Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: mediatek: vcodec: Can&amp;#39;t set dst buffer to done when lat decode error<br /> <br /> Core thread will call v4l2_m2m_buf_done to set dst buffer done for<br /> lat architecture. If lat call v4l2_m2m_buf_done_and_job_finish to<br /> free dst buffer when lat decode error, core thread will access kernel<br /> NULL pointer dereference, then crash.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: vme_user: Fix possible UAF in tsi148_dma_list_add<br /> <br /> Smatch report warning as follows:<br /> <br /> drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn:<br /> &amp;#39;&amp;entry-&gt;list&amp;#39; not removed from list<br /> <br /> In tsi148_dma_list_add(), the error path "goto err_dma" will not<br /> remove entry-&gt;list from list-&gt;entries, but entry will be freed,<br /> then list traversal may cause UAF.<br /> <br /> Fix by removeing it from list-&gt;entries before free().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFS: Fix an Oops in nfs_d_automount()<br /> <br /> When mounting from a NFSv4 referral, path-&gt;dentry can end up being a<br /> negative dentry, so derive the struct nfs_server from the dentry<br /> itself instead.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: Fix user-after-free<br /> <br /> This uses l2cap_chan_hold_unless_zero() after calling<br /> __l2cap_get_chan_blah() to prevent the following trace:<br /> <br /> Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref<br /> *kref)<br /> Bluetooth: chan 0000000023c4974d<br /> Bluetooth: parent 00000000ae861c08<br /> ==================================================================<br /> BUG: KASAN: use-after-free in __mutex_waiter_is_first<br /> kernel/locking/mutex.c:191 [inline]<br /> BUG: KASAN: use-after-free in __mutex_lock_common<br /> kernel/locking/mutex.c:671 [inline]<br /> BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400<br /> kernel/locking/mutex.c:729<br /> Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: hinic: fix the issue of CMDQ memory leaks<br /> <br /> When hinic_set_cmdq_depth() fails in hinic_init_cmdqs(), the cmdq memory is<br /> not released correctly. Fix it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvme: fix multipath crash caused by flush request when blktrace is enabled<br /> <br /> The flush request initialized by blk_kick_flush has NULL bio,<br /> and it may be dealt with nvme_end_req during io completion.<br /> When blktrace is enabled, nvme_trace_bio_complete with multipath<br /> activated trying to access NULL pointer bio from flush request<br /> results in the following crash:<br /> <br /> [ 2517.831677] BUG: kernel NULL pointer dereference, address: 000000000000001a<br /> [ 2517.835213] #PF: supervisor read access in kernel mode<br /> [ 2517.838724] #PF: error_code(0x0000) - not-present page<br /> [ 2517.842222] PGD 7b2d51067 P4D 0<br /> [ 2517.845684] Oops: 0000 [#1] SMP NOPTI<br /> [ 2517.849125] CPU: 2 PID: 732 Comm: kworker/2:1H Kdump: loaded Tainted: G S 5.15.67-0.cl9.x86_64 #1<br /> [ 2517.852723] Hardware name: XFUSION 2288H V6/BC13MBSBC, BIOS 1.13 07/27/2022<br /> [ 2517.856358] Workqueue: nvme_tcp_wq nvme_tcp_io_work [nvme_tcp]<br /> [ 2517.859993] RIP: 0010:blk_add_trace_bio_complete+0x6/0x30<br /> [ 2517.863628] Code: 1f 44 00 00 48 8b 46 08 31 c9 ba 04 00 10 00 48 8b 80 50 03 00 00 48 8b 78 50 e9 e5 fe ff ff 0f 1f 44 00 00 41 54 49 89 f4 55 b6 7a 1a 48 89 d5 e8 3e 1c 2b 00 48 89 ee 4c 89 e7 5d 89 c1 ba<br /> [ 2517.871269] RSP: 0018:ff7f6a008d9dbcd0 EFLAGS: 00010286<br /> [ 2517.875081] RAX: ff3d5b4be00b1d50 RBX: 0000000002040002 RCX: ff3d5b0a270f2000<br /> [ 2517.878966] RDX: 0000000000000000 RSI: ff3d5b0b021fb9f8 RDI: 0000000000000000<br /> [ 2517.882849] RBP: ff3d5b0b96a6fa00 R08: 0000000000000001 R09: 0000000000000000<br /> [ 2517.886718] R10: 000000000000000c R11: 000000000000000c R12: ff3d5b0b021fb9f8<br /> [ 2517.890575] R13: 0000000002000000 R14: ff3d5b0b021fb1b0 R15: 0000000000000018<br /> [ 2517.894434] FS: 0000000000000000(0000) GS:ff3d5b42bfc80000(0000) knlGS:0000000000000000<br /> [ 2517.898299] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 2517.902157] CR2: 000000000000001a CR3: 00000004f023e005 CR4: 0000000000771ee0<br /> [ 2517.906053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [ 2517.909930] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [ 2517.913761] PKRU: 55555554<br /> [ 2517.917558] Call Trace:<br /> [ 2517.921294] <br /> [ 2517.924982] nvme_complete_rq+0x1c3/0x1e0 [nvme_core]<br /> [ 2517.928715] nvme_tcp_recv_pdu+0x4d7/0x540 [nvme_tcp]<br /> [ 2517.932442] nvme_tcp_recv_skb+0x4f/0x240 [nvme_tcp]<br /> [ 2517.936137] ? nvme_tcp_recv_pdu+0x540/0x540 [nvme_tcp]<br /> [ 2517.939830] tcp_read_sock+0x9c/0x260<br /> [ 2517.943486] nvme_tcp_try_recv+0x65/0xa0 [nvme_tcp]<br /> [ 2517.947173] nvme_tcp_io_work+0x64/0x90 [nvme_tcp]<br /> [ 2517.950834] process_one_work+0x1e8/0x390<br /> [ 2517.954473] worker_thread+0x53/0x3c0<br /> [ 2517.958069] ? process_one_work+0x390/0x390<br /> [ 2517.961655] kthread+0x10c/0x130<br /> [ 2517.965211] ? set_kthread_struct+0x40/0x40<br /> [ 2517.968760] ret_from_fork+0x1f/0x30<br /> [ 2517.972285] <br /> <br /> To avoid this situation, add a NULL check for req-&gt;bio before<br /> calling trace_block_bio_complete.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak<br /> <br /> In crb_acpi_add(), we get the TPM2 table to retrieve information<br /> like start method, and then assign them to the priv data, so the<br /> TPM2 table is not used after the init, should be freed, call<br /> acpi_put_table() to fix the memory leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED<br /> <br /> Shifting signed 32-bit value by 31 bits is undefined, so changing<br /> significant bit to unsigned. The UBSAN warning calltrace like below:<br /> <br /> UBSAN: shift-out-of-bounds in ./include/drm/ttm/ttm_tt.h:122:26<br /> left shift of 1 by 31 places cannot be represented in type &amp;#39;int&amp;#39;<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x7d/0xa5<br /> dump_stack+0x15/0x1b<br /> ubsan_epilogue+0xe/0x4e<br /> __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c<br /> ttm_bo_move_memcpy+0x3b4/0x460 [ttm]<br /> bo_driver_move+0x32/0x40 [drm_vram_helper]<br /> ttm_bo_handle_move_mem+0x118/0x200 [ttm]<br /> ttm_bo_validate+0xfa/0x220 [ttm]<br /> drm_gem_vram_pin_locked+0x70/0x1b0 [drm_vram_helper]<br /> drm_gem_vram_pin+0x48/0xb0 [drm_vram_helper]<br /> drm_gem_vram_plane_helper_prepare_fb+0x53/0xe0 [drm_vram_helper]<br /> drm_gem_vram_simple_display_pipe_prepare_fb+0x26/0x30 [drm_vram_helper]<br /> drm_simple_kms_plane_prepare_fb+0x4d/0xe0 [drm_kms_helper]<br /> drm_atomic_helper_prepare_planes+0xda/0x210 [drm_kms_helper]<br /> drm_atomic_helper_commit+0xc3/0x1e0 [drm_kms_helper]<br /> drm_atomic_commit+0x9c/0x160 [drm]<br /> drm_client_modeset_commit_atomic+0x33a/0x380 [drm]<br /> drm_client_modeset_commit_locked+0x77/0x220 [drm]<br /> drm_client_modeset_commit+0x31/0x60 [drm]<br /> __drm_fb_helper_restore_fbdev_mode_unlocked+0xa7/0x170 [drm_kms_helper]<br /> drm_fb_helper_set_par+0x51/0x90 [drm_kms_helper]<br /> fbcon_init+0x316/0x790<br /> visual_init+0x113/0x1d0<br /> do_bind_con_driver+0x2a3/0x5c0<br /> do_take_over_console+0xa9/0x270<br /> do_fbcon_takeover+0xa1/0x170<br /> do_fb_registered+0x2a8/0x340<br /> fbcon_fb_registered+0x47/0xe0<br /> register_framebuffer+0x294/0x4a0<br /> __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]<br /> drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]<br /> drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]<br /> drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]<br /> bochs_pci_probe+0x6ca/0x772 [bochs]<br /> local_pci_probe+0x4d/0xb0<br /> pci_device_probe+0x119/0x320<br /> really_probe+0x181/0x550<br /> __driver_probe_device+0xc6/0x220<br /> driver_probe_device+0x32/0x100<br /> __driver_attach+0x195/0x200<br /> bus_for_each_dev+0xbb/0x120<br /> driver_attach+0x27/0x30<br /> bus_add_driver+0x22e/0x2f0<br /> driver_register+0xa9/0x190<br /> __pci_register_driver+0x90/0xa0<br /> bochs_pci_driver_init+0x52/0x1000 [bochs]<br /> do_one_initcall+0x76/0x430<br /> do_init_module+0x61/0x28a<br /> load_module+0x1f82/0x2e50<br /> __do_sys_finit_module+0xf8/0x190<br /> __x64_sys_finit_module+0x23/0x30<br /> do_syscall_64+0x58/0x80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br />

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown<br /> <br /> lpuart_dma_shutdown tears down lpuart dma, but lpuart_flush_buffer can<br /> still occur which in turn tries to access dma apis if lpuart_dma_tx_use<br /> flag is true. At this point since dma is torn down, these dma apis can<br /> abort. Set lpuart_dma_tx_use and the corresponding rx flag<br /> lpuart_dma_rx_use to false in lpuart_dma_shutdown so that dmas are not<br /> accessed after they are relinquished.<br /> <br /> Otherwise, when try to kill btattach, kernel may panic. This patch may<br /> fix this issue.<br /> root@imx8ulpevk:~# btattach -B /dev/ttyLP2 -S 115200<br /> ^C[ 90.182296] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP<br /> [ 90.189806] Modules linked in: moal(O) mlan(O)<br /> [ 90.194258] CPU: 0 PID: 503 Comm: btattach Tainted: G O 5.15.32-06136-g34eecdf2f9e4 #37<br /> [ 90.203554] Hardware name: NXP i.MX8ULP 9X9 EVK (DT)<br /> [ 90.208513] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 90.215470] pc : fsl_edma3_disable_request+0x8/0x60<br /> [ 90.220358] lr : fsl_edma3_terminate_all+0x34/0x20c<br /> [ 90.225237] sp : ffff800013f0bac0<br /> [ 90.228548] x29: ffff800013f0bac0 x28: 0000000000000001 x27: ffff000008404800<br /> [ 90.235681] x26: ffff000008404960 x25: ffff000008404a08 x24: ffff000008404a00<br /> [ 90.242813] x23: ffff000008404a60 x22: 0000000000000002 x21: 0000000000000000<br /> [ 90.249946] x20: ffff800013f0baf8 x19: ffff00000559c800 x18: 0000000000000000<br /> [ 90.257078] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000<br /> [ 90.264211] x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000040<br /> [ 90.271344] x11: ffff00000600c248 x10: ffff800013f0bb10 x9 : ffff000057bcb090<br /> [ 90.278477] x8 : fffffc0000241a08 x7 : ffff00000534ee00 x6 : ffff000008404804<br /> [ 90.285609] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff0000055b3480<br /> [ 90.292742] x2 : ffff8000135c0000 x1 : ffff00000534ee00 x0 : ffff00000559c800<br /> [ 90.299876] Call trace:<br /> [ 90.302321] fsl_edma3_disable_request+0x8/0x60<br /> [ 90.306851] lpuart_flush_buffer+0x40/0x160<br /> [ 90.311037] uart_flush_buffer+0x88/0x120<br /> [ 90.315050] tty_driver_flush_buffer+0x20/0x30<br /> [ 90.319496] hci_uart_flush+0x44/0x90<br /> [ 90.323162] +0x34/0x12c<br /> [ 90.327253] tty_ldisc_close+0x38/0x70<br /> [ 90.331005] tty_ldisc_release+0xa8/0x190<br /> [ 90.335018] tty_release_struct+0x24/0x8c<br /> [ 90.339022] tty_release+0x3ec/0x4c0<br /> [ 90.342593] __fput+0x70/0x234<br /> [ 90.345652] ____fput+0x14/0x20<br /> [ 90.348790] task_work_run+0x84/0x17c<br /> [ 90.352455] do_exit+0x310/0x96c<br /> [ 90.355688] do_group_exit+0x3c/0xa0<br /> [ 90.359259] __arm64_sys_exit_group+0x1c/0x20<br /> [ 90.363609] invoke_syscall+0x48/0x114<br /> [ 90.367362] el0_svc_common.constprop.0+0xd4/0xfc<br /> [ 90.372068] do_el0_svc+0x2c/0x94<br /> [ 90.375379] el0_svc+0x28/0x80<br /> [ 90.378438] el0t_64_sync_handler+0xa8/0x130<br /> [ 90.382711] el0t_64_sync+0x1a0/0x1a4<br /> [ 90.386376] Code: 17ffffda d503201f d503233f f9409802 (b9400041)<br /> [ 90.392467] ---[ end trace 2f60524b4a43f1f6 ]---<br /> [ 90.397073] note: btattach[503] exited with preempt_count 1<br /> [ 90.402636] Fixing recursive fault but reboot is needed!

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init()<br /> <br /> When insert and remove the orangefs module, there are memory leaked<br /> as below:<br /> <br /> unreferenced object 0xffff88816b0cc000 (size 2048):<br /> comm "insmod", pid 783, jiffies 4294813439 (age 65.512s)<br /> hex dump (first 32 bytes):<br /> 6e 6f 6e 65 0a 00 00 00 00 00 00 00 00 00 00 00 none............<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] kmalloc_trace+0x27/0xa0<br /> [] orangefs_debugfs_init.cold+0xaf/0x17f<br /> [] 0xffffffffa02780f9<br /> [] do_one_initcall+0x87/0x2a0<br /> [] do_init_module+0xdf/0x320<br /> [] load_module+0x2f98/0x3330<br /> [] __do_sys_finit_module+0x113/0x1b0<br /> [] do_syscall_64+0x35/0x80<br /> [] entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> <br /> Use the golbal variable as the buffer rather than dynamic allocate to<br /> slove the problem.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/meson: reorder driver deinit sequence to fix use-after-free bug<br /> <br /> Unloading the driver triggers the following KASAN warning:<br /> <br /> [ +0.006275] =============================================================<br /> [ +0.000029] BUG: KASAN: use-after-free in __list_del_entry_valid+0xe0/0x1a0<br /> [ +0.000026] Read of size 8 at addr ffff000020c395e0 by task rmmod/2695<br /> <br /> [ +0.000019] CPU: 5 PID: 2695 Comm: rmmod Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1<br /> [ +0.000013] Hardware name: Hardkernel ODROID-N2Plus (DT)<br /> [ +0.000008] Call trace:<br /> [ +0.000007] dump_backtrace+0x1ec/0x280<br /> [ +0.000013] show_stack+0x24/0x80<br /> [ +0.000008] dump_stack_lvl+0x98/0xd4<br /> [ +0.000011] print_address_description.constprop.0+0x80/0x520<br /> [ +0.000011] print_report+0x128/0x260<br /> [ +0.000007] kasan_report+0xb8/0xfc<br /> [ +0.000008] __asan_report_load8_noabort+0x3c/0x50<br /> [ +0.000010] __list_del_entry_valid+0xe0/0x1a0<br /> [ +0.000009] drm_atomic_private_obj_fini+0x30/0x200 [drm]<br /> [ +0.000172] drm_bridge_detach+0x94/0x260 [drm]<br /> [ +0.000145] drm_encoder_cleanup+0xa4/0x290 [drm]<br /> [ +0.000144] drm_mode_config_cleanup+0x118/0x740 [drm]<br /> [ +0.000143] drm_mode_config_init_release+0x1c/0x2c [drm]<br /> [ +0.000144] drm_managed_release+0x170/0x414 [drm]<br /> [ +0.000142] drm_dev_put.part.0+0xc0/0x124 [drm]<br /> [ +0.000143] drm_dev_put+0x20/0x30 [drm]<br /> [ +0.000142] meson_drv_unbind+0x1d8/0x2ac [meson_drm]<br /> [ +0.000028] take_down_aggregate_device+0xb0/0x160<br /> [ +0.000016] component_del+0x18c/0x360<br /> [ +0.000009] meson_dw_hdmi_remove+0x28/0x40 [meson_dw_hdmi]<br /> [ +0.000015] platform_remove+0x64/0xb0<br /> [ +0.000009] device_remove+0xb8/0x154<br /> [ +0.000009] device_release_driver_internal+0x398/0x5b0<br /> [ +0.000009] driver_detach+0xac/0x1b0<br /> [ +0.000009] bus_remove_driver+0x158/0x29c<br /> [ +0.000009] driver_unregister+0x70/0xb0<br /> [ +0.000008] platform_driver_unregister+0x20/0x2c<br /> [ +0.000008] meson_dw_hdmi_platform_driver_exit+0x1c/0x30 [meson_dw_hdmi]<br /> [ +0.000012] __do_sys_delete_module+0x288/0x400<br /> [ +0.000011] __arm64_sys_delete_module+0x5c/0x80<br /> [ +0.000009] invoke_syscall+0x74/0x260<br /> [ +0.000009] el0_svc_common.constprop.0+0xcc/0x260<br /> [ +0.000009] do_el0_svc+0x50/0x70<br /> [ +0.000007] el0_svc+0x68/0x1a0<br /> [ +0.000012] el0t_64_sync_handler+0x11c/0x150<br /> [ +0.000008] el0t_64_sync+0x18c/0x190<br /> <br /> [ +0.000018] Allocated by task 0:<br /> [ +0.000007] (stack is not available)<br /> <br /> [ +0.000011] Freed by task 2695:<br /> [ +0.000008] kasan_save_stack+0x2c/0x5c<br /> [ +0.000011] kasan_set_track+0x2c/0x40<br /> [ +0.000008] kasan_set_free_info+0x28/0x50<br /> [ +0.000009] ____kasan_slab_free+0x128/0x1d4<br /> [ +0.000008] __kasan_slab_free+0x18/0x24<br /> [ +0.000007] slab_free_freelist_hook+0x108/0x230<br /> [ +0.000011] kfree+0x110/0x35c<br /> [ +0.000008] release_nodes+0xf0/0x16c<br /> [ +0.000009] devres_release_group+0x180/0x270<br /> [ +0.000008] component_unbind+0x128/0x1e0<br /> [ +0.000010] component_unbind_all+0x1b8/0x264<br /> [ +0.000009] meson_drv_unbind+0x1a0/0x2ac [meson_drm]<br /> [ +0.000025] take_down_aggregate_device+0xb0/0x160<br /> [ +0.000009] component_del+0x18c/0x360<br /> [ +0.000009] meson_dw_hdmi_remove+0x28/0x40 [meson_dw_hdmi]<br /> [ +0.000012] platform_remove+0x64/0xb0<br /> [ +0.000008] device_remove+0xb8/0x154<br /> [ +0.000009] device_release_driver_internal+0x398/0x5b0<br /> [ +0.000009] driver_detach+0xac/0x1b0<br /> [ +0.000009] bus_remove_driver+0x158/0x29c<br /> [ +0.000008] driver_unregister+0x70/0xb0<br /> [ +0.000008] platform_driver_unregister+0x20/0x2c<br /> [ +0.000008] meson_dw_hdmi_platform_driver_exit+0x1c/0x30 [meson_dw_hdmi]<br /> [ +0.000011] __do_sys_delete_module+0x288/0x400<br /> [ +0.000010] __arm64_sys_delete_module+0x5c/0x80<br /> [ +0.000008] invoke_syscall+0x74/0x260<br /> [ +0.000008] el0_svc_common.constprop.0+0xcc/0x260<br /> [ +0.000008] do_el0_svc+0x50/0x70<br /> [ +0.000007] el0_svc+0x68/0x1a0<br /> [ +0.000009] el0t_64_sync_handler+0x11c/0x150<br /> [ +0.000009] el0t_64_sync+0x18c/0x190<br /> <br /> [ +0.000014] The buggy address belongs to the object at ffff000020c39000<br /> ---truncated---