Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we provide a database for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list shows vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-50885

Publication date:
30/12/2025
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed

There is a null-ptr-deref when mount.cifs over rdma:

BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]
Read of size 8 at addr 0000000000000018 by task mount.cifs/3046

CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3
Call Trace:
dump_stack_lvl+0x34/0x44
kasan_report+0xad/0x130
rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]
execute_in_process_context+0x25/0x90
__rxe_cleanup+0x101/0x1d0 [rdma_rxe]
rxe_create_qp+0x16a/0x180 [rdma_rxe]
create_qp.part.0+0x27d/0x340
ib_create_qp_kernel+0x73/0x160
rdma_create_qp+0x100/0x230
_smbd_get_connection+0x752/0x20f0
smbd_get_connection+0x21/0x40
cifs_get_tcp_session+0x8ef/0xda0
mount_get_conns+0x60/0x750
cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0
smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0
path_mount+0x9b3/0xdd0
__x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0

The root cause of the issue is the socket create failed in rxe_qp_init_req().

So move the reset rxe_qp_do_cleanup() after the NULL ptr check.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2022-50886

Publication date:
30/12/2025
In the Linux kernel, the following vulnerability has been resolved:

mmc: toshsd: fix return value check of mmc_add_host()

mmc_add_host() may return an error; if we ignore its return value, the memory allocated in mmc_alloc_host() will be leaked and it will lead to a kernel crash because of deleting a not-added device in the remove path.

So fix this by checking the return value and going to the error path, which will call mmc_free_host(); besides, free_irq() also needs to be called.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2022-50887

Publication date:
30/12/2025
In the Linux kernel, the following vulnerability has been resolved:

regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()

I got the following report:

OF: ERROR: memory leak, expected refcount 1 instead of 2,
of_node_get()/of_node_put() unbalanced - destroy cset entry:
attach overlay node /i2c/pmic@62/regulators/exten

In of_get_regulator(), the node is returned from of_parse_phandle() with refcount incremented; after using it, of_node_put() needs to be called.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2022-50888

Publication date:
30/12/2025
In the Linux kernel, the following vulnerability has been resolved:

remoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio()

q6v5_wcss_init_mmio() will call platform_get_resource_byname() that may fail and return NULL. devm_ioremap() will use res->start as input, which may cause a null-ptr-deref. Check the ret value of platform_get_resource_byname() to avoid the null-ptr-deref.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2022-50883

Publication date:
30/12/2025
In the Linux kernel, the following vulnerability has been resolved:

bpf: Prevent decl_tag from being referenced in func_proto arg

Syzkaller managed to hit another decl_tag issue:

btf_func_proto_check kernel/bpf/btf.c:4506 [inline]
btf_check_all_types kernel/bpf/btf.c:4734 [inline]
btf_parse_type_sec+0x1175/0x1980 kernel/bpf/btf.c:4763
btf_parse kernel/bpf/btf.c:5042 [inline]
btf_new_fd+0x65a/0xb00 kernel/bpf/btf.c:6709
bpf_btf_load+0x6f/0x90 kernel/bpf/syscall.c:4342
__sys_bpf+0x50a/0x6c0 kernel/bpf/syscall.c:5034
__do_sys_bpf kernel/bpf/syscall.c:5093 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5091 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5091
do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48

This seems similar to commit ea68376c8bed ("bpf: prevent decl_tag from being referenced in func_proto") but for the argument.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2026

CVE-2022-50871

Publication date:
30/12/2025
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: Fix qmi_msg_handler data structure initialization

qmi_msg_handler is required to be null terminated by the QMI module. There might be a case where a handler for a msg id is not present in the handlers array, which can lead to an infinite loop while searching for the handler and therefore an out-of-bounds access in qmi_invoke_handler(). Hence update the initialization in the qmi_msg_handler data structure.

Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2022-50872

Publication date:
30/12/2025
In the Linux kernel, the following vulnerability has been resolved:

ARM: OMAP2+: Fix memory leak in realtime_counter_init()

The "sys_clk" resource is malloced by clk_get(); it is not released when the function returns.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2022-50873

Publication date:
30/12/2025
In the Linux kernel, the following vulnerability has been resolved:

vdpa/vp_vdpa: fix kfree a wrong pointer in vp_vdpa_remove

In vp_vdpa_remove(), the code kfree(&vp_vdpa_mgtdev->mgtdev.id_table) uses a reference of the pointer as the argument of kfree, which is the wrong pointer and then may hit a crash like this:

Unable to handle kernel paging request at virtual address 00ffff003363e30c
Internal error: Oops: 96000004 [#1] SMP
Call trace:
rb_next+0x20/0x5c
ext4_readdir+0x494/0x5c4 [ext4]
iterate_dir+0x168/0x1b4
__se_sys_getdents64+0x68/0x170
__arm64_sys_getdents64+0x24/0x30
el0_svc_common.constprop.0+0x7c/0x1bc
do_el0_svc+0x2c/0x94
el0_svc+0x20/0x30
el0_sync_handler+0xb0/0xb4
el0_sync+0x160/0x180
Code: 54000220 f9400441 b4000161 aa0103e0 (f9400821)
SMP: stopping secondary CPUs
Starting crashdump kernel...
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2022-50874

Publication date:
30/12/2025
In the Linux kernel, the following vulnerability has been resolved:

RDMA/erdma: Fix refcount leak in erdma_mmap

rdma_user_mmap_entry_get() takes a reference; we should release it when it is not needed anymore. Add the missing rdma_user_mmap_entry_put() in the error path to fix it.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2022-50875

Publication date:
30/12/2025
In the Linux kernel, the following vulnerability has been resolved:

of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop()

When kmalloc() fails to allocate memory in kasprintf(), fn_1 or fn_2 will be NULL, and strcmp() will cause a null pointer dereference.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2022-50876

Publication date:
30/12/2025
In the Linux kernel, the following vulnerability has been resolved:

usb: musb: Fix musb_gadget.c rxstate overflow bug

The usb function device calls musb_gadget_queue(), which adds the passed request to musb_ep::req_list. If (request->length > musb_ep->packet_sz) and (is_buffer_mapped(req) returns false), rxstate() will copy all data in the fifo to request->buf, which may cause request->buf to go out of bounds.

Fix it by adding the length check:
fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2022-50877

Publication date:
30/12/2025
In the Linux kernel, the following vulnerability has been resolved:

net: broadcom: bcm4908_enet: update TX stats after actual transmission

Queueing packets doesn't guarantee their transmission. Update TX stats after hardware confirms consuming submitted data.

This also fixes a possible race and NULL dereference. bcm4908_enet_start_xmit() could try to access skb after freeing it in the bcm4908_enet_poll_tx().
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025