Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> soc/tegra: pmc: Fix unsafe generic_handle_irq() call<br /> <br /> Currently, when resuming from system suspend on Tegra platforms,<br /> the following warning is observed:<br /> <br /> WARNING: CPU: 0 PID: 14459 at kernel/irq/irqdesc.c:666<br /> Call trace:<br /> handle_irq_desc+0x20/0x58 (P)<br /> tegra186_pmc_wake_syscore_resume+0xe4/0x15c<br /> syscore_resume+0x3c/0xb8<br /> suspend_devices_and_enter+0x510/0x540<br /> pm_suspend+0x16c/0x1d8<br /> <br /> The warning occurs because generic_handle_irq() is being called from<br /> a non-interrupt context which is considered as unsafe.<br /> <br /> Fix this warning by deferring generic_handle_irq() call to an IRQ work<br /> which gets executed in hard IRQ context where generic_handle_irq()<br /> can be called safely.<br /> <br /> When PREEMPT_RT kernels are used, regular IRQ work (initialized with<br /> init_irq_work) is deferred to run in per-CPU kthreads in preemptible<br /> context rather than hard IRQ context. Hence, use the IRQ_WORK_INIT_HARD<br /> variant so that with PREEMPT_RT kernels, the IRQ work is processed in<br /> hardirq context instead of being deferred to a thread which is required<br /> for calling generic_handle_irq().<br /> <br /> On non-PREEMPT_RT kernels, both init_irq_work() and IRQ_WORK_INIT_HARD()<br /> execute in IRQ context, so this change has no functional impact for<br /> standard kernel configurations.<br /> <br /> [treding@nvidia.com: miscellaneous cleanups]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: verisilicon: Avoid G2 bus error while decoding H.264 and HEVC<br /> <br /> For the i.MX8MQ platform, there is a hardware limitation: the g1 VPU and<br /> g2 VPU cannot decode simultaneously; otherwise, it will cause below bus<br /> error and produce corrupted pictures, even potentially lead to system hang.<br /> <br /> [ 110.527986] hantro-vpu 38310000.video-codec: frame decode timed out.<br /> [ 110.583517] hantro-vpu 38310000.video-codec: bus error detected.<br /> <br /> Therefore, it is necessary to ensure that g1 and g2 operate alternately.<br /> This allows for successful multi-instance decoding of H.264 and HEVC.<br /> <br /> To achieve this, g1 and g2 share the same v4l2_m2m_dev, and then the<br /> v4l2_m2m_dev can handle the scheduling.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> md raid: fix hang when stopping arrays with metadata through dm-raid<br /> <br /> When using device-mapper&amp;#39;s dm-raid target, stopping a RAID array can cause<br /> the system to hang under specific conditions.<br /> <br /> This occurs when:<br /> <br /> - A dm-raid managed device tree is suspended from top to bottom<br /> (the top-level RAID device is suspended first, followed by its<br /> underlying metadata and data devices)<br /> <br /> - The top-level RAID device is then removed<br /> <br /> Removing the top-level device triggers a hang in the following sequence:<br /> the dm-raid destructor calls md_stop(), which tries to flush the<br /> write-intent bitmap by writing to the metadata sub-devices. However, these<br /> devices are already suspended, making them unable to complete the write-intent<br /> operations and causing an indefinite block.<br /> <br /> Fix:<br /> <br /> - Prevent bitmap flushing when md_stop() is called from dm-raid<br /> destructor context<br /> and avoid a quiescing/unquescing cycle which could also cause I/O<br /> <br /> - Still allow write-intent bitmap flushing when called from dm-raid<br /> suspend context<br /> <br /> This ensures that RAID array teardown can complete successfully even when the<br /> underlying devices are in a suspended state.<br /> <br /> This second patch uses md_is_rdwr() to distinguish between suspend and<br /> destructor paths as elaborated on above.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: don&amp;#39;t BUG() on unexpected delayed ref type in run_one_delayed_ref()<br /> <br /> There is no need to BUG(), we can just return an error and log an error<br /> message.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: accel: adxl380: Avoid reading more entries than present in FIFO<br /> <br /> The interrupt handler reads FIFO entries in batches of N samples, where N<br /> is the number of scan elements that have been enabled. However, the sensor<br /> fills the FIFO one sample at a time, even when more than one channel is<br /> enabled. Therefore,the number of entries reported by the FIFO status<br /> registers may not be a multiple of N; if this number is not a multiple, the<br /> number of entries read from the FIFO may exceed the number of entries<br /> actually present.<br /> <br /> To fix the above issue, round down the number of FIFO entries read from the<br /> status registers so that it is always a multiple of N.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: crypto: Use the correct destructor kfunc type<br /> <br /> With CONFIG_CFI enabled, the kernel strictly enforces that indirect<br /> function calls use a function pointer type that matches the target<br /> function. I ran into the following type mismatch when running BPF<br /> self-tests:<br /> <br /> CFI failure at bpf_obj_free_fields+0x190/0x238 (target:<br /> bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)<br /> Internal error: Oops - CFI: 00000000f2008228 [#1] SMP<br /> ...<br /> <br /> As bpf_crypto_ctx_release() is also used in BPF programs and using<br /> a void pointer as the argument would make the verifier unhappy, add<br /> a simple stub function with the correct type and register it as the<br /> destructor kfunc instead.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Fix mismatched unlock for DMUB HW lock in HWSS fast path<br /> <br /> [Why]<br /> The evaluation for whether we need to use the DMUB HW lock isn&amp;#39;t the<br /> same as whether we need to unlock which results in a hang when the<br /> fast path is used for ASIC without FAMS support.<br /> <br /> [How]<br /> Store a flag that indicates whether we should use the lock and use<br /> that same flag to specify whether unlocking is needed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: define and enforce CEPH_MAX_KEY_LEN<br /> <br /> When decoding the key, verify that the key material would fit into<br /> a fixed-size buffer in process_auth_done() and generally has a sane<br /> length.<br /> <br /> The new CEPH_MAX_KEY_LEN check replaces the existing check for a key<br /> with no key material which is a) not universal since CEPH_CRYPTO_NONE<br /> has to be excluded and b) doesn&amp;#39;t provide much value since a smaller<br /> than needed key is just as invalid as no key -- this has to be handled<br /> elsewhere anyway.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/page_alloc: clear page-&gt;private in free_pages_prepare()<br /> <br /> Several subsystems (slub, shmem, ttm, etc.) use page-&gt;private but don&amp;#39;t<br /> clear it before freeing pages. When these pages are later allocated as<br /> high-order pages and split via split_page(), tail pages retain stale<br /> page-&gt;private values.<br /> <br /> This causes a use-after-free in the swap subsystem. The swap code uses<br /> page-&gt;private to track swap count continuations, assuming freshly<br /> allocated pages have page-&gt;private == 0. When stale values are present,<br /> swap_count_continued() incorrectly assumes the continuation list is valid<br /> and iterates over uninitialized page-&gt;lru containing LIST_POISON values,<br /> causing a crash:<br /> <br /> KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]<br /> RIP: 0010:__do_sys_swapoff+0x1151/0x1860<br /> <br /> Fix this by clearing page-&gt;private in free_pages_prepare(), ensuring all<br /> freed pages have clean state regardless of previous use.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/v3d: Set DMA segment size to avoid debug warnings<br /> <br /> When using V3D rendering with CONFIG_DMA_API_DEBUG enabled, the<br /> kernel occasionally reports a segment size mismatch. This is because<br /> &amp;#39;max_seg_size&amp;#39; is not set. The kernel defaults to 64K. setting<br /> &amp;#39;max_seg_size&amp;#39; to the maximum will prevent &amp;#39;debug_dma_map_sg()&amp;#39;<br /> from complaining about the over-mapping of the V3D segment length.<br /> <br /> DMA-API: v3d 1002000000.v3d: mapping sg segment longer than device<br /> claims to support [len=8290304] [max=65536]<br /> WARNING: CPU: 0 PID: 493 at kernel/dma/debug.c:1179 debug_dma_map_sg+0x330/0x388<br /> CPU: 0 UID: 0 PID: 493 Comm: Xorg Not tainted 6.12.53-yocto-standard #1<br /> Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT)<br /> pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : debug_dma_map_sg+0x330/0x388<br /> lr : debug_dma_map_sg+0x330/0x388<br /> sp : ffff8000829a3ac0<br /> x29: ffff8000829a3ac0 x28: 0000000000000001 x27: ffff8000813fe000<br /> x26: ffffc1ffc0000000 x25: ffff00010fdeb760 x24: 0000000000000000<br /> x23: ffff8000816a9bf0 x22: 0000000000000001 x21: 0000000000000002<br /> x20: 0000000000000002 x19: ffff00010185e810 x18: ffffffffffffffff<br /> x17: 69766564206e6168 x16: 74207265676e6f6c x15: 20746e656d676573<br /> x14: 20677320676e6970 x13: 5d34303334393134 x12: 0000000000000000<br /> x11: 00000000000000c0 x10: 00000000000009c0 x9 : ffff8000800e0b7c<br /> x8 : ffff00010a315ca0 x7 : ffff8000816a5110 x6 : 0000000000000001<br /> x5 : 000000000000002b x4 : 0000000000000002 x3 : 0000000000000008<br /> x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00010a315280<br /> Call trace:<br /> debug_dma_map_sg+0x330/0x388<br /> __dma_map_sg_attrs+0xc0/0x278<br /> dma_map_sgtable+0x30/0x58<br /> drm_gem_shmem_get_pages_sgt+0xb4/0x140<br /> v3d_bo_create_finish+0x28/0x130 [v3d]<br /> v3d_create_bo_ioctl+0x54/0x180 [v3d]<br /> drm_ioctl_kernel+0xc8/0x140<br /> drm_ioctl+0x2d4/0x4d8

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: chips-media: wave5: Fix PM runtime usage count underflow<br /> <br /> Replace pm_runtime_put_sync() with pm_runtime_dont_use_autosuspend() in<br /> the remove path to properly pair with pm_runtime_use_autosuspend() from<br /> probe. This allows pm_runtime_disable() to handle reference count cleanup<br /> correctly regardless of current suspend state.<br /> <br /> The driver calls pm_runtime_put_sync() unconditionally in remove, but the<br /> device may already be suspended due to autosuspend configured in probe.<br /> When autosuspend has already suspended the device, the usage count is 0,<br /> and pm_runtime_put_sync() decrements it to -1.<br /> <br /> This causes the following warning on module unload:<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 1 PID: 963 at kernel/kthread.c:1430<br /> kthread_destroy_worker+0x84/0x98<br /> ...<br /> vdec 30210000.video-codec: Runtime PM usage count underflow!

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/panel: Fix a possible null-pointer dereference in jdi_panel_dsi_remove()<br /> <br /> In jdi_panel_dsi_remove(), jdi is explicitly checked, indicating that it<br /> may be NULL:<br /> <br /> if (!jdi)<br /> mipi_dsi_detach(dsi);<br /> <br /> However, when jdi is NULL, the function does not return and continues by<br /> calling jdi_panel_disable():<br /> <br /> err = jdi_panel_disable(&amp;jdi-&gt;base);<br /> <br /> Inside jdi_panel_disable(), jdi is dereferenced unconditionally, which can<br /> lead to a NULL-pointer dereference:<br /> <br /> struct jdi_panel *jdi = to_panel_jdi(panel);<br /> backlight_disable(jdi-&gt;backlight);<br /> <br /> To prevent such a potential NULL-pointer dereference, return early from<br /> jdi_panel_dsi_remove() when jdi is NULL.