Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> md/raid10: fix wrong setting of max_corr_read_errors<br /> <br /> There is no input check when echo md/max_read_errors and overflow might<br /> occur. Add check of input number.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fbdev/ep93xx-fb: Do not assign to struct fb_info.dev<br /> <br /> Do not assing the Linux device to struct fb_info.dev. The call to<br /> register_framebuffer() initializes the field to the fbdev device.<br /> Drivers should not override its value.<br /> <br /> Fixes a bug where the driver incorrectly decreases the hardware<br /> device&amp;#39;s reference counter and leaks the fbdev device.<br /> <br /> v2:<br /> * add Fixes tag (Dan)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath11k: Fix SKB corruption in REO destination ring<br /> <br /> While running traffics for a long time, randomly an RX descriptor<br /> filled with value "0" from REO destination ring is received.<br /> This descriptor which is invalid causes the wrong SKB (SKB stored in<br /> the IDR lookup with buffer id "0") to be fetched which in turn<br /> causes SKB memory corruption issue and the same leads to crash<br /> after some time.<br /> <br /> Changed the start id for idr allocation to "1" and the buffer id "0"<br /> is reserved for error validation. Introduced Sanity check to validate<br /> the descriptor, before processing the SKB.<br /> <br /> Crash Signature :<br /> <br /> Unable to handle kernel paging request at virtual address 3f004900<br /> PC points to "b15_dma_inv_range+0x30/0x50"<br /> LR points to "dma_cache_maint_page+0x8c/0x128".<br /> The Backtrace obtained is as follows:<br /> [] (b15_dma_inv_range) from [] (dma_cache_maint_page+0x8c/0x128)<br /> [] (dma_cache_maint_page) from [] (__dma_page_dev_to_cpu+0x28/0xcc)<br /> [] (__dma_page_dev_to_cpu) from [] (ath11k_dp_process_rx+0x1e8/0x4a4 [ath11k])<br /> [] (ath11k_dp_process_rx [ath11k]) from [] (ath11k_dp_service_srng+0xb0/0x2ac [ath11k])<br /> [] (ath11k_dp_service_srng [ath11k]) from [] (ath11k_pci_ext_grp_napi_poll+0x1c/0x78 [ath11k_pci])<br /> [] (ath11k_pci_ext_grp_napi_poll [ath11k_pci]) from [] (__napi_poll+0x28/0xb8)<br /> [] (__napi_poll) from [] (net_rx_action+0xf0/0x280)<br /> [] (net_rx_action) from [] (__do_softirq+0xd0/0x280)<br /> [] (__do_softirq) from [] (irq_exit+0x74/0xd4)<br /> [] (irq_exit) from [] (__handle_domain_irq+0x90/0xb4)<br /> [] (__handle_domain_irq) from [] (gic_handle_irq+0x58/0x90)<br /> [] (gic_handle_irq) from [] (__irq_svc+0x58/0x8c)<br /> <br /> Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/msm/dp: Free resources after unregistering them<br /> <br /> The DP component&amp;#39;s unbind operation walks through the submodules to<br /> unregister and clean things up. But if the unbind happens because the DP<br /> controller itself is being removed, all the memory for those submodules<br /> has just been freed.<br /> <br /> Change the order of these operations to avoid the many use-after-free<br /> that otherwise happens in this code path.<br /> <br /> Patchwork: https://patchwork.freedesktop.org/patch/542166/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix WARNING in mb_find_extent<br /> <br /> Syzbot found the following issue:<br /> <br /> EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support!<br /> EXT4-fs (loop0): orphan cleanup on readonly fs<br /> ------------[ cut here ]------------<br /> WARNING: CPU: 1 PID: 5067 at fs/ext4/mballoc.c:1869 mb_find_extent+0x8a1/0xe30<br /> Modules linked in:<br /> CPU: 1 PID: 5067 Comm: syz-executor307 Not tainted 6.2.0-rc1-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022<br /> RIP: 0010:mb_find_extent+0x8a1/0xe30 fs/ext4/mballoc.c:1869<br /> RSP: 0018:ffffc90003c9e098 EFLAGS: 00010293<br /> RAX: ffffffff82405731 RBX: 0000000000000041 RCX: ffff8880783457c0<br /> RDX: 0000000000000000 RSI: 0000000000000041 RDI: 0000000000000040<br /> RBP: 0000000000000040 R08: ffffffff82405723 R09: ffffed10053c9402<br /> R10: ffffed10053c9402 R11: 1ffff110053c9401 R12: 0000000000000000<br /> R13: ffffc90003c9e538 R14: dffffc0000000000 R15: ffffc90003c9e2cc<br /> FS: 0000555556665300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000056312f6796f8 CR3: 0000000022437000 CR4: 00000000003506e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ext4_mb_complex_scan_group+0x353/0x1100 fs/ext4/mballoc.c:2307<br /> ext4_mb_regular_allocator+0x1533/0x3860 fs/ext4/mballoc.c:2735<br /> ext4_mb_new_blocks+0xddf/0x3db0 fs/ext4/mballoc.c:5605<br /> ext4_ext_map_blocks+0x1868/0x6880 fs/ext4/extents.c:4286<br /> ext4_map_blocks+0xa49/0x1cc0 fs/ext4/inode.c:651<br /> ext4_getblk+0x1b9/0x770 fs/ext4/inode.c:864<br /> ext4_bread+0x2a/0x170 fs/ext4/inode.c:920<br /> ext4_quota_write+0x225/0x570 fs/ext4/super.c:7105<br /> write_blk fs/quota/quota_tree.c:64 [inline]<br /> get_free_dqblk+0x34a/0x6d0 fs/quota/quota_tree.c:130<br /> do_insert_tree+0x26b/0x1aa0 fs/quota/quota_tree.c:340<br /> do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375<br /> do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375<br /> do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375<br /> dq_insert_tree fs/quota/quota_tree.c:401 [inline]<br /> qtree_write_dquot+0x3b6/0x530 fs/quota/quota_tree.c:420<br /> v2_write_dquot+0x11b/0x190 fs/quota/quota_v2.c:358<br /> dquot_acquire+0x348/0x670 fs/quota/dquot.c:444<br /> ext4_acquire_dquot+0x2dc/0x400 fs/ext4/super.c:6740<br /> dqget+0x999/0xdc0 fs/quota/dquot.c:914<br /> __dquot_initialize+0x3d0/0xcf0 fs/quota/dquot.c:1492<br /> ext4_process_orphan+0x57/0x2d0 fs/ext4/orphan.c:329<br /> ext4_orphan_cleanup+0xb60/0x1340 fs/ext4/orphan.c:474<br /> __ext4_fill_super fs/ext4/super.c:5516 [inline]<br /> ext4_fill_super+0x81cd/0x8700 fs/ext4/super.c:5644<br /> get_tree_bdev+0x400/0x620 fs/super.c:1282<br /> vfs_get_tree+0x88/0x270 fs/super.c:1489<br /> do_new_mount+0x289/0xad0 fs/namespace.c:3145<br /> do_mount fs/namespace.c:3488 [inline]<br /> __do_sys_mount fs/namespace.c:3697 [inline]<br /> __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> Add some debug information:<br /> mb_find_extent: mb_find_extent block=41, order=0 needed=64 next=0 ex=0/41/1@3735929054 64 64 7<br /> block_bitmap: ff 3f 0c 00 fc 01 00 00 d2 3d 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff<br /> <br /> Acctually, blocks per group is 64, but block bitmap indicate at least has<br /> 128 blocks. Now, ext4_validate_block_bitmap() didn&amp;#39;t check invalid block&amp;#39;s<br /> bitmap if set.<br /> To resolve above issue, add check like fsck "Padding at end of block bitmap is<br /> not set".

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> recordmcount: Fix memory leaks in the uwrite function<br /> <br /> Common realloc mistake: &amp;#39;file_append&amp;#39; nulled but not freed upon failure

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: arm64: Handle kvm_arm_init failure correctly in finalize_pkvm<br /> <br /> Currently there is no synchronisation between finalize_pkvm() and<br /> kvm_arm_init() initcalls. The finalize_pkvm() proceeds happily even if<br /> kvm_arm_init() fails resulting in the following warning on all the CPUs<br /> and eventually a HYP panic:<br /> <br /> | kvm [1]: IPA Size Limit: 48 bits<br /> | kvm [1]: Failed to init hyp memory protection<br /> | kvm [1]: error initializing Hyp mode: -22<br /> |<br /> | <br /> |<br /> | WARNING: CPU: 0 PID: 0 at arch/arm64/kvm/pkvm.c:226 _kvm_host_prot_finalize+0x30/0x50<br /> | Modules linked in:<br /> | CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0 #237<br /> | Hardware name: FVP Base RevC (DT)<br /> | pstate: 634020c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)<br /> | pc : _kvm_host_prot_finalize+0x30/0x50<br /> | lr : __flush_smp_call_function_queue+0xd8/0x230<br /> |<br /> | Call trace:<br /> | _kvm_host_prot_finalize+0x3c/0x50<br /> | on_each_cpu_cond_mask+0x3c/0x6c<br /> | pkvm_drop_host_privileges+0x4c/0x78<br /> | finalize_pkvm+0x3c/0x5c<br /> | do_one_initcall+0xcc/0x240<br /> | do_initcall_level+0x8c/0xac<br /> | do_initcalls+0x54/0x94<br /> | do_basic_setup+0x1c/0x28<br /> | kernel_init_freeable+0x100/0x16c<br /> | kernel_init+0x20/0x1a0<br /> | ret_from_fork+0x10/0x20<br /> | Failed to finalize Hyp protection: -22<br /> | dtb=fvp-base-revc.dtb<br /> | kvm [95]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:540!<br /> | kvm [95]: nVHE call trace:<br /> | kvm [95]: [] __kvm_nvhe_hyp_panic+0xac/0xf8<br /> | kvm [95]: [] __kvm_nvhe_handle_host_mem_abort+0x1a0/0x2ac<br /> | kvm [95]: [] __kvm_nvhe_handle_trap+0x4c/0x160<br /> | kvm [95]: [] __kvm_nvhe___skip_pauth_save+0x4/0x4<br /> | kvm [95]: ---[ end nVHE call trace ]---<br /> | kvm [95]: Hyp Offset: 0xfffe8db00ffa0000<br /> | Kernel panic - not syncing: HYP panic:<br /> | PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800<br /> | FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000<br /> | VCPU:0000000000000000<br /> | CPU: 3 PID: 95 Comm: kworker/u16:2 Tainted: G W 6.4.0 #237<br /> | Hardware name: FVP Base RevC (DT)<br /> | Workqueue: rpciod rpc_async_schedule<br /> | Call trace:<br /> | dump_backtrace+0xec/0x108<br /> | show_stack+0x18/0x2c<br /> | dump_stack_lvl+0x50/0x68<br /> | dump_stack+0x18/0x24<br /> | panic+0x138/0x33c<br /> | nvhe_hyp_panic_handler+0x100/0x184<br /> | new_slab+0x23c/0x54c<br /> | ___slab_alloc+0x3e4/0x770<br /> | kmem_cache_alloc_node+0x1f0/0x278<br /> | __alloc_skb+0xdc/0x294<br /> | tcp_stream_alloc_skb+0x2c/0xf0<br /> | tcp_sendmsg_locked+0x3d0/0xda4<br /> | tcp_sendmsg+0x38/0x5c<br /> | inet_sendmsg+0x44/0x60<br /> | sock_sendmsg+0x1c/0x34<br /> | xprt_sock_sendmsg+0xdc/0x274<br /> | xs_tcp_send_request+0x1ac/0x28c<br /> | xprt_transmit+0xcc/0x300<br /> | call_transmit+0x78/0x90<br /> | __rpc_execute+0x114/0x3d8<br /> | rpc_async_schedule+0x28/0x48<br /> | process_one_work+0x1d8/0x314<br /> | worker_thread+0x248/0x474<br /> | kthread+0xfc/0x184<br /> | ret_from_fork+0x10/0x20<br /> | SMP: stopping secondary CPUs<br /> | Kernel Offset: 0x57c5cb460000 from 0xffff800080000000<br /> | PHYS_OFFSET: 0x80000000<br /> | CPU features: 0x00000000,1035b7a3,ccfe773f<br /> | Memory Limit: none<br /> | ---[ end Kernel panic - not syncing: HYP panic:<br /> | PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800<br /> | FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000<br /> | VCPU:0000000000000000 ]---<br /> <br /> Fix it by checking for the successfull initialisation of kvm_arm_init()<br /> in finalize_pkvm() before proceeding any futher.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: Fix use-after-free<br /> <br /> Fix potential use-after-free in l2cap_le_command_rej.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fsdax: force clear dirty mark if CoW<br /> <br /> XFS allows CoW on non-shared extents to combat fragmentation[1]. The old<br /> non-shared extent could be mwrited before, its dax entry is marked dirty. <br /> <br /> This results in a WARNing:<br /> <br /> [ 28.512349] ------------[ cut here ]------------<br /> [ 28.512622] WARNING: CPU: 2 PID: 5255 at fs/dax.c:390 dax_insert_entry+0x342/0x390<br /> [ 28.513050] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace fscache netfs nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables<br /> [ 28.515462] CPU: 2 PID: 5255 Comm: fsstress Kdump: loaded Not tainted 6.3.0-rc1-00001-g85e1481e19c1-dirty #117<br /> [ 28.515902] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.1-1-1 04/01/2014<br /> [ 28.516307] RIP: 0010:dax_insert_entry+0x342/0x390<br /> [ 28.516536] Code: 30 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 8b 45 20 48 83 c0 01 e9 e2 fe ff ff 48 8b 45 20 48 83 c0 01 e9 cd fe ff ff 0b e9 53 ff ff ff 48 8b 7c 24 08 31 f6 e8 1b 61 a1 00 eb 8c 48<br /> [ 28.517417] RSP: 0000:ffffc9000845fb18 EFLAGS: 00010086<br /> [ 28.517721] RAX: 0000000000000053 RBX: 0000000000000155 RCX: 000000000018824b<br /> [ 28.518113] RDX: 0000000000000000 RSI: ffffffff827525a6 RDI: 00000000ffffffff<br /> [ 28.518515] RBP: ffffea00062092c0 R08: 0000000000000000 R09: ffffc9000845f9c8<br /> [ 28.518905] R10: 0000000000000003 R11: ffffffff82ddb7e8 R12: 0000000000000155<br /> [ 28.519301] R13: 0000000000000000 R14: 000000000018824b R15: ffff88810cfa76b8<br /> [ 28.519703] FS: 00007f14a0c94740(0000) GS:ffff88817bd00000(0000) knlGS:0000000000000000<br /> [ 28.520148] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 28.520472] CR2: 00007f14a0c8d000 CR3: 000000010321c004 CR4: 0000000000770ee0<br /> [ 28.520863] PKRU: 55555554<br /> [ 28.521043] Call Trace:<br /> [ 28.521219] <br /> [ 28.521368] dax_fault_iter+0x196/0x390<br /> [ 28.521595] dax_iomap_pte_fault+0x19b/0x3d0<br /> [ 28.521852] __xfs_filemap_fault+0x234/0x2b0<br /> [ 28.522116] __do_fault+0x30/0x130<br /> [ 28.522334] do_fault+0x193/0x340<br /> [ 28.522586] __handle_mm_fault+0x2d3/0x690<br /> [ 28.522975] handle_mm_fault+0xe6/0x2c0<br /> [ 28.523259] do_user_addr_fault+0x1bc/0x6f0<br /> [ 28.523521] exc_page_fault+0x60/0x140<br /> [ 28.523763] asm_exc_page_fault+0x22/0x30<br /> [ 28.524001] RIP: 0033:0x7f14a0b589ca<br /> [ 28.524225] Code: c5 fe 7f 07 c5 fe 7f 47 20 c5 fe 7f 47 40 c5 fe 7f 47 60 c5 f8 77 c3 66 0f 1f 84 00 00 00 00 00 40 0f b6 c6 48 89 d1 48 89 fa aa 48 89 d0 c5 f8 77 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90<br /> [ 28.525198] RSP: 002b:00007fff1dea1c98 EFLAGS: 00010202<br /> [ 28.525505] RAX: 000000000000001e RBX: 000000000014a000 RCX: 0000000000006046<br /> [ 28.525895] RDX: 00007f14a0c82000 RSI: 000000000000001e RDI: 00007f14a0c8d000<br /> [ 28.526290] RBP: 000000000000006f R08: 0000000000000004 R09: 000000000014a000<br /> [ 28.526681] R10: 0000000000000008 R11: 0000000000000246 R12: 028f5c28f5c28f5c<br /> [ 28.527067] R13: 8f5c28f5c28f5c29 R14: 0000000000011046 R15: 00007f14a0c946c0<br /> [ 28.527449] <br /> [ 28.527600] ---[ end trace 0000000000000000 ]---<br /> <br /> <br /> To be able to delete this entry, clear its dirty mark before<br /> invalidate_inode_pages2_range().<br /> <br /> [1] https://lore.kernel.org/linux-xfs/20230321151339.GA11376@frogsfrogsfrogs/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails<br /> <br /> If getting an ID or setting up a work queue in rbd_dev_create() fails,<br /> use-after-free on rbd_dev-&gt;rbd_client, rbd_dev-&gt;spec and rbd_dev-&gt;opts<br /> is triggered in do_rbd_add(). The root cause is that the ownership of<br /> these structures is transfered to rbd_dev prematurely and they all end<br /> up getting freed when rbd_dev_create() calls rbd_dev_free() prior to<br /> returning to do_rbd_add().<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE, an<br /> incomplete patch submitted by Natalia Petrova .

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: fec: Better handle pm_runtime_get() failing in .remove()<br /> <br /> In the (unlikely) event that pm_runtime_get() (disguised as<br /> pm_runtime_resume_and_get()) fails, the remove callback returned an<br /> error early. The problem with this is that the driver core ignores the<br /> error value and continues removing the device. This results in a<br /> resource leak. Worse the devm allocated resources are freed and so if a<br /> callback of the driver is called later the register mapping is already<br /> gone which probably results in a crash.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/radeon: Fix integer overflow in radeon_cs_parser_init<br /> <br /> The type of size is unsigned, if size is 0x40000000, there will be an<br /> integer overflow, size will be zero after size *= sizeof(uint32_t),<br /> will cause uninitialized memory to be referenced later