Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: ipu6: Fix RPM reference leak in probe error paths<br /> <br /> Several error paths in ipu6_pci_probe() were jumping directly to<br /> out_ipu6_bus_del_devices without releasing the runtime PM reference.<br /> Add pm_runtime_put_sync() before cleaning up other resources.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> procfs: fix possible double mmput() in do_procmap_query()<br /> <br /> When user provides incorrectly sized buffer for build ID for PROCMAP_QUERY<br /> we return with -ENAMETOOLONG error. After recent changes this condition<br /> happens later, after we unlocked mmap_lock/per-VMA lock and did mmput(),<br /> so original goto out is now wrong and will double-mmput() mm_struct. Fix<br /> by jumping further to clean up only vm_file and name_buf.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> erofs: fix incorrect early exits for invalid metabox-enabled images<br /> <br /> Crafted EROFS images with metadata compression enabled can trigger<br /> incorrect early returns, leading to folio reference leaks.<br /> <br /> However, this does not cause system crashes or other severe issues.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode<br /> <br /> kaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls<br /> netif_stop_queue() and netif_wake_queue(). These are TX queue flow<br /> control functions unrelated to RX multicast configuration.<br /> <br /> The premature netif_wake_queue() can re-enable TX while tx_urb is still<br /> in-flight, leading to a double usb_submit_urb() on the same URB:<br /> <br /> kaweth_start_xmit() {<br /> netif_stop_queue();<br /> usb_submit_urb(kaweth-&gt;tx_urb);<br /> }<br /> <br /> kaweth_set_rx_mode() {<br /> netif_stop_queue();<br /> netif_wake_queue(); // wakes TX queue before URB is done<br /> }<br /> <br /> kaweth_start_xmit() {<br /> netif_stop_queue();<br /> usb_submit_urb(kaweth-&gt;tx_urb); // URB submitted while active<br /> }<br /> <br /> This triggers the WARN in usb_submit_urb():<br /> <br /> "URB submitted while active"<br /> <br /> This is a similar class of bug fixed in rtl8150 by<br /> <br /> - commit 958baf5eaee3 ("net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast").<br /> <br /> Also kaweth_set_rx_mode() is already functionally broken, the<br /> real set_rx_mode action is performed by kaweth_async_set_rx_mode(),<br /> which in turn is not a no-op only at ndo_open() time.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gpio: sysfs: fix chip removal with GPIOs exported over sysfs<br /> <br /> Currently if we export a GPIO over sysfs and unbind the parent GPIO<br /> controller, the exported attribute will remain under /sys/class/gpio<br /> because once we remove the parent device, we can no longer associate the<br /> descriptor with it in gpiod_unexport() and never drop the final<br /> reference.<br /> <br /> Rework the teardown code: provide an unlocked variant of<br /> gpiod_unexport() and remove all exported GPIOs with the sysfs_lock taken<br /> before unregistering the parent device itself. This is done to prevent<br /> any new exports happening before we unregister the device completely.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: ccs: Avoid possible division by zero<br /> <br /> Calculating maximum M for scaler configuration involves dividing by<br /> MIN_X_OUTPUT_SIZE limit register&amp;#39;s value. Albeit the value is presumably<br /> non-zero, the driver was missing the check it in fact was. Fix this.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: cx25821: Fix a resource leak in cx25821_dev_setup()<br /> <br /> Add release_mem_region() if ioremap() fails to release the memory<br /> region obtained by cx25821_get_resources().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: fix reflink preserve cleanup issue<br /> <br /> commit c06c303832ec ("ocfs2: fix xattr array entry __counted_by error")<br /> doesn&amp;#39;t handle all cases and the cleanup job for preserved xattr entries<br /> still has bug:<br /> - the &amp;#39;last&amp;#39; pointer should be shifted by one unit after cleanup<br /> an array entry.<br /> - current code logic doesn&amp;#39;t cleanup the first entry when xh_count is 1.<br /> <br /> Note, commit c06c303832ec is also a bug fix for 0fe9b66c65f3.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/buddy: Prevent BUG_ON by validating rounded allocation<br /> <br /> When DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is<br /> rounded up to the next power-of-two via roundup_pow_of_two().<br /> Similarly, for non-contiguous allocations with large min_block_size,<br /> the size is aligned up via round_up(). Both operations can produce a<br /> rounded size that exceeds mm-&gt;size, which later triggers<br /> BUG_ON(order &gt; mm-&gt;max_order).<br /> <br /> Example scenarios:<br /> - 9G CONTIGUOUS allocation on 10G VRAM memory:<br /> roundup_pow_of_two(9G) = 16G &gt; 10G<br /> - 9G allocation with 8G min_block_size on 10G VRAM memory:<br /> round_up(9G, 8G) = 16G &gt; 10G<br /> <br /> Fix this by checking the rounded size against mm-&gt;size. For<br /> non-contiguous or range allocations where size &gt; mm-&gt;size is invalid,<br /> return -EINVAL immediately. For contiguous allocations without range<br /> restrictions, allow the request to fall through to the existing<br /> __alloc_contig_try_harder() fallback.<br /> <br /> This ensures invalid user input returns an error or uses the fallback<br /> path instead of hitting BUG_ON.<br /> <br /> v2: (Matt A)<br /> - Add Fixes, Cc stable, and Closes tags for context

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: dwc3: gadget: Move vbus draw to workqueue context<br /> <br /> Currently dwc3_gadget_vbus_draw() can be called from atomic<br /> context, which in turn invokes power-supply-core APIs. And<br /> some these PMIC APIs have operations that may sleep, leading<br /> to kernel panic.<br /> <br /> Fix this by moving the vbus_draw into a workqueue context.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> EFI/CPER: don&amp;#39;t dump the entire memory region<br /> <br /> The current logic at cper_print_fw_err() doesn&amp;#39;t check if the<br /> error record length is big enough to handle offset. On a bad firmware,<br /> if the ofset is above the actual record, length -= offset will<br /> underflow, making it dump the entire memory.<br /> <br /> The end result can be:<br /> <br /> - the logic taking a lot of time dumping large regions of memory;<br /> - data disclosure due to the memory dumps;<br /> - an OOPS, if it tries to dump an unmapped memory region.<br /> <br /> Fix it by checking if the section length is too small before doing<br /> a hex dump.<br /> <br /> [ rjw: Subject tweaks ]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: iwlwifi: fix 22000 series SMEM parsing<br /> <br /> If the firmware were to report three LMACs (which doesn&amp;#39;t<br /> exist in hardware) then using "fwrt-&gt;smem_cfg.lmac[2]" is<br /> an overrun of the array. Reject such and use IWL_FW_CHECK<br /> instead of WARN_ON in this function.