Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

At times this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria, such as vulnerability type, manufacturer and impact level, among others, can be selected to narrow down the results.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-47171

Publication date: 25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

net: usb: fix memory leak in smsc75xx_bind

Syzbot reported memory leak in smsc75xx_bind(). The problem was non-freed memory in case of errors after memory allocation.

backtrace:
[] kmalloc include/linux/slab.h:556 [inline]
[] kzalloc include/linux/slab.h:686 [inline]
[] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460
[] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728
Severity CVSS v4.0: Pending analysis
Last modification: 16/05/2024

CVE-2021-47172

Publication date: 25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers

Channel numbering must start at 0 and then not have any holes, or it is possible to overflow the available storage. Note this bug was introduced as part of a fix to ensure we didn't rely on the ordering of child nodes. So we need to support arbitrary ordering but they all need to be there somewhere.

Note I hit this when using qemu to test the rest of this series. Arguably this isn't the best fix, but it is probably the most minimal option for backporting etc.

Alexandru's sign-off is here because he carried this patch in a larger set that Jonathan then applied.
Severity CVSS v4.0: Pending analysis
Last modification: 30/04/2025

CVE-2021-47158

Publication date: 25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

net: dsa: sja1105: add error handling in sja1105_setup()

If any of sja1105_static_config_load(), sja1105_clocking_setup() or sja1105_devlink_setup() fails, we can't just return in the middle of sja1105_setup() or memory will leak. Add a cleanup path.
Severity CVSS v4.0: Pending analysis
Last modification: 12/12/2024

CVE-2021-47146

Publication date: 25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

mld: fix panic in mld_newpack()

mld_newpack() doesn't allow to allocate high order page, only order-0 allocation is allowed. If headroom size is too large, a kernel panic could occur in skb_put().

Test commands:
ip netns del A
ip netns del B
ip netns add A
ip netns add B
ip link add veth0 type veth peer name veth1
ip link set veth0 netns A
ip link set veth1 netns B

ip netns exec A ip link set lo up
ip netns exec A ip link set veth0 up
ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0
ip netns exec B ip link set lo up
ip netns exec B ip link set veth1 up
ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1
for i in {1..99}
do
    let A=$i-1
    ip netns exec A ip link add ip6gre$i type ip6gre \
        local 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100
    ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i
    ip netns exec A ip link set ip6gre$i up

    ip netns exec B ip link add ip6gre$i type ip6gre \
        local 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100
    ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i
    ip netns exec B ip link set ip6gre$i up
done

Splat looks like:
kernel BUG at net/core/skbuff.c:110!
invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:skb_panic+0x15d/0x15f
Call Trace:
? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
skb_put.cold.104+0x22/0x22
ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
? rcu_read_lock_sched_held+0x91/0xc0
mld_newpack+0x398/0x8f0
? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600
? lock_contended+0xc40/0xc40
add_grhead.isra.33+0x280/0x380
add_grec+0x5ca/0xff0
? mld_sendpack+0xf40/0xf40
? lock_downgrade+0x690/0x690
mld_send_initial_cr.part.34+0xb9/0x180
ipv6_mc_dad_complete+0x15d/0x1b0
addrconf_dad_completed+0x8d2/0xbb0
? lock_downgrade+0x690/0x690
? addrconf_rs_timer+0x660/0x660
? addrconf_dad_work+0x73c/0x10e0
addrconf_dad_work+0x73c/0x10e0

Allowing high order page allocation could fix this problem.
Severity CVSS v4.0: Pending analysis
Last modification: 20/12/2024

CVE-2021-47148

Publication date: 25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

octeontx2-pf: fix a buffer overflow in otx2_set_rxfh_context()

This function is called from ethtool_set_rxfh() and "*rss_context" comes from the user. Add some bounds checking to prevent memory corruption.
Severity CVSS v4.0: Pending analysis
Last modification: 12/12/2024

CVE-2021-47149

Publication date: 25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

net: fujitsu: fix potential null-ptr-deref

In fmvj18x_get_hwinfo(), if ioremap fails there will be NULL pointer deref. To fix this, check the return value of ioremap and return -1 to the caller in case of failure.
Severity CVSS v4.0: Pending analysis
Last modification: 12/12/2024

CVE-2021-47150

Publication date: 25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

net: fec: fix the potential memory leak in fec_enet_init()

If the memory allocated for cbd_base is failed, it should free the memory allocated for the queues, otherwise it causes memory leak.

And if the memory allocated for the queues is failed, it can return error directly.
Severity CVSS v4.0: Pending analysis
Last modification: 12/12/2024

CVE-2021-47151

Publication date: 25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

interconnect: qcom: bcm-voter: add a missing of_node_put()

Add a missing of_node_put() in of_bcm_voter_get() to avoid the reference leak.
Severity CVSS v4.0: Pending analysis
Last modification: 12/12/2024

CVE-2021-47152

Publication date: 25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix data stream corruption

Maxim reported several issues when forcing a TCP transparent proxy to use the MPTCP protocol for the inbound connections. He also provided a clean reproducer.

The problem boils down to 'mptcp_frag_can_collapse_to()' assuming that only MPTCP will use the given page_frag.

If others - e.g. the plain TCP protocol - allocate page fragments, we can end-up re-using already allocated memory for mptcp_data_frag.

Fix the issue ensuring that the to-be-expanded data fragment is located at the current page frag end.

v1 -> v2:
- added missing fixes tag (Mat)
Severity CVSS v4.0: Pending analysis
Last modification: 13/03/2025

CVE-2021-47153

Publication date: 25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

i2c: i801: Don't generate an interrupt on bus reset

Now that the i2c-i801 driver supports interrupts, setting the KILL bit in an attempt to recover from a timed out transaction triggers an interrupt. Unfortunately, the interrupt handler (i801_isr) is not prepared for this situation and will try to process the interrupt as if it was signaling the end of a successful transaction. In the case of a block transaction, this can result in an out-of-range memory access.

This condition was reproduced several times by syzbot:
https://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e
https://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e
https://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e
https://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb
https://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a
https://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79

So disable interrupts while trying to reset the bus. Interrupts will be enabled again for the following transaction.
Severity CVSS v4.0: Pending analysis
Last modification: 16/09/2025

CVE-2024-25964

Publication date: 25/03/2024
Dell PowerScale OneFS 9.5.0.x through 9.7.0.x contain a covert timing channel vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service.
Severity CVSS v4.0: Pending analysis
Last modification: 20/02/2026

CVE-2021-47147

Publication date: 25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

ptp: ocp: Fix a resource leak in an error handling path

If an error occurs after a successful 'pci_ioremap_bar()' call, it must be undone by a corresponding 'pci_iounmap()' call, as already done in the remove function.
Severity CVSS v4.0: Pending analysis
Last modification: 10/12/2025