Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: lpfc: Fix null ndlp ptr dereference in abnormal exit path for GFT_ID<br /> <br /> An error case exit from lpfc_cmpl_ct_cmd_gft_id() results in a call to<br /> lpfc_nlp_put() with a null pointer to a nodelist structure.<br /> <br /> Changed lpfc_cmpl_ct_cmd_gft_id() to initialize nodelist pointer upon<br /> entry.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> platform/chrome: cros_usbpd_notify: Fix error handling in cros_usbpd_notify_init()<br /> <br /> The following WARNING message was given when rmmod cros_usbpd_notify:<br /> <br /> Unexpected driver unregister!<br /> WARNING: CPU: 0 PID: 253 at drivers/base/driver.c:270 driver_unregister+0x8a/0xb0<br /> Modules linked in: cros_usbpd_notify(-)<br /> CPU: 0 PID: 253 Comm: rmmod Not tainted 6.1.0-rc3 #24<br /> ...<br /> Call Trace:<br /> <br /> cros_usbpd_notify_exit+0x11/0x1e [cros_usbpd_notify]<br /> __x64_sys_delete_module+0x3c7/0x570<br /> ? __ia32_sys_delete_module+0x570/0x570<br /> ? lock_is_held_type+0xe3/0x140<br /> ? syscall_enter_from_user_mode+0x17/0x50<br /> ? rcu_read_lock_sched_held+0xa0/0xd0<br /> ? syscall_enter_from_user_mode+0x1c/0x50<br /> do_syscall_64+0x37/0x90<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> RIP: 0033:0x7f333fe9b1b7<br /> <br /> The reason is that the cros_usbpd_notify_init() does not check the return<br /> value of platform_driver_register(), and the cros_usbpd_notify can<br /> install successfully even if platform_driver_register() failed.<br /> <br /> Fix by checking the return value of platform_driver_register() and<br /> unregister cros_usbpd_notify_plat_driver when it failed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw()<br /> <br /> In rtw_init_drv_sw(), there are various init functions are called to<br /> populate the padapter structure and some checks for their return value.<br /> However, except for the first one error path, the other five error paths<br /> do not properly release the previous allocated resources, which leads to<br /> various memory leaks.<br /> <br /> This patch fixes them and keeps the success and error separate.<br /> Note that these changes keep the form of `rtw_init_drv_sw()` in<br /> "drivers/staging/r8188eu/os_dep/os_intfs.c". As there is no proper device<br /> to test with, no runtime testing was performed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: Fix xid leak in cifs_flock()<br /> <br /> If not flock, before return -ENOLCK, should free the xid,<br /> otherwise, the xid will be leaked.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethernet: ti: am65-cpsw: Fix PM runtime leakage in am65_cpsw_nuss_ndo_slave_open()<br /> <br /> Ensure pm_runtime_put() is issued in error path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> MIPS: vpe-mt: fix possible memory leak while module exiting<br /> <br /> Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device&amp;#39;s<br /> bus_id string array"), the name of device is allocated dynamically,<br /> it need be freed when module exiting, call put_device() to give up<br /> reference, so that it can be freed in kobject_cleanup() when the<br /> refcount hit to 0. The vpe_device is static, so remove kfree() from<br /> vpe_device_release().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/52xx: Fix a resource leak in an error handling path<br /> <br /> The error handling path of mpc52xx_lpbfifo_probe() has a request_irq()<br /> that is not balanced by a corresponding free_irq().<br /> <br /> Add the missing call, as already done in the remove function.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mt76: mt7915: Fix PCI device refcount leak in mt7915_pci_init_hif2()<br /> <br /> As comment of pci_get_device() says, it returns a pci_device with its<br /> refcount increased. We need to call pci_dev_put() to decrease the<br /> refcount. Save the return value of pci_get_device() and call<br /> pci_dev_put() to decrease the refcount.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: tegra: Fix refcount leak in tegra210_clock_init<br /> <br /> of_find_matching_node() returns a node pointer with refcount<br /> incremented, we should use of_node_put() on it when not need anymore.<br /> Add missing of_node_put() to avoid refcount leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()<br /> <br /> Fix a NULL pointer crash that occurs when we are freeing the socket at the<br /> same time we access it via sysfs.<br /> <br /> The problem is that:<br /> <br /> 1. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() take<br /> the frwd_lock and do sock_hold() then drop the frwd_lock. sock_hold()<br /> does a get on the "struct sock".<br /> <br /> 2. iscsi_sw_tcp_release_conn() does sockfd_put() which does the last put<br /> on the "struct socket" and that does __sock_release() which sets the<br /> sock-&gt;ops to NULL.<br /> <br /> 3. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() then<br /> call kernel_getpeername() which accesses the NULL sock-&gt;ops.<br /> <br /> Above we do a get on the "struct sock", but we needed a get on the "struct<br /> socket". Originally, we just held the frwd_lock the entire time but in<br /> commit bcf3a2953d36 ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while<br /> calling getpeername()") we switched to refcount based because the network<br /> layer changed and started taking a mutex in that path, so we could no<br /> longer hold the frwd_lock.<br /> <br /> Instead of trying to maintain multiple refcounts, this just has us use a<br /> mutex for accessing the socket in the interface code paths.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: Fix memory leak on ntfs_fill_super() error path<br /> <br /> syzbot reported kmemleak as below:<br /> <br /> BUG: memory leak<br /> unreferenced object 0xffff8880122f1540 (size 32):<br /> comm "a.out", pid 6664, jiffies 4294939771 (age 25.500s)<br /> hex dump (first 32 bytes):<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> 00 00 00 00 00 00 00 00 ed ff ed ff 00 00 00 00 ................<br /> backtrace:<br /> [] ntfs_init_fs_context+0x22/0x1c0<br /> [] alloc_fs_context+0x217/0x430<br /> [] path_mount+0x704/0x1080<br /> [] __x64_sys_mount+0x18c/0x1d0<br /> [] do_syscall_64+0x34/0xb0<br /> [] entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> This patch fixes this issue by freeing mount options on error path of<br /> ntfs_fill_super().