Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> irqchip/gic-v3-its: Prevent double free on error<br /> <br /> The error handling path in its_vpe_irq_domain_alloc() causes a double free<br /> when its_vpe_init() fails after successfully allocating at least one<br /> interrupt. This happens because its_vpe_irq_domain_free() frees the<br /> interrupts along with the area bitmap and the vprop_page and<br /> its_vpe_irq_domain_alloc() subsequently frees the area bitmap and the<br /> vprop_page again.<br /> <br /> Fix this by unconditionally invoking its_vpe_irq_domain_free() which<br /> handles all cases correctly and by removing the bitmap/vprop_page freeing<br /> from its_vpe_irq_domain_alloc().<br /> <br /> [ tglx: Massaged change log ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix information leak in btrfs_ioctl_logical_to_ino()<br /> <br /> Syzbot reported the following information leak for in<br /> btrfs_ioctl_logical_to_ino():<br /> <br /> BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]<br /> BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40<br /> instrument_copy_to_user include/linux/instrumented.h:114 [inline]<br /> _copy_to_user+0xbc/0x110 lib/usercopy.c:40<br /> copy_to_user include/linux/uaccess.h:191 [inline]<br /> btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499<br /> btrfs_ioctl+0x714/0x1260<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:904 [inline]<br /> __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890<br /> __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890<br /> x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Uninit was created at:<br /> __kmalloc_large_node+0x231/0x370 mm/slub.c:3921<br /> __do_kmalloc_node mm/slub.c:3954 [inline]<br /> __kmalloc_node+0xb07/0x1060 mm/slub.c:3973<br /> kmalloc_node include/linux/slab.h:648 [inline]<br /> kvmalloc_node+0xc0/0x2d0 mm/util.c:634<br /> kvmalloc include/linux/slab.h:766 [inline]<br /> init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779<br /> btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480<br /> btrfs_ioctl+0x714/0x1260<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:904 [inline]<br /> __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890<br /> __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890<br /> x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Bytes 40-65535 of 65536 are uninitialized<br /> Memory access of size 65536 starts at ffff888045a40000<br /> <br /> This happens, because we&amp;#39;re copying a &amp;#39;struct btrfs_data_container&amp;#39; back<br /> to user-space. This btrfs_data_container is allocated in<br /> &amp;#39;init_data_container()&amp;#39; via kvmalloc(), which does not zero-fill the<br /> memory.<br /> <br /> Fix this by using kvzalloc() which zeroes out the memory on allocation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: qca: fix NULL-deref on non-serdev setup<br /> <br /> Qualcomm ROME controllers can be registered from the Bluetooth line<br /> discipline and in this case the HCI UART serdev pointer is NULL.<br /> <br /> Add the missing sanity check to prevent a NULL-pointer dereference when<br /> setup() is called for a non-serdev controller.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: qca: fix NULL-deref on non-serdev suspend<br /> <br /> Qualcomm ROME controllers can be registered from the Bluetooth line<br /> discipline and in this case the HCI UART serdev pointer is NULL.<br /> <br /> Add the missing sanity check to prevent a NULL-pointer dereference when<br /> wakeup() is called for a non-serdev controller during suspend.<br /> <br /> Just return true for now to restore the original behaviour and address<br /> the crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657<br /> ("Bluetooth: hci_qca: only assign wakeup with serial port support") that<br /> causes the crash to happen already at setup() time.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> eeprom: at24: fix memory corruption race condition<br /> <br /> If the eeprom is not accessible, an nvmem device will be registered, the<br /> read will fail, and the device will be torn down. If another driver<br /> accesses the nvmem device after the teardown, it will reference<br /> invalid memory.<br /> <br /> Move the failure point before registering the nvmem device.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/powernv: Add a null pointer check to scom_debug_init_one()<br /> <br /> kasprintf() returns a pointer to dynamically allocated memory<br /> which can be NULL upon failure.<br /> Add a null pointer check, and release &amp;#39;ent&amp;#39; to avoid memory leaks.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/pm: fix a double-free in si_dpm_init<br /> <br /> When the allocation of<br /> adev-&gt;pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails,<br /> amdgpu_free_extended_power_table is called to free some fields of adev.<br /> However, when the control flow returns to si_dpm_sw_init, it goes to<br /> label dpm_failed and calls si_dpm_fini, which calls<br /> amdgpu_free_extended_power_table again and free those fields again. Thus<br /> a double-free is triggered.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: scarlett2: Add missing error check to scarlett2_usb_set_config()<br /> <br /> scarlett2_usb_set_config() calls scarlett2_usb_get() but was not<br /> checking the result. Return the error if it fails rather than<br /> continuing with an invalid value.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Check writeback connectors in create_validate_stream_for_sink<br /> <br /> [WHY &amp; HOW]<br /> This is to check connector type to avoid<br /> unhandled null pointer for writeback connectors.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/powernv: Add a null pointer check in opal_powercap_init()<br /> <br /> kasprintf() returns a pointer to dynamically allocated memory<br /> which can be NULL upon failure.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: Intel: sof_sdw_rt_sdca_jack_common: ctx-&gt;headset_codec_dev = NULL<br /> <br /> sof_sdw_rt_sdca_jack_exit() are used by different codecs, and some of<br /> them use the same dai name.<br /> For example, rt712 and rt713 both use "rt712-sdca-aif1" and<br /> sof_sdw_rt_sdca_jack_exit().<br /> As a result, sof_sdw_rt_sdca_jack_exit() will be called twice by<br /> mc_dailink_exit_loop(). Set ctx-&gt;headset_codec_dev = NULL; after<br /> put_device(ctx-&gt;headset_codec_dev); to avoid ctx-&gt;headset_codec_dev<br /> being put twice.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> calipso: fix memory leak in netlbl_calipso_add_pass()<br /> <br /> If IPv6 support is disabled at boot (ipv6.disable=1),<br /> the calipso_init() -&gt; netlbl_calipso_ops_register() function isn&amp;#39;t called,<br /> and the netlbl_calipso_ops_get() function always returns NULL.<br /> In this case, the netlbl_calipso_add_pass() function allocates memory<br /> for the doi_def variable but doesn&amp;#39;t free it with the calipso_doi_free().<br /> <br /> BUG: memory leak<br /> unreferenced object 0xffff888011d68180 (size 64):<br /> comm "syz-executor.1", pid 10746, jiffies 4295410986 (age 17.928s)<br /> hex dump (first 32 bytes):<br /> 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] kmalloc include/linux/slab.h:552 [inline]<br /> [] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]<br /> [] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111<br /> [] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739<br /> [] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]<br /> [] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800<br /> [] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515<br /> [] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811<br /> [] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]<br /> [] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339<br /> [] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934<br /> [] sock_sendmsg_nosec net/socket.c:651 [inline]<br /> [] sock_sendmsg+0x157/0x190 net/socket.c:671<br /> [] ____sys_sendmsg+0x712/0x870 net/socket.c:2342<br /> [] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396<br /> [] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429<br /> [] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46<br /> [] entry_SYSCALL_64_after_hwframe+0x61/0xc6<br /> <br /> Found by InfoTeCS on behalf of Linux Verification Center<br /> (linuxtesting.org) with Syzkaller<br /> <br /> [PM: merged via the LSM tree at Jakub Kicinski request]