Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: gpib: fix unset padding field copy back to userspace<br /> <br /> The introduction of a padding field in the gpib_board_info_ioctl is<br /> showing up as initialized data on the stack frame being copyied back<br /> to userspace in function board_info_ioctl. The simplest fix is to<br /> initialize the entire struct to zero to ensure all unassigned padding<br /> fields are zero&amp;#39;d before being copied back to userspace.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtl818x: Kill URBs before clearing tx status queue<br /> <br /> In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing<br /> b_tx_status.queue. This change prevents callbacks from using already freed<br /> skb due to anchor was not killed before freeing such skb.<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000080<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: Oops: 0000 [#1] SMP NOPTI<br /> CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015<br /> RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]<br /> Call Trace:<br /> <br /> rtl8187_tx_cb+0x116/0x150 [rtl8187]<br /> __usb_hcd_giveback_urb+0x9d/0x120<br /> usb_giveback_urb_bh+0xbb/0x140<br /> process_one_work+0x19b/0x3c0<br /> bh_worker+0x1a7/0x210<br /> tasklet_action+0x10/0x30<br /> handle_softirqs+0xf0/0x340<br /> __irq_exit_rcu+0xcd/0xf0<br /> common_interrupt+0x85/0xa0<br /> <br /> <br /> Tested on RTL8187BvE device.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iwlwifi: Add missing check for alloc_ordered_workqueue<br /> <br /> Add check for the return value of alloc_ordered_workqueue since it may<br /> return NULL pointer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath11k: clear initialized flag for deinit-ed srng lists<br /> <br /> In a number of cases we see kernel panics on resume due<br /> to ath11k kernel page fault, which happens under the<br /> following circumstances:<br /> <br /> 1) First ath11k_hal_dump_srng_stats() call<br /> <br /> Last interrupt received for each group:<br /> ath11k_pci 0000:01:00.0: group_id 0 22511ms before<br /> ath11k_pci 0000:01:00.0: group_id 1 14440788ms before<br /> [..]<br /> ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..<br /> ath11k_pci 0000:01:00.0: Service connect timeout<br /> ath11k_pci 0000:01:00.0: failed to connect to HTT: -110<br /> ath11k_pci 0000:01:00.0: failed to start core: -110<br /> ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM<br /> ath11k_pci 0000:01:00.0: already resetting count 2<br /> ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110<br /> ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110<br /> ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery<br /> [..]<br /> <br /> 2) At this point reconfiguration fails (we have 2 resets) and<br /> ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()<br /> which destroys srng lists. However, it does not reset per-list<br /> -&gt;initialized flag.<br /> <br /> 3) Second ath11k_hal_dump_srng_stats() call sees stale -&gt;initialized<br /> flag and attempts to dump srng stats:<br /> <br /> Last interrupt received for each group:<br /> ath11k_pci 0000:01:00.0: group_id 0 66785ms before<br /> ath11k_pci 0000:01:00.0: group_id 1 14485062ms before<br /> ath11k_pci 0000:01:00.0: group_id 2 14485062ms before<br /> ath11k_pci 0000:01:00.0: group_id 3 14485062ms before<br /> ath11k_pci 0000:01:00.0: group_id 4 14780845ms before<br /> ath11k_pci 0000:01:00.0: group_id 5 14780845ms before<br /> ath11k_pci 0000:01:00.0: group_id 6 14485062ms before<br /> ath11k_pci 0000:01:00.0: group_id 7 66814ms before<br /> ath11k_pci 0000:01:00.0: group_id 8 68997ms before<br /> ath11k_pci 0000:01:00.0: group_id 9 67588ms before<br /> ath11k_pci 0000:01:00.0: group_id 10 69511ms before<br /> BUG: unable to handle page fault for address: ffffa007404eb010<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0<br /> Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]<br /> Call Trace:<br /> <br /> ? __die_body+0xae/0xb0<br /> ? page_fault_oops+0x381/0x3e0<br /> ? exc_page_fault+0x69/0xa0<br /> ? asm_exc_page_fault+0x22/0x30<br /> ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]<br /> ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]<br /> worker_thread+0x389/0x930<br /> kthread+0x149/0x170<br /> <br /> Clear per-list -&gt;initialized flag in ath11k_hal_srng_deinit().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath12k: Avoid accessing uninitialized arvif-&gt;ar during beacon miss<br /> <br /> During beacon miss handling, ath12k driver iterates over active virtual<br /> interfaces (vifs) and attempts to access the radio object (ar) via<br /> arvif-&gt;deflink-&gt;ar.<br /> <br /> However, after commit aa80f12f3bed ("wifi: ath12k: defer vdev creation for<br /> MLO"), arvif is linked to a radio only after vdev creation, typically when<br /> a channel is assigned or a scan is requested.<br /> For P2P capable devices, a default P2P interface is created by<br /> wpa_supplicant along with regular station interfaces, these serve as dummy<br /> interfaces for P2P-capable stations, lack an associated netdev and initiate<br /> frequent scans to discover neighbor p2p devices. When a scan is initiated<br /> on such P2P vifs, driver selects destination radio (ar) based on scan<br /> frequency, creates a scan vdev, and attaches arvif to the radio. Once the<br /> scan completes or is aborted, the scan vdev is deleted, detaching arvif<br /> from the radio and leaving arvif-&gt;ar uninitialized.<br /> <br /> While handling beacon miss for station interfaces, P2P interface is also<br /> encountered in the vif iteration and ath12k_mac_handle_beacon_miss_iter()<br /> tries to dereference the uninitialized arvif-&gt;deflink-&gt;ar.<br /> <br /> Fix this by verifying that vdev is created for the arvif before accessing<br /> its ar during beacon miss handling and similar vif iterator callbacks.<br /> <br /> ==========================================================================<br /> wlp6s0: detected beacon loss from AP (missed 7 beacons) - probing<br /> KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]<br /> <br /> CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc1-wt-ath+ #2 PREEMPT(full)<br /> RIP: 0010:ath12k_mac_handle_beacon_miss_iter+0xb5/0x1a0 [ath12k]<br /> Call Trace:<br /> __iterate_interfaces+0x11a/0x410 [mac80211]<br /> ieee80211_iterate_active_interfaces_atomic+0x61/0x140 [mac80211]<br /> ath12k_mac_handle_beacon_miss+0xa1/0xf0 [ath12k]<br /> ath12k_roam_event+0x393/0x560 [ath12k]<br /> ath12k_wmi_op_rx+0x1486/0x28c0 [ath12k]<br /> ath12k_htc_process_trailer.isra.0+0x2fb/0x620 [ath12k]<br /> ath12k_htc_rx_completion_handler+0x448/0x830 [ath12k]<br /> ath12k_ce_recv_process_cb+0x549/0x9e0 [ath12k]<br /> ath12k_ce_per_engine_service+0xbe/0xf0 [ath12k]<br /> ath12k_pci_ce_workqueue+0x69/0x120 [ath12k]<br /> process_one_work+0xe3a/0x1430<br /> <br /> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1<br /> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284.1-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mt76: mt7925: fix off by one in mt7925_mcu_hw_scan()<br /> <br /> The ssid-&gt;ssids[] and sreq-&gt;ssids[] arrays have MT7925_RNR_SCAN_MAX_BSSIDS<br /> elements so this &gt;= needs to be &gt; to prevent an out of bounds access.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath12k: Pass ab pointer directly to ath12k_dp_tx_get_encap_type()<br /> <br /> In ath12k_dp_tx_get_encap_type(), the arvif parameter is only used to<br /> retrieve the ab pointer. In vdev delete sequence the arvif-&gt;ar could<br /> become NULL and that would trigger kernel panic.<br /> Since the caller ath12k_dp_tx() already has a valid ab pointer, pass it<br /> directly to avoid panic and unnecessary dereferencing.<br /> <br /> PC points to "ath12k_dp_tx+0x228/0x988 [ath12k]"<br /> LR points to "ath12k_dp_tx+0xc8/0x988 [ath12k]".<br /> The Backtrace obtained is as follows:<br /> ath12k_dp_tx+0x228/0x988 [ath12k]<br /> ath12k_mac_tx_check_max_limit+0x608/0x920 [ath12k]<br /> ieee80211_process_measurement_req+0x320/0x348 [mac80211]<br /> ieee80211_tx_dequeue+0x9ac/0x1518 [mac80211]<br /> ieee80211_tx_dequeue+0xb14/0x1518 [mac80211]<br /> ieee80211_tx_prepare_skb+0x224/0x254 [mac80211]<br /> ieee80211_xmit+0xec/0x100 [mac80211]<br /> __ieee80211_subif_start_xmit+0xc50/0xf40 [mac80211]<br /> ieee80211_subif_start_xmit+0x2e8/0x308 [mac80211]<br /> netdev_start_xmit+0x150/0x18c<br /> dev_hard_start_xmit+0x74/0xc0<br /> <br /> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/vt-d: Fix UAF on sva unbind with pending IOPFs<br /> <br /> Commit 17fce9d2336d ("iommu/vt-d: Put iopf enablement in domain attach<br /> path") disables IOPF on device by removing the device from its IOMMU&amp;#39;s<br /> IOPF queue when the last IOPF-capable domain is detached from the device.<br /> Unfortunately, it did this in a wrong place where there are still pending<br /> IOPFs. As a result, a use-after-free error is potentially triggered and<br /> eventually a kernel panic with a kernel trace similar to the following:<br /> <br /> refcount_t: underflow; use-after-free.<br /> WARNING: CPU: 3 PID: 313 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0<br /> Workqueue: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf<br /> Call Trace:<br /> <br /> iopf_free_group+0xe/0x20<br /> process_one_work+0x197/0x3d0<br /> worker_thread+0x23a/0x350<br /> ? rescuer_thread+0x4a0/0x4a0<br /> kthread+0xf8/0x230<br /> ? finish_task_switch.isra.0+0x81/0x260<br /> ? kthreads_online_cpu+0x110/0x110<br /> ? kthreads_online_cpu+0x110/0x110<br /> ret_from_fork+0x13b/0x170<br /> ? kthreads_online_cpu+0x110/0x110<br /> ret_from_fork_asm+0x11/0x20<br /> <br /> ---[ end trace 0000000000000000 ]---<br /> <br /> The intel_pasid_tear_down_entry() function is responsible for blocking<br /> hardware from generating new page faults and flushing all in-flight<br /> ones. Therefore, moving iopf_for_domain_remove() after this function<br /> should resolve this.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xen: fix UAF in dmabuf_exp_from_pages()<br /> <br /> [dma_buf_fd() fixes; no preferences regarding the tree it goes through -<br /> up to xen folks]<br /> <br /> As soon as we&amp;#39;d inserted a file reference into descriptor table, another<br /> thread could close it. That&amp;#39;s fine for the case when all we are doing is<br /> returning that descriptor to userland (it&amp;#39;s a race, but it&amp;#39;s a userland<br /> race and there&amp;#39;s nothing the kernel can do about it). However, if we<br /> follow fd_install() with any kind of access to objects that would be<br /> destroyed on close (be it the struct file itself or anything destroyed<br /> by its -&gt;release()), we have a UAF.<br /> <br /> dma_buf_fd() is a combination of reserving a descriptor and fd_install().<br /> gntdev dmabuf_exp_from_pages() calls it and then proceeds to access the<br /> objects destroyed on close - starting with gntdev_dmabuf itself.<br /> <br /> Fix that by doing reserving descriptor before anything else and do<br /> fd_install() only when everything had been set up.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code<br /> <br /> The object is potentially already gone after the drm_gem_object_put().<br /> In general the object should be fully constructed before calling<br /> drm_gem_handle_create(), except the debugfs tracking uses a separate<br /> lock and list and separate flag to denotate whether the object is<br /> actually initialized.<br /> <br /> Since I&amp;#39;m touching this all anyway simplify this by only adding the<br /> object to the debugfs when it&amp;#39;s ready for that, which allows us to<br /> delete that separate flag. panthor_gem_debugfs_bo_rm() already checks<br /> whether we&amp;#39;ve actually been added to the list or this is some error<br /> path cleanup.<br /> <br /> v2: Fix build issues for !CONFIG_DEBUGFS (Adrián)<br /> <br /> v3: Add linebreak and remove outdated comment (Liviu)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port<br /> <br /> Each window of a vop2 is usable by a specific set of video ports, so while<br /> binding the vop2, we look through the list of available windows trying to<br /> find one designated as primary-plane and usable by that specific port.<br /> <br /> The code later wants to use drm_crtc_init_with_planes with that found<br /> primary plane, but nothing has checked so far if a primary plane was<br /> actually found.<br /> <br /> For whatever reason, the rk3576 vp2 does not have a usable primary window<br /> (if vp0 is also in use) which brought the issue to light and ended in a<br /> null-pointer dereference further down.<br /> <br /> As we expect a primary-plane to exist for a video-port, add a check at<br /> the end of the window-iteration and fail probing if none was found.