Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> blk-mq: use quiesced elevator switch when reinitializing queues<br /> <br /> The hctx&amp;#39;s run_work may be racing with the elevator switch when<br /> reinitializing hardware queues. The queue is merely frozen in this<br /> context, but that only prevents requests from allocating and doesn&amp;#39;t<br /> stop the hctx work from running. The work may get an elevator pointer<br /> that&amp;#39;s being torn down, and can result in use-after-free errors and<br /> kernel panics (example below). Use the quiesced elevator switch instead,<br /> and make the previous one static since it is now only used locally.<br /> <br /> nvme nvme0: resetting controller<br /> nvme nvme0: 32/0/0 default/read/poll queues<br /> BUG: kernel NULL pointer dereference, address: 0000000000000008<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 80000020c8861067 P4D 80000020c8861067 PUD 250f8c8067 PMD 0<br /> Oops: 0000 [#1] SMP PTI<br /> Workqueue: kblockd blk_mq_run_work_fn<br /> RIP: 0010:kyber_has_work+0x29/0x70<br /> <br /> ...<br /> <br /> Call Trace:<br /> __blk_mq_do_dispatch_sched+0x83/0x2b0<br /> __blk_mq_sched_dispatch_requests+0x12e/0x170<br /> blk_mq_sched_dispatch_requests+0x30/0x60<br /> __blk_mq_run_hw_queue+0x2b/0x50<br /> process_one_work+0x1ef/0x380<br /> worker_thread+0x2d/0x3e0

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> blk-iolatency: Fix memory leak on add_disk() failures<br /> <br /> When a gendisk is successfully initialized but add_disk() fails such as when<br /> a loop device has invalid number of minor device numbers specified,<br /> blkcg_init_disk() is called during init and then blkcg_exit_disk() during<br /> error handling. Unfortunately, iolatency gets initialized in the former but<br /> doesn&amp;#39;t get cleaned up in the latter.<br /> <br /> This is because, in non-error cases, the cleanup is performed by<br /> del_gendisk() calling rq_qos_exit(), the assumption being that rq_qos<br /> policies, iolatency being one of them, can only be activated once the disk<br /> is fully registered and visible. That assumption is true for wbt and iocost,<br /> but not so for iolatency as it gets initialized before add_disk() is called.<br /> <br /> It is desirable to lazy-init rq_qos policies because they are optional<br /> features and add to hot path overhead once initialized - each IO has to walk<br /> all the registered rq_qos policies. So, we want to switch iolatency to lazy<br /> init too. However, that&amp;#39;s a bigger change. As a fix for the immediate<br /> problem, let&amp;#39;s just add an extra call to rq_qos_exit() in blkcg_exit_disk().<br /> This is safe because duplicate calls to rq_qos_exit() become noop&amp;#39;s.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix uninititialized value in &amp;#39;ext4_evict_inode&amp;#39;<br /> <br /> Syzbot found the following issue:<br /> =====================================================<br /> BUG: KMSAN: uninit-value in ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180<br /> ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180<br /> evict+0x365/0x9a0 fs/inode.c:664<br /> iput_final fs/inode.c:1747 [inline]<br /> iput+0x985/0xdd0 fs/inode.c:1773<br /> __ext4_new_inode+0xe54/0x7ec0 fs/ext4/ialloc.c:1361<br /> ext4_mknod+0x376/0x840 fs/ext4/namei.c:2844<br /> vfs_mknod+0x79d/0x830 fs/namei.c:3914<br /> do_mknodat+0x47d/0xaa0<br /> __do_sys_mknodat fs/namei.c:3992 [inline]<br /> __se_sys_mknodat fs/namei.c:3989 [inline]<br /> __ia32_sys_mknodat+0xeb/0x150 fs/namei.c:3989<br /> do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]<br /> __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178<br /> do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203<br /> do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246<br /> entry_SYSENTER_compat_after_hwframe+0x70/0x82<br /> <br /> Uninit was created at:<br /> __alloc_pages+0x9f1/0xe80 mm/page_alloc.c:5578<br /> alloc_pages+0xaae/0xd80 mm/mempolicy.c:2285<br /> alloc_slab_page mm/slub.c:1794 [inline]<br /> allocate_slab+0x1b5/0x1010 mm/slub.c:1939<br /> new_slab mm/slub.c:1992 [inline]<br /> ___slab_alloc+0x10c3/0x2d60 mm/slub.c:3180<br /> __slab_alloc mm/slub.c:3279 [inline]<br /> slab_alloc_node mm/slub.c:3364 [inline]<br /> slab_alloc mm/slub.c:3406 [inline]<br /> __kmem_cache_alloc_lru mm/slub.c:3413 [inline]<br /> kmem_cache_alloc_lru+0x6f3/0xb30 mm/slub.c:3429<br /> alloc_inode_sb include/linux/fs.h:3117 [inline]<br /> ext4_alloc_inode+0x5f/0x860 fs/ext4/super.c:1321<br /> alloc_inode+0x83/0x440 fs/inode.c:259<br /> new_inode_pseudo fs/inode.c:1018 [inline]<br /> new_inode+0x3b/0x430 fs/inode.c:1046<br /> __ext4_new_inode+0x2a7/0x7ec0 fs/ext4/ialloc.c:959<br /> ext4_mkdir+0x4d5/0x1560 fs/ext4/namei.c:2992<br /> vfs_mkdir+0x62a/0x870 fs/namei.c:4035<br /> do_mkdirat+0x466/0x7b0 fs/namei.c:4060<br /> __do_sys_mkdirat fs/namei.c:4075 [inline]<br /> __se_sys_mkdirat fs/namei.c:4073 [inline]<br /> __ia32_sys_mkdirat+0xc4/0x120 fs/namei.c:4073<br /> do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]<br /> __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178<br /> do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203<br /> do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246<br /> entry_SYSENTER_compat_after_hwframe+0x70/0x82<br /> <br /> CPU: 1 PID: 4625 Comm: syz-executor.2 Not tainted 6.1.0-rc4-syzkaller-62821-gcb231e2f67ec #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022<br /> =====================================================<br /> <br /> Now, &amp;#39;ext4_alloc_inode()&amp;#39; didn&amp;#39;t init &amp;#39;ei-&gt;i_flags&amp;#39;. If new inode failed<br /> before set &amp;#39;ei-&gt;i_flags&amp;#39; in &amp;#39;__ext4_new_inode()&amp;#39;, then do &amp;#39;iput()&amp;#39;. As after<br /> 6bc0d63dad7f commit will access &amp;#39;ei-&gt;i_flags&amp;#39; in &amp;#39;ext4_evict_inode()&amp;#39; which<br /> will lead to access uninit-value.<br /> To solve above issue just init &amp;#39;ei-&gt;i_flags&amp;#39; in &amp;#39;ext4_alloc_inode()&amp;#39;.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: solo6x10: fix possible memory leak in solo_sysfs_init()<br /> <br /> If device_register() returns error in solo_sysfs_init(), the<br /> name allocated by dev_set_name() need be freed. As comment of<br /> device_register() says, it should use put_device() to give up<br /> the reference in the error path. So fix this by calling<br /> put_device(), then the name can be freed in kobject_cleanup().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: i2c: hi846: Fix memory leak in hi846_parse_dt()<br /> <br /> If any of the checks related to the supported link frequencies fail, then<br /> the V4L2 fwnode resources don&amp;#39;t get released before returning, which leads<br /> to a memleak. Fix this by properly freeing the V4L2 fwnode data in a<br /> designated label.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata<br /> <br /> Following concurrent processes:<br /> <br /> P1(drop cache) P2(kworker)<br /> drop_caches_sysctl_handler<br /> drop_slab<br /> shrink_slab<br /> down_read(&amp;shrinker_rwsem) - LOCK A<br /> do_shrink_slab<br /> super_cache_scan<br /> prune_icache_sb<br /> dispose_list<br /> evict<br /> ext4_evict_inode<br /> ext4_clear_inode<br /> ext4_discard_preallocations<br /> ext4_mb_load_buddy_gfp<br /> ext4_mb_init_cache<br /> ext4_read_block_bitmap_nowait<br /> ext4_read_bh_nowait<br /> submit_bh<br /> dm_submit_bio<br /> do_worker<br /> process_deferred_bios<br /> commit<br /> metadata_operation_failed<br /> dm_pool_abort_metadata<br /> down_write(&amp;pmd-&gt;root_lock) - LOCK B<br /> __destroy_persistent_data_objects<br /> dm_block_manager_destroy<br /> dm_bufio_client_destroy<br /> unregister_shrinker<br /> down_write(&amp;shrinker_rwsem)<br /> thin_map |<br /> dm_thin_find_block ↓<br /> down_read(&amp;pmd-&gt;root_lock) --&gt; ABBA deadlock<br /> <br /> , which triggers hung task:<br /> <br /> [ 76.974820] INFO: task kworker/u4:3:63 blocked for more than 15 seconds.<br /> [ 76.976019] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910<br /> [ 76.978521] task:kworker/u4:3 state:D stack:0 pid:63 ppid:2<br /> [ 76.978534] Workqueue: dm-thin do_worker<br /> [ 76.978552] Call Trace:<br /> [ 76.978564] __schedule+0x6ba/0x10f0<br /> [ 76.978582] schedule+0x9d/0x1e0<br /> [ 76.978588] rwsem_down_write_slowpath+0x587/0xdf0<br /> [ 76.978600] down_write+0xec/0x110<br /> [ 76.978607] unregister_shrinker+0x2c/0xf0<br /> [ 76.978616] dm_bufio_client_destroy+0x116/0x3d0<br /> [ 76.978625] dm_block_manager_destroy+0x19/0x40<br /> [ 76.978629] __destroy_persistent_data_objects+0x5e/0x70<br /> [ 76.978636] dm_pool_abort_metadata+0x8e/0x100<br /> [ 76.978643] metadata_operation_failed+0x86/0x110<br /> [ 76.978649] commit+0x6a/0x230<br /> [ 76.978655] do_worker+0xc6e/0xd90<br /> [ 76.978702] process_one_work+0x269/0x630<br /> [ 76.978714] worker_thread+0x266/0x630<br /> [ 76.978730] kthread+0x151/0x1b0<br /> [ 76.978772] INFO: task test.sh:2646 blocked for more than 15 seconds.<br /> [ 76.979756] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910<br /> [ 76.982111] task:test.sh state:D stack:0 pid:2646 ppid:2459<br /> [ 76.982128] Call Trace:<br /> [ 76.982139] __schedule+0x6ba/0x10f0<br /> [ 76.982155] schedule+0x9d/0x1e0<br /> [ 76.982159] rwsem_down_read_slowpath+0x4f4/0x910<br /> [ 76.982173] down_read+0x84/0x170<br /> [ 76.982177] dm_thin_find_block+0x4c/0xd0<br /> [ 76.982183] thin_map+0x201/0x3d0<br /> [ 76.982188] __map_bio+0x5b/0x350<br /> [ 76.982195] dm_submit_bio+0x2b6/0x930<br /> [ 76.982202] __submit_bio+0x123/0x2d0<br /> [ 76.982209] submit_bio_noacct_nocheck+0x101/0x3e0<br /> [ 76.982222] submit_bio_noacct+0x389/0x770<br /> [ 76.982227] submit_bio+0x50/0xc0<br /> [ 76.982232] submit_bh_wbc+0x15e/0x230<br /> [ 76.982238] submit_bh+0x14/0x20<br /> [ 76.982241] ext4_read_bh_nowait+0xc5/0x130<br /> [ 76.982247] ext4_read_block_bitmap_nowait+0x340/0xc60<br /> [ 76.982254] ext4_mb_init_cache+0x1ce/0xdc0<br /> [ 76.982259] ext4_mb_load_buddy_gfp+0x987/0xfa0<br /> [ 76.982263] ext4_discard_preallocations+0x45d/0x830<br /> [ 76.982274] ext4_clear_inode+0x48/0xf0<br /> [ 76.982280] ext4_evict_inode+0xcf/0xc70<br /> [ 76.982285] evict+0x119/0x2b0<br /> [ 76.982290] dispose_list+0x43/0xa0<br /> [ 76.982294] prune_icache_sb+0x64/0x90<br /> [ 76.982298] super_cache_scan+0x155/0x210<br /> [ 76.982303] do_shrink_slab+0x19e/0x4e0<br /> [ 76.982310] shrink_slab+0x2bd/0x450<br /> [ 76.982317] drop_slab+0xcc/0x1a0<br /> [ 76.982323] drop_caches_sysctl_handler+0xb7/0xe0<br /> [ 76.982327] proc_sys_call_handler+0x1bc/0x300<br /> [ 76.982331] proc_sys_write+0x17/0x20<br /> [ 76.982334] vfs_write+0x3d3/0x570<br /> [ 76.982342] ksys_write+0x73/0x160<br /> [ 76.982347] __x64_sys_write+0x1e/0x30<br /> [ 76.982352] do_syscall_64+0x35/0x80<br /> [ 76.982357] entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> Funct<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()<br /> <br /> xhci_alloc_stream_info() allocates stream context array for stream_info<br /> -&gt;stream_ctx_array with xhci_alloc_stream_ctx(). When some error occurs,<br /> stream_info-&gt;stream_ctx_array is not released, which will lead to a<br /> memory leak.<br /> <br /> We can fix it by releasing the stream_info-&gt;stream_ctx_array with<br /> xhci_free_stream_ctx() on the error path to avoid the potential memory<br /> leak.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vme: Fix error not catched in fake_init()<br /> <br /> In fake_init(), __root_device_register() is possible to fail but it&amp;#39;s<br /> ignored, which can cause unregistering vme_root fail when exit.<br /> <br /> general protection fault,<br /> probably for non-canonical address 0xdffffc000000008c<br /> KASAN: null-ptr-deref in range [0x0000000000000460-0x0000000000000467]<br /> RIP: 0010:root_device_unregister+0x26/0x60<br /> Call Trace:<br /> <br /> __x64_sys_delete_module+0x34f/0x540<br /> do_syscall_64+0x38/0x90<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> Return error when __root_device_register() fails.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ARM: OMAP2+: omap4-common: Fix refcount leak bug<br /> <br /> In omap4_sram_init(), of_find_compatible_node() will return a node<br /> pointer with refcount incremented. We should use of_node_put() when<br /> it is not used anymore.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: qcom-adm: fix wrong sizeof config in slave_config<br /> <br /> Fix broken slave_config function that uncorrectly compare the<br /> peripheral_size with the size of the config pointer instead of the size<br /> of the config struct. This cause the crci value to be ignored and cause<br /> a kernel panic on any slave that use adm driver.<br /> <br /> To fix this, compare to the size of the struct and NOT the size of the<br /> pointer.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: ti: k3-udma: Reset UDMA_CHAN_RT byte counters to prevent overflow<br /> <br /> UDMA_CHAN_RT_*BCNT_REG stores the real-time channel bytecount statistics.<br /> These registers are 32-bit hardware counters and the driver uses these<br /> counters to monitor the operational progress status for a channel, when<br /> transferring more than 4GB of data it was observed that these counters<br /> overflow and completion calculation of a operation gets affected and the<br /> transfer hangs indefinitely.<br /> <br /> This commit adds changes to decrease the byte count for every complete<br /> transaction so that these registers never overflow and the proper byte<br /> count statistics is maintained for ongoing transaction by the RT counters.<br /> <br /> Earlier uc-&gt;bcnt used to maintain a count of the completed bytes at driver<br /> side, since the RT counters maintain the statistics of current transaction<br /> now, the maintenance of uc-&gt;bcnt is not necessary.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: si470x: Fix use-after-free in si470x_int_in_callback()<br /> <br /> syzbot reported use-after-free in si470x_int_in_callback() [1]. This<br /> indicates that urb-&gt;context, which contains struct si470x_device<br /> object, is freed when si470x_int_in_callback() is called.<br /> <br /> The cause of this issue is that si470x_int_in_callback() is called for<br /> freed urb.<br /> <br /> si470x_usb_driver_probe() calls si470x_start_usb(), which then calls<br /> usb_submit_urb() and si470x_start(). If si470x_start_usb() fails,<br /> si470x_usb_driver_probe() doesn&amp;#39;t kill urb, but it just frees struct<br /> si470x_device object, as depicted below:<br /> <br /> si470x_usb_driver_probe()<br /> ...<br /> si470x_start_usb()<br /> ...<br /> usb_submit_urb()<br /> retval = si470x_start()<br /> return retval<br /> if (retval