Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pstore: inode: Only d_invalidate() is needed<br /> <br /> Unloading a modular pstore backend with records in pstorefs would<br /> trigger the dput() double-drop warning:<br /> <br /> WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410<br /> <br /> Using the combo of d_drop()/dput() (as mentioned in<br /> Documentation/filesystems/vfs.rst) isn&amp;#39;t the right approach here, and<br /> leads to the reference counting problem seen above. Use d_invalidate()<br /> and update the code to not bother checking for error codes that can<br /> never happen.<br /> <br /> ---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: mcast: remove one synchronize_net() barrier in ipv6_mc_down()<br /> <br /> As discussed in the past (commit 2d3916f31891 ("ipv6: fix skb drops<br /> in igmp6_event_query() and igmp6_event_report()")) I think the<br /> synchronize_net() call in ipv6_mc_down() is not needed.<br /> <br /> Under load, synchronize_net() can last between 200 usec and 5 ms.<br /> <br /> KASAN seems to agree as well.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: wilc1000: do not realloc workqueue everytime an interface is added<br /> <br /> Commit 09ed8bfc5215 ("wilc1000: Rename workqueue from "WILC_wq" to<br /> "NETDEV-wq"") moved workqueue creation in wilc_netdev_ifc_init in order to<br /> set the interface name in the workqueue name. However, while the driver<br /> needs only one workqueue, the wilc_netdev_ifc_init is called each time we<br /> add an interface over a phy, which in turns overwrite the workqueue with a<br /> new one. This can be observed with the following commands:<br /> <br /> for i in $(seq 0 10)<br /> do<br /> iw phy phy0 interface add wlan1 type managed<br /> iw dev wlan1 del<br /> done<br /> ps -eo pid,comm|grep wlan<br /> <br /> 39 kworker/R-wlan0<br /> 98 kworker/R-wlan1<br /> 102 kworker/R-wlan1<br /> 105 kworker/R-wlan1<br /> 108 kworker/R-wlan1<br /> 111 kworker/R-wlan1<br /> 114 kworker/R-wlan1<br /> 117 kworker/R-wlan1<br /> 120 kworker/R-wlan1<br /> 123 kworker/R-wlan1<br /> 126 kworker/R-wlan1<br /> 129 kworker/R-wlan1<br /> <br /> Fix this leakage by putting back hif_workqueue allocation in<br /> wilc_cfg80211_init. Regarding the workqueue name, it is indeed relevant to<br /> set it lowercase, however it is not attached to a specific netdev, so<br /> enforcing netdev name in the name is not so relevant. Still, enrich the<br /> name with the wiphy name to make it clear which phy is using the workqueue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvme: host: fix double-free of struct nvme_id_ns in ns_update_nuse()<br /> <br /> When nvme_identify_ns() fails, it frees the pointer to the struct<br /> nvme_id_ns before it returns. However, ns_update_nuse() calls kfree()<br /> for the pointer even when nvme_identify_ns() fails. This results in<br /> KASAN double-free, which was observed with blktests nvme/045 with<br /> proposed patches [1] on the kernel v6.8-rc7. Fix the double-free by<br /> skipping kfree() when nvme_identify_ns() fails.

IBM WebSphere Automation 1.7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 285648.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: dvb-frontends: avoid stack overflow warnings with clang<br /> <br /> A previous patch worked around a KASAN issue in stv0367, now a similar<br /> problem showed up with clang:<br /> <br /> drivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in &amp;#39;stv0367ter_set_frontend&amp;#39; [-Werror,-Wframe-larger-than]<br /> 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe)<br /> <br /> Rework the stv0367_writereg() function to be simpler and mark both<br /> register access functions as noinline_for_stack so the temporary<br /> i2c_msg structures do not get duplicated on the stack when KASAN_STACK<br /> is enabled.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: usbtv: Remove useless locks in usbtv_video_free()<br /> <br /> Remove locks calls in usbtv_video_free() because<br /> are useless and may led to a deadlock as reported here:<br /> https://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000<br /> Also remove usbtv_stop() call since it will be called when<br /> unregistering the device.<br /> <br /> Before &amp;#39;c838530d230b&amp;#39; this issue would only be noticed if you<br /> disconnect while streaming and now it is noticeable even when<br /> disconnecting while not streaming.<br /> <br /> <br /> [hverkuil: fix minor spelling mistake in log message]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mt76: mt7925e: fix use-after-free in free_irq()<br /> <br /> From commit a304e1b82808 ("[PATCH] Debug shared irqs"), there is a test<br /> to make sure the shared irq handler should be able to handle the unexpected<br /> event after deregistration. For this case, let&amp;#39;s apply MT76_REMOVED flag to<br /> indicate the device was removed and do not run into the resource access<br /> anymore.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libbpf: Use OPTS_SET() macro in bpf_xdp_query()<br /> <br /> When the feature_flags and xdp_zc_max_segs fields were added to the libbpf<br /> bpf_xdp_query_opts, the code writing them did not use the OPTS_SET() macro.<br /> This causes libbpf to write to those fields unconditionally, which means<br /> that programs compiled against an older version of libbpf (with a smaller<br /> size of the bpf_xdp_query_opts struct) will have its stack corrupted by<br /> libbpf writing out of bounds.<br /> <br /> The patch adding the feature_flags field has an early bail out if the<br /> feature_flags field is not part of the opts struct (via the OPTS_HAS)<br /> macro, but the patch adding xdp_zc_max_segs does not. For consistency, this<br /> fix just changes the assignments to both fields to use the OPTS_SET()<br /> macro.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get&amp;#39;s return value<br /> <br /> cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it<br /> and return 0 in case of error.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work<br /> <br /> The workqueue might still be running, when the driver is stopped. To<br /> avoid a use-after-free, call cancel_work_sync() in rtl8xxxu_stop().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: wilc1000: fix RCU usage in connect path<br /> <br /> With lockdep enabled, calls to the connect function from cfg802.11 layer<br /> lead to the following warning:<br /> <br /> =============================<br /> WARNING: suspicious RCU usage<br /> 6.7.0-rc1-wt+ #333 Not tainted<br /> -----------------------------<br /> drivers/net/wireless/microchip/wilc1000/hif.c:386<br /> suspicious rcu_dereference_check() usage!<br /> [...]<br /> stack backtrace:<br /> CPU: 0 PID: 100 Comm: wpa_supplicant Not tainted 6.7.0-rc1-wt+ #333<br /> Hardware name: Atmel SAMA5<br /> unwind_backtrace from show_stack+0x18/0x1c<br /> show_stack from dump_stack_lvl+0x34/0x48<br /> dump_stack_lvl from wilc_parse_join_bss_param+0x7dc/0x7f4<br /> wilc_parse_join_bss_param from connect+0x2c4/0x648<br /> connect from cfg80211_connect+0x30c/0xb74<br /> cfg80211_connect from nl80211_connect+0x860/0xa94<br /> nl80211_connect from genl_rcv_msg+0x3fc/0x59c<br /> genl_rcv_msg from netlink_rcv_skb+0xd0/0x1f8<br /> netlink_rcv_skb from genl_rcv+0x2c/0x3c<br /> genl_rcv from netlink_unicast+0x3b0/0x550<br /> netlink_unicast from netlink_sendmsg+0x368/0x688<br /> netlink_sendmsg from ____sys_sendmsg+0x190/0x430<br /> ____sys_sendmsg from ___sys_sendmsg+0x110/0x158<br /> ___sys_sendmsg from sys_sendmsg+0xe8/0x150<br /> sys_sendmsg from ret_fast_syscall+0x0/0x1c<br /> <br /> This warning is emitted because in the connect path, when trying to parse<br /> target BSS parameters, we dereference a RCU pointer whithout being in RCU<br /> critical section.<br /> Fix RCU dereference usage by moving it to a RCU read critical section. To<br /> avoid wrapping the whole wilc_parse_join_bss_param under the critical<br /> section, just use the critical section to copy ies data