Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: spi-mt65xx: Fix NULL pointer access in interrupt handler<br /> <br /> The TX buffer in spi_transfer can be a NULL pointer, so the interrupt<br /> handler may end up writing to the invalid memory and cause crashes.<br /> <br /> Add a check to trans-&gt;tx_buf before using it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: fix mmhub client id out-of-bounds access<br /> <br /> Properly handle cid 0x140.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> octeontx2-af: Use separate handlers for interrupts<br /> <br /> For PF to AF interrupt vector and VF to AF vector same<br /> interrupt handler is registered which is causing race condition.<br /> When two interrupts are raised to two CPUs at same time<br /> then two cores serve same event corrupting the data.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt<br /> <br /> The loop inside nfs_netfs_issue_read() currently does not disable<br /> interrupts while iterating through pages in the xarray to submit<br /> for NFS read. This is not safe though since after taking xa_lock,<br /> another page in the mapping could be processed for writeback inside<br /> an interrupt, and deadlock can occur. The fix is simple and clean<br /> if we use xa_for_each_range(), which handles the iteration with RCU<br /> while reducing code complexity.<br /> <br /> The problem is easily reproduced with the following test:<br /> mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs<br /> dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1<br /> echo 3 &gt; /proc/sys/vm/drop_caches<br /> dd if=/mnt/nfs/file1.bin of=/dev/null<br /> umount /mnt/nfs<br /> <br /> On the console with a lockdep-enabled kernel a message similar to<br /> the following will be seen:<br /> <br /> ================================<br /> WARNING: inconsistent lock state<br /> 6.7.0-lockdbg+ #10 Not tainted<br /> --------------------------------<br /> inconsistent {IN-SOFTIRQ-W} -&gt; {SOFTIRQ-ON-W} usage.<br /> test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes:<br /> ffff888127baa598 (&amp;xa-&gt;xa_lock#4){+.?.}-{3:3}, at:<br /> nfs_netfs_issue_read+0x1b2/0x4b0 [nfs]<br /> {IN-SOFTIRQ-W} state was registered at:<br /> lock_acquire+0x144/0x380<br /> _raw_spin_lock_irqsave+0x4e/0xa0<br /> __folio_end_writeback+0x17e/0x5c0<br /> folio_end_writeback+0x93/0x1b0<br /> iomap_finish_ioend+0xeb/0x6a0<br /> blk_update_request+0x204/0x7f0<br /> blk_mq_end_request+0x30/0x1c0<br /> blk_complete_reqs+0x7e/0xa0<br /> __do_softirq+0x113/0x544<br /> __irq_exit_rcu+0xfe/0x120<br /> irq_exit_rcu+0xe/0x20<br /> sysvec_call_function_single+0x6f/0x90<br /> asm_sysvec_call_function_single+0x1a/0x20<br /> pv_native_safe_halt+0xf/0x20<br /> default_idle+0x9/0x20<br /> default_idle_call+0x67/0xa0<br /> do_idle+0x2b5/0x300<br /> cpu_startup_entry+0x34/0x40<br /> start_secondary+0x19d/0x1c0<br /> secondary_startup_64_no_verify+0x18f/0x19b<br /> irq event stamp: 176891<br /> hardirqs last enabled at (176891): []<br /> _raw_spin_unlock_irqrestore+0x44/0x60<br /> hardirqs last disabled at (176890): []<br /> _raw_spin_lock_irqsave+0x79/0xa0<br /> softirqs last enabled at (176646): []<br /> __irq_exit_rcu+0xfe/0x120<br /> softirqs last disabled at (176633): []<br /> __irq_exit_rcu+0xfe/0x120<br /> <br /> other info that might help us debug this:<br /> Possible unsafe locking scenario:<br /> <br /> CPU0<br /> ----<br /> lock(&amp;xa-&gt;xa_lock#4);<br /> <br /> lock(&amp;xa-&gt;xa_lock#4);<br /> <br /> *** DEADLOCK ***<br /> <br /> 2 locks held by test5/1708:<br /> #0: ffff888127baa498 (&amp;sb-&gt;s_type-&gt;i_mutex_key#22){++++}-{4:4}, at:<br /> nfs_start_io_read+0x28/0x90 [nfs]<br /> #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, at:<br /> page_cache_ra_unbounded+0xa4/0x280<br /> <br /> stack backtrace:<br /> CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39<br /> 04/01/2014<br /> Call Trace:<br /> dump_stack_lvl+0x5b/0x90<br /> mark_lock+0xb3f/0xd20<br /> __lock_acquire+0x77b/0x3360<br /> _raw_spin_lock+0x34/0x80<br /> nfs_netfs_issue_read+0x1b2/0x4b0 [nfs]<br /> netfs_begin_read+0x77f/0x980 [netfs]<br /> nfs_netfs_readahead+0x45/0x60 [nfs]<br /> nfs_readahead+0x323/0x5a0 [nfs]<br /> read_pages+0xf3/0x5c0<br /> page_cache_ra_unbounded+0x1c8/0x280<br /> filemap_get_pages+0x38c/0xae0<br /> filemap_read+0x206/0x5e0<br /> nfs_file_read+0xb7/0x140 [nfs]<br /> vfs_read+0x2a9/0x460<br /> ksys_read+0xb7/0x140

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to avoid potential panic during recovery<br /> <br /> During recovery, if FAULT_BLOCK is on, it is possible that<br /> f2fs_reserve_new_block() will return -ENOSPC during recovery,<br /> then it may trigger panic.<br /> <br /> Also, if fault injection rate is 1 and only FAULT_BLOCK fault<br /> type is on, it may encounter deadloop in loop of block reservation.<br /> <br /> Let&amp;#39;s change as below to fix these issues:<br /> - remove bug_on() to avoid panic.<br /> - limit the loop count of block reservation to avoid potential<br /> deadloop.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to remove unnecessary f2fs_bug_on() to avoid panic<br /> <br /> verify_blkaddr() will trigger panic once we inject fault into<br /> f2fs_is_valid_blkaddr(), fix to remove this unnecessary f2fs_bug_on().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: compress: fix to cover normal cluster write with cp_rwsem<br /> <br /> When we overwrite compressed cluster w/ normal cluster, we should<br /> not unlock cp_rwsem during f2fs_write_raw_pages(), otherwise data<br /> will be corrupted if partial blocks were persisted before CP &amp; SPOR,<br /> due to cluster metadata wasn&amp;#39;t updated atomically.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: compress: fix to guarantee persisting compressed blocks by CP<br /> <br /> If data block in compressed cluster is not persisted with metadata<br /> during checkpoint, after SPOR, the data may be corrupted, let&amp;#39;s<br /> guarantee to write compressed page by checkpoint.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: Fix writeback data corruption<br /> <br /> cifs writeback doesn&amp;#39;t correctly handle the case where<br /> cifs_extend_writeback() hits a point where it is considering an additional<br /> folio, but this would overrun the wsize - at which point it drops out of<br /> the xarray scanning loop and calls xas_pause(). The problem is that<br /> xas_pause() advances the loop counter - thereby skipping that page.<br /> <br /> What needs to happen is for xas_reset() to be called any time we decide we<br /> don&amp;#39;t want to process the page we&amp;#39;re looking at, but rather send the<br /> request we are building and start a new one.<br /> <br /> Fix this by copying and adapting the netfslib writepages code as a<br /> temporary measure, with cifs writeback intending to be offloaded to<br /> netfslib in the near future.<br /> <br /> This also fixes the issue with the use of filemap_get_folios_tag() causing<br /> retry of a bunch of pages which the extender already dealt with.<br /> <br /> This can be tested by creating, say, a 64K file somewhere not on cifs<br /> (otherwise copy-offload may get underfoot), mounting a cifs share with a<br /> wsize of 64000, copying the file to it and then comparing the original file<br /> and the copy:<br /> <br /> dd if=/dev/urandom of=/tmp/64K bs=64k count=1<br /> mount //192.168.6.1/test /mnt -o user=...,pass=...,wsize=64000<br /> cp /tmp/64K /mnt/64K<br /> cmp /tmp/64K /mnt/64K<br /> <br /> Without the fix, the cmp fails at position 64000 (or shortly thereafter).

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: zynq: Prevent null pointer dereference caused by kmalloc failure<br /> <br /> The kmalloc() in zynq_clk_setup() will return null if the<br /> physical memory has run out. As a result, if we use snprintf()<br /> to write data to the null address, the null pointer dereference<br /> bug will happen.<br /> <br /> This patch uses a stack variable to replace the kmalloc().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: Fix clk_core_get NULL dereference<br /> <br /> It is possible for clk_core_get to dereference a NULL in the following<br /> sequence:<br /> <br /> clk_core_get()<br /> of_clk_get_hw_from_clkspec()<br /> __of_clk_get_hw_from_provider()<br /> __clk_get_hw()<br /> <br /> __clk_get_hw() can return NULL which is dereferenced by clk_core_get() at<br /> hw-&gt;core.<br /> <br /> Prior to commit dde4eff47c82 ("clk: Look for parents with clkdev based<br /> clk_lookups") the check IS_ERR_OR_NULL() was performed which would have<br /> caught the NULL.<br /> <br /> Reading the description of this function it talks about returning NULL but<br /> that cannot be so at the moment.<br /> <br /> Update the function to check for hw before dereferencing it and return NULL<br /> if hw is NULL.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: hisilicon: hi3559a: Fix an erroneous devm_kfree()<br /> <br /> &amp;#39;p_clk&amp;#39; is an array allocated just before the for loop for all clk that<br /> need to be registered.<br /> It is incremented at each loop iteration.<br /> <br /> If a clk_register() call fails, &amp;#39;p_clk&amp;#39; may point to something different<br /> from what should be freed.<br /> <br /> The best we can do, is to avoid this wrong release of memory.