Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211: mlme: fix null-ptr deref on failed assoc<br /> <br /> If association to an AP without a link 0 fails, then we crash in<br /> tracing because it assumes that either ap_mld_addr or link 0 BSS<br /> is valid, since we clear sdata-&gt;vif.valid_links and then don&amp;#39;t<br /> add the ap_mld_addr to the struct.<br /> <br /> Since we clear also sdata-&gt;vif.cfg.ap_addr, keep a local copy of<br /> it and assign it earlier, before clearing valid_links, to fix<br /> this.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Fix potential null-deref in dm_resume<br /> <br /> [Why]<br /> Fixing smatch error:<br /> dm_resume() error: we previously assumed &amp;#39;aconnector-&gt;dc_link&amp;#39; could be null<br /> <br /> [How]<br /> Check if dc_link null at the beginning of the loop,<br /> so further checks can be dropped.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm thin: Use last transaction&amp;#39;s pmd-&gt;root when commit failed<br /> <br /> Recently we found a softlock up problem in dm thin pool btree lookup<br /> code due to corrupted metadata:<br /> <br /> Kernel panic - not syncing: softlockup: hung tasks<br /> CPU: 7 PID: 2669225 Comm: kworker/u16:3<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)<br /> Workqueue: dm-thin do_worker [dm_thin_pool]<br /> Call Trace:<br /> <br /> dump_stack+0x9c/0xd3<br /> panic+0x35d/0x6b9<br /> watchdog_timer_fn.cold+0x16/0x25<br /> __run_hrtimer+0xa2/0x2d0<br /> <br /> RIP: 0010:__relink_lru+0x102/0x220 [dm_bufio]<br /> __bufio_new+0x11f/0x4f0 [dm_bufio]<br /> new_read+0xa3/0x1e0 [dm_bufio]<br /> dm_bm_read_lock+0x33/0xd0 [dm_persistent_data]<br /> ro_step+0x63/0x100 [dm_persistent_data]<br /> btree_lookup_raw.constprop.0+0x44/0x220 [dm_persistent_data]<br /> dm_btree_lookup+0x16f/0x210 [dm_persistent_data]<br /> dm_thin_find_block+0x12c/0x210 [dm_thin_pool]<br /> __process_bio_read_only+0xc5/0x400 [dm_thin_pool]<br /> process_thin_deferred_bios+0x1a4/0x4a0 [dm_thin_pool]<br /> process_one_work+0x3c5/0x730<br /> <br /> Following process may generate a broken btree mixed with fresh and<br /> stale btree nodes, which could get dm thin trapped in an infinite loop<br /> while looking up data block:<br /> Transaction 1: pmd-&gt;root = A, A-&gt;B-&gt;C // One path in btree<br /> pmd-&gt;root = X, X-&gt;Y-&gt;Z // Copy-up<br /> Transaction 2: X,Z is updated on disk, Y write failed.<br /> // Commit failed, dm thin becomes read-only.<br /> process_bio_read_only<br /> dm_thin_find_block<br /> __find_block<br /> dm_btree_lookup(pmd-&gt;root)<br /> The pmd-&gt;root points to a broken btree, Y may contain stale node<br /> pointing to any block, for example X, which gets dm thin trapped into<br /> a dead loop while looking up Z.<br /> <br /> Fix this by setting pmd-&gt;root in __open_metadata(), so that dm thin<br /> will use the last transaction&amp;#39;s pmd-&gt;root if commit failed.<br /> <br /> Fetch a reproducer in [Link].<br /> <br /> Linke: https://bugzilla.kernel.org/show_bug.cgi?id=216790

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mcb: mcb-parse: fix error handing in chameleon_parse_gdd()<br /> <br /> If mcb_device_register() returns error in chameleon_parse_gdd(), the refcount<br /> of bus and device name are leaked. Fix this by calling put_device() to give up<br /> the reference, so they can be released in mcb_release_dev() and kobject_cleanup().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/mediatek: Check return value after calling platform_get_resource()<br /> <br /> platform_get_resource() may return NULL pointer, we need check its<br /> return value to avoid null-ptr-deref in resource_size().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: rockchip: Fix memory leak in rockchip_clk_register_pll()<br /> <br /> If clk_register() fails, @pll-&gt;rate_table may have allocated memory by<br /> kmemdup(), so it needs to be freed, otherwise will cause memory leak<br /> issue, this patch fixes it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/msm/dp: fix memory corruption with too many bridges<br /> <br /> Add the missing sanity check on the bridge counter to avoid corrupting<br /> data beyond the fixed-sized bridge array in case there are ever more<br /> than eight bridges.<br /> <br /> Patchwork: https://patchwork.freedesktop.org/patch/502664/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()<br /> <br /> The fsl_pamu_probe() returns directly when create_csd() failed, leaving<br /> irq and memories unreleased.<br /> Fix by jumping to error if create_csd() returns error.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: Fix size validation for non-exclusive domains (v4)<br /> <br /> Fix amdgpu_bo_validate_size() to check whether the TTM domain manager for the<br /> requested memory exists, else we get a kernel oops when dereferencing "man".<br /> <br /> v2: Make the patch standalone, i.e. not dependent on local patches.<br /> v3: Preserve old behaviour and just check that the manager pointer is not<br /> NULL.<br /> v4: Complain if GTT domain requested and it is uninitialized--most likely a<br /> bug.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdkfd: Fix memory leakage<br /> <br /> This patch fixes potential memory leakage and seg fault<br /> in _gpuvm_import_dmabuf() function

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> test_firmware: fix memory leak in test_firmware_init()<br /> <br /> When misc_register() failed in test_firmware_init(), the memory pointed<br /> by test_fw_config-&gt;name is not released. The memory leak information is<br /> as follows:<br /> unreferenced object 0xffff88810a34cb00 (size 32):<br /> comm "insmod", pid 7952, jiffies 4294948236 (age 49.060s)<br /> hex dump (first 32 bytes):<br /> 74 65 73 74 2d 66 69 72 6d 77 61 72 65 2e 62 69 test-firmware.bi<br /> 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 n...............<br /> backtrace:<br /> [] __kmalloc_node_track_caller+0x4b/0xc0<br /> [] kstrndup+0x46/0xc0<br /> [] __test_firmware_config_init+0x29/0x380 [test_firmware]<br /> [] 0xffffffffa040f068<br /> [] do_one_initcall+0x141/0x780<br /> [] do_init_module+0x1c3/0x630<br /> [] load_module+0x623e/0x76a0<br /> [] __do_sys_finit_module+0x181/0x240<br /> [] do_syscall_64+0x39/0xb0<br /> [] entry_SYSCALL_64_after_hwframe+0x63/0xcd

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()<br /> <br /> If construction of the array of work queues to handle hpd_rx_irq offload<br /> work fails, we need to unwind. Destroy all the created workqueues and<br /> the allocated memory for the hpd_rx_irq_offload_work_queue struct array.