Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/iommu: Add missing of_node_put in iommu_init_early_dart<br /> <br /> The device_node pointer is returned by of_find_compatible_node<br /> with refcount incremented. We should use of_node_put() to avoid<br /> the refcount leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/xics: fix refcount leak in icp_opal_init()<br /> <br /> The of_find_compatible_node() function returns a node pointer with<br /> refcount incremented, use of_node_put() on it when done.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/hfi1: Prevent use of lock before it is initialized<br /> <br /> If there is a failure during probe of hfi1 before the sdma_map_lock is<br /> initialized, the call to hfi1_free_devdata() will attempt to use a lock<br /> that has not been initialized. If the locking correctness validator is on<br /> then an INFO message and stack trace resembling the following may be seen:<br /> <br /> INFO: trying to register non-static key.<br /> The code is fine but needs lockdep annotation, or maybe<br /> you didn&amp;#39;t initialize this object before use?<br /> turning off the locking correctness validator.<br /> Call Trace:<br /> register_lock_class+0x11b/0x880<br /> __lock_acquire+0xf3/0x7930<br /> lock_acquire+0xff/0x2d0<br /> _raw_spin_lock_irq+0x46/0x60<br /> sdma_clean+0x42a/0x660 [hfi1]<br /> hfi1_free_devdata+0x3a7/0x420 [hfi1]<br /> init_one+0x867/0x11a0 [hfi1]<br /> pci_device_probe+0x40e/0x8d0<br /> <br /> The use of sdma_map_lock in sdma_clean() is for freeing the sdma_map<br /> memory, and sdma_map is not allocated/initialized until after<br /> sdma_map_lock has been initialized. This code only needs to be run if<br /> sdma_map is not NULL, and so checking for that condition will avoid trying<br /> to use the lock before it is initialized.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store()<br /> <br /> The sysfs sriov_numvfs_store() path acquires the device lock before the<br /> config space access lock:<br /> <br /> sriov_numvfs_store<br /> device_lock # A (1) acquire device lock<br /> sriov_configure<br /> vfio_pci_sriov_configure # (for example)<br /> vfio_pci_core_sriov_configure<br /> pci_disable_sriov<br /> sriov_disable<br /> pci_cfg_access_lock<br /> pci_wait_cfg # B (4) wait for dev-&gt;block_cfg_access == 0<br /> <br /> Previously, pci_dev_lock() acquired the config space access lock before the<br /> device lock:<br /> <br /> pci_dev_lock<br /> pci_cfg_access_lock<br /> dev-&gt;block_cfg_access = 1 # B (2) set dev-&gt;block_cfg_access = 1<br /> device_lock # A (3) wait for device lock<br /> <br /> Any path that uses pci_dev_lock(), e.g., pci_reset_function(), may<br /> deadlock with sriov_numvfs_store() if the operations occur in the sequence<br /> (1) (2) (3) (4).<br /> <br /> Avoid the deadlock by reversing the order in pci_dev_lock() so it acquires<br /> the device lock before the config space access lock, the same as the<br /> sriov_numvfs_store() path.<br /> <br /> [bhelgaas: combined and adapted commit log from Jay Zhou&amp;#39;s independent<br /> subsequent posting:<br /> https://lore.kernel.org/r/20220404062539.1710-1-jianjay.zhou@huawei.com]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mfd: davinci_voicecodec: Fix possible null-ptr-deref davinci_vc_probe()<br /> <br /> It will cause null-ptr-deref when using &amp;#39;res&amp;#39;, if platform_get_resource()<br /> returns NULL, so move using &amp;#39;res&amp;#39; after devm_ioremap_resource() that<br /> will check it to avoid null-ptr-deref.<br /> And use devm_platform_get_and_ioremap_resource() to simplify code.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211: fix use-after-free in chanctx code<br /> <br /> In ieee80211_vif_use_reserved_context(), when we have an<br /> old context and the new context&amp;#39;s replace_state is set to<br /> IEEE80211_CHANCTX_REPLACE_NONE, we free the old context<br /> in ieee80211_vif_use_reserved_reassign(). Therefore, we<br /> cannot check the old_ctx anymore, so we should set it to<br /> NULL after this point.<br /> <br /> However, since the new_ctx replace state is clearly not<br /> IEEE80211_CHANCTX_REPLACES_OTHER, we&amp;#39;re not going to do<br /> anything else in this function and can just return to<br /> avoid accessing the freed old_ctx.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> video: fbdev: vesafb: Fix a use-after-free due early fb_info cleanup<br /> <br /> Commit b3c9a924aab6 ("fbdev: vesafb: Cleanup fb_info in .fb_destroy rather<br /> than .remove") fixed a use-after-free error due the vesafb driver freeing<br /> the fb_info in the .remove handler instead of doing it in .fb_destroy.<br /> <br /> This can happen if the .fb_destroy callback is executed after the .remove<br /> callback, since the former tries to access a pointer freed by the latter.<br /> <br /> But that change didn&amp;#39;t take into account that another possible scenario is<br /> that .fb_destroy is called before the .remove callback. For example, if no<br /> process has the fbdev chardev opened by the time the driver is removed.<br /> <br /> If that&amp;#39;s the case, fb_info will be freed when unregister_framebuffer() is<br /> called, making the fb_info pointer accessed in vesafb_remove() after that<br /> to no longer be valid.<br /> <br /> To prevent that, move the expression containing the info-&gt;par to happen<br /> before the unregister_framebuffer() function call.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iwlwifi: mei: fix potential NULL-ptr deref<br /> <br /> If SKB allocation fails, continue rather than using the NULL<br /> pointer.<br /> <br /> Coverity CID: 1497650

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: annotate races around sk-&gt;sk_bound_dev_if<br /> <br /> UDP sendmsg() is lockless, and reads sk-&gt;sk_bound_dev_if while<br /> this field can be changed by another thread.<br /> <br /> Adds minimal annotations to avoid KCSAN splats for UDP.<br /> Following patches will add more annotations to potential lockless readers.<br /> <br /> BUG: KCSAN: data-race in __ip6_datagram_connect / udpv6_sendmsg<br /> <br /> write to 0xffff888136d47a94 of 4 bytes by task 7681 on cpu 0:<br /> __ip6_datagram_connect+0x6e2/0x930 net/ipv6/datagram.c:221<br /> ip6_datagram_connect+0x2a/0x40 net/ipv6/datagram.c:272<br /> inet_dgram_connect+0x107/0x190 net/ipv4/af_inet.c:576<br /> __sys_connect_file net/socket.c:1900 [inline]<br /> __sys_connect+0x197/0x1b0 net/socket.c:1917<br /> __do_sys_connect net/socket.c:1927 [inline]<br /> __se_sys_connect net/socket.c:1924 [inline]<br /> __x64_sys_connect+0x3d/0x50 net/socket.c:1924<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> read to 0xffff888136d47a94 of 4 bytes by task 7670 on cpu 1:<br /> udpv6_sendmsg+0xc60/0x16e0 net/ipv6/udp.c:1436<br /> inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:652<br /> sock_sendmsg_nosec net/socket.c:705 [inline]<br /> sock_sendmsg net/socket.c:725 [inline]<br /> ____sys_sendmsg+0x39a/0x510 net/socket.c:2413<br /> ___sys_sendmsg net/socket.c:2467 [inline]<br /> __sys_sendmmsg+0x267/0x4c0 net/socket.c:2553<br /> __do_sys_sendmmsg net/socket.c:2582 [inline]<br /> __se_sys_sendmmsg net/socket.c:2579 [inline]<br /> __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> value changed: 0x00000000 -&gt; 0xffffff9b<br /> <br /> Reported by Kernel Concurrency Sanitizer on:<br /> CPU: 1 PID: 7670 Comm: syz-executor.3 Tainted: G W 5.18.0-rc1-syzkaller-dirty #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011<br /> <br /> I chose to not add Fixes: tag because race has minor consequences<br /> and stable teams busy enough.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup<br /> <br /> of_parse_phandle() returns a node pointer with refcount incremented, we should<br /> use of_node_put() on it when not need anymore. Add missing of_node_put() to<br /> avoid refcount leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: idxd: Fix the error handling path in idxd_cdev_register()<br /> <br /> If a call to alloc_chrdev_region() fails, the already allocated resources<br /> are leaking.<br /> <br /> Add the needed error handling path to fix the leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rtla: Avoid record NULL pointer dereference<br /> <br /> Fix the following null/deref_null.cocci errors:<br /> ./tools/tracing/rtla/src/osnoise_hist.c:870:31-36: ERROR: record is NULL but dereferenced.<br /> ./tools/tracing/rtla/src/osnoise_top.c:650:31-36: ERROR: record is NULL but dereferenced.<br /> ./tools/tracing/rtla/src/timerlat_hist.c:905:31-36: ERROR: record is NULL but dereferenced.<br /> ./tools/tracing/rtla/src/timerlat_top.c:700:31-36: ERROR: record is NULL but dereferenced.<br /> <br /> "record" is NULL before calling osnoise_init_trace_tool.<br /> Add a tag "out_free" to avoid dereferring a NULL pointer.