jack_exit() are used by different codecs, and some of<br /> them use the same dai name.<br /> For example, rt712 and rt713 both use "rt712-sdca-aif1" and<br /> sof_sdw_rt_sdca_jack_exit().<br /> As a result, sof_sdw_rt_sdca_jack_exit() will be called twice by<br /> mc_dailink_exit_loop(). Set ctx-&gt;headset_codec_dev = NULL; after<br /> put_device(ctx-&gt;headset_codec_dev); to avoid ctx-&gt;headset_codec_dev<br /> being put twice.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> calipso: fix memory leak in netlbl_calipso_add_pass()<br /> <br /> If IPv6 support is disabled at boot (ipv6.disable=1),<br /> the calipso_init() -&gt; netlbl_calipso_ops_register() function isn&amp;#39;t called,<br /> and the netlbl_calipso_ops_get() function always returns NULL.<br /> In this case, the netlbl_calipso_add_pass() function allocates memory<br /> for the doi_def variable but doesn&amp;#39;t free it with the calipso_doi_free().<br /> <br /> BUG: memory leak<br /> unreferenced object 0xffff888011d68180 (size 64):<br /> comm "syz-executor.1", pid 10746, jiffies 4295410986 (age 17.928s)<br /> hex dump (first 32 bytes):<br /> 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] kmalloc include/linux/slab.h:552 [inline]<br /> [] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]<br /> [] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111<br /> [] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739<br /> [] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]<br /> [] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800<br /> [] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515<br /> [] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811<br /> [] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]<br /> [] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339<br /> [] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934<br /> [] sock_sendmsg_nosec net/socket.c:651 [inline]<br /> [] sock_sendmsg+0x157/0x190 net/socket.c:671<br /> [] ____sys_sendmsg+0x712/0x870 net/socket.c:2342<br /> [] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396<br /> [] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429<br /> [] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46<br /> [] entry_SYSCALL_64_after_hwframe+0x61/0xc6<br /> <br /> Found by InfoTeCS on behalf of Linux Verification Center<br /> (linuxtesting.org) with Syzkaller<br /> <br /> [PM: merged via the LSM tree at Jakub Kicinski request]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/bridge: tpd12s015: Drop buggy __exit annotation for remove function<br /> <br /> With tpd12s015_remove() marked with __exit this function is discarded<br /> when the driver is compiled as a built-in. The result is that when the<br /> driver unbinds there is no cleanup done which results in resource<br /> leakage or worse.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ACPI: video: check for error while searching for backlight device parent<br /> <br /> If acpi_get_parent() called in acpi_video_dev_register_backlight()<br /> fails, for example, because acpi_ut_acquire_mutex() fails inside<br /> acpi_get_parent), this can lead to incorrect (uninitialized)<br /> acpi_parent handle being passed to acpi_get_pci_dev() for detecting<br /> the parent pci device.<br /> <br /> Check acpi_get_parent() result and set parent device only in case of success.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdkfd: Confirm list is non-empty before utilizing list_first_entry in kfd_topology.c<br /> <br /> Before using list_first_entry, make sure to check that list is not<br /> empty, if list is empty return -ENODATA.<br /> <br /> Fixes the below:<br /> drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_topology.c:1347 kfd_create_indirect_link_prop() warn: can &amp;#39;gpu_link&amp;#39; even be NULL?<br /> drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_topology.c:1428 kfd_add_peer_prop() warn: can &amp;#39;iolink1&amp;#39; even be NULL?<br /> drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_topology.c:1433 kfd_add_peer_prop() warn: can &amp;#39;iolink2&amp;#39; even be NULL?

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> of: Fix double free in of_parse_phandle_with_args_map<br /> <br /> In of_parse_phandle_with_args_map() the inner loop that<br /> iterates through the map entries calls of_node_put(new)<br /> to free the reference acquired by the previous iteration<br /> of the inner loop. This assumes that the value of "new" is<br /> NULL on the first iteration of the inner loop.<br /> <br /> Make sure that this is true in all iterations of the outer<br /> loop by setting "new" to NULL after its value is assigned to "cur".<br /> <br /> Extend the unittest to detect the double free and add an additional<br /> test case that actually triggers this path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: scarlett2: Add missing error checks to *_ctl_get()<br /> <br /> The *_ctl_get() functions which call scarlett2_update_*() were not<br /> checking the return value. Fix to check the return value and pass to<br /> the caller.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> efivarfs: Free s_fs_info on unmount<br /> <br /> Now that we allocate a s_fs_info struct on fs context creation, we<br /> should ensure that we free it again when the superblock goes away.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to wait on block writeback for post_read case<br /> <br /> If inode is compressed, but not encrypted, it missed to call<br /> f2fs_wait_on_block_writeback() to wait for GCed page writeback<br /> in IPU write path.<br /> <br /> Thread A GC-Thread<br /> - f2fs_gc<br /> - do_garbage_collect<br /> - gc_data_segment<br /> - move_data_block<br /> - f2fs_submit_page_write<br /> migrate normal cluster&amp;#39;s block via<br /> meta_inode&amp;#39;s page cache<br /> - f2fs_write_single_data_page<br /> - f2fs_do_write_data_page<br /> - f2fs_inplace_write_data<br /> - f2fs_submit_page_bio<br /> <br /> IRQ<br /> - f2fs_read_end_io<br /> IRQ<br /> old data overrides new data due to<br /> out-of-order GC and common IO.<br /> - f2fs_read_end_io