Vulnerabilities

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: host: ohci-ppc-of: Fix refcount leak bug<br /> <br /> In ohci_hcd_ppc_of_probe(), of_find_compatible_node() will return<br /> a node pointer with refcount incremented. We should use of_node_put()<br /> when it is not used anymore.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: cdns3 fix use-after-free at workaround 2<br /> <br /> BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xac<br /> <br /> cdns3_wa2_remove_old_request()<br /> {<br /> ...<br /> kfree(priv_req-&gt;request.buf);<br /> cdns3_gadget_ep_free_request(&amp;priv_ep-&gt;endpoint, &amp;priv_req-&gt;request);<br /> list_del_init(&amp;priv_req-&gt;list);<br /> ^^^ use after free<br /> ...<br /> }<br /> <br /> cdns3_gadget_ep_free_request() free the space pointed by priv_req,<br /> but priv_req is used in the following list_del_init().<br /> <br /> This patch move list_del_init() before cdns3_gadget_ep_free_request().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: Fix use-after-free on amdgpu_bo_list mutex<br /> <br /> If amdgpu_cs_vm_handling returns r != 0, then it will unlock the<br /> bo_list_mutex inside the function amdgpu_cs_vm_handling and again on<br /> amdgpu_cs_parser_fini. This problem results in the following<br /> use-after-free problem:<br /> <br /> [ 220.280990] ------------[ cut here ]------------<br /> [ 220.281000] refcount_t: underflow; use-after-free.<br /> [ 220.281019] WARNING: CPU: 1 PID: 3746 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110<br /> [ 220.281029] ------------[ cut here ]------------<br /> [ 220.281415] CPU: 1 PID: 3746 Comm: chrome:cs0 Tainted: G W L ------- --- 5.20.0-0.rc0.20220812git7ebfc85e2cd7.10.fc38.x86_64 #1<br /> [ 220.281421] Hardware name: System manufacturer System Product Name/ROG STRIX X570-I GAMING, BIOS 4403 04/27/2022<br /> [ 220.281426] RIP: 0010:refcount_warn_saturate+0xba/0x110<br /> [ 220.281431] Code: 01 01 e8 79 4a 6f 00 0f 0b e9 42 47 a5 00 80 3d de<br /> 7e be 01 00 75 85 48 c7 c7 f8 98 8e 98 c6 05 ce 7e be 01 01 e8 56 4a<br /> 6f 00 0b e9 1f 47 a5 00 80 3d b9 7e be 01 00 0f 85 5e ff ff ff 48<br /> c7<br /> [ 220.281437] RSP: 0018:ffffb4b0d18d7a80 EFLAGS: 00010282<br /> [ 220.281443] RAX: 0000000000000026 RBX: 0000000000000003 RCX: 0000000000000000<br /> [ 220.281448] RDX: 0000000000000001 RSI: ffffffff988d06dc RDI: 00000000ffffffff<br /> [ 220.281452] RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffb4b0d18d7930<br /> [ 220.281457] R10: 0000000000000003 R11: ffffa0672e2fffe8 R12: ffffa058ca360400<br /> [ 220.281461] R13: ffffa05846c50a18 R14: 00000000fffffe00 R15: 0000000000000003<br /> [ 220.281465] FS: 00007f82683e06c0(0000) GS:ffffa066e2e00000(0000) knlGS:0000000000000000<br /> [ 220.281470] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 220.281475] CR2: 00003590005cc000 CR3: 00000001fca46000 CR4: 0000000000350ee0<br /> [ 220.281480] Call Trace:<br /> [ 220.281485] <br /> [ 220.281490] amdgpu_cs_ioctl+0x4e2/0x2070 [amdgpu]<br /> [ 220.281806] ? amdgpu_cs_find_mapping+0xe0/0xe0 [amdgpu]<br /> [ 220.282028] drm_ioctl_kernel+0xa4/0x150<br /> [ 220.282043] drm_ioctl+0x21f/0x420<br /> [ 220.282053] ? amdgpu_cs_find_mapping+0xe0/0xe0 [amdgpu]<br /> [ 220.282275] ? lock_release+0x14f/0x460<br /> [ 220.282282] ? _raw_spin_unlock_irqrestore+0x30/0x60<br /> [ 220.282290] ? _raw_spin_unlock_irqrestore+0x30/0x60<br /> [ 220.282297] ? lockdep_hardirqs_on+0x7d/0x100<br /> [ 220.282305] ? _raw_spin_unlock_irqrestore+0x40/0x60<br /> [ 220.282317] amdgpu_drm_ioctl+0x4a/0x80 [amdgpu]<br /> [ 220.282534] __x64_sys_ioctl+0x90/0xd0<br /> [ 220.282545] do_syscall_64+0x5b/0x80<br /> [ 220.282551] ? futex_wake+0x6c/0x150<br /> [ 220.282568] ? lock_is_held_type+0xe8/0x140<br /> [ 220.282580] ? do_syscall_64+0x67/0x80<br /> [ 220.282585] ? lockdep_hardirqs_on+0x7d/0x100<br /> [ 220.282592] ? do_syscall_64+0x67/0x80<br /> [ 220.282597] ? do_syscall_64+0x67/0x80<br /> [ 220.282602] ? lockdep_hardirqs_on+0x7d/0x100<br /> [ 220.282609] entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> [ 220.282616] RIP: 0033:0x7f8282a4f8bf<br /> [ 220.282639] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10<br /> 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00<br /> 0f 05 c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00<br /> 00<br /> [ 220.282644] RSP: 002b:00007f82683df410 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br /> [ 220.282651] RAX: ffffffffffffffda RBX: 00007f82683df588 RCX: 00007f8282a4f8bf<br /> [ 220.282655] RDX: 00007f82683df4d0 RSI: 00000000c0186444 RDI: 0000000000000018<br /> [ 220.282659] RBP: 00007f82683df4d0 R08: 00007f82683df5e0 R09: 00007f82683df4b0<br /> [ 220.282663] R10: 00001d04000a0600 R11: 0000000000000246 R12: 00000000c0186444<br /> [ 220.282667] R13: 0000000000000018 R14: 00007f82683df588 R15: 0000000000000003<br /> [ 220.282689] <br /> [ 220.282693] irq event stamp: 6232311<br /> [ 220.282697] hardirqs last enabled at (6232319): [] __up_console_sem+0x5e/0x70<br /> [ 220.282704] hardirqs last disabled at (6232326): [] __up_console_sem+0x43/0x70<br /> [ 220.282709] softirqs last enabled at (6232072): [] __irq_exit_rcu+0xf9/0x170<br /> [ 220.282716] softirqs last disabled at (6232061): [

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gadgetfs: ep_io - wait until IRQ finishes<br /> <br /> after usb_ep_queue() if wait_for_completion_interruptible() is<br /> interrupted we need to wait until IRQ gets finished.<br /> <br /> Otherwise complete() from epio_complete() can corrupt stack.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: qcom: ipq8074: dont disable gcc_sleep_clk_src<br /> <br /> Once the usb sleep clocks are disabled, clock framework is trying to<br /> disable the sleep clock source also.<br /> <br /> However, it seems that it cannot be disabled and trying to do so produces:<br /> [ 245.436390] ------------[ cut here ]------------<br /> [ 245.441233] gcc_sleep_clk_src status stuck at &amp;#39;on&amp;#39;<br /> [ 245.441254] WARNING: CPU: 2 PID: 223 at clk_branch_wait+0x130/0x140<br /> [ 245.450435] Modules linked in: xhci_plat_hcd xhci_hcd dwc3 dwc3_qcom leds_gpio<br /> [ 245.456601] CPU: 2 PID: 223 Comm: sh Not tainted 5.18.0-rc4 #215<br /> [ 245.463889] Hardware name: Xiaomi AX9000 (DT)<br /> [ 245.470050] pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 245.474307] pc : clk_branch_wait+0x130/0x140<br /> [ 245.481073] lr : clk_branch_wait+0x130/0x140<br /> [ 245.485588] sp : ffffffc009f2bad0<br /> [ 245.489838] x29: ffffffc009f2bad0 x28: ffffff8003e6c800 x27: 0000000000000000<br /> [ 245.493057] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800226ef20<br /> [ 245.500175] x23: ffffffc0089ff550 x22: 0000000000000000 x21: ffffffc008476ad0<br /> [ 245.507294] x20: 0000000000000000 x19: ffffffc00965ac70 x18: fffffffffffc51a7<br /> [ 245.514413] x17: 68702e3030303837 x16: 3a6d726f6674616c x15: ffffffc089f2b777<br /> [ 245.521531] x14: ffffffc0095c9d18 x13: 0000000000000129 x12: 0000000000000129<br /> [ 245.528649] x11: 00000000ffffffea x10: ffffffc009621d18 x9 : 0000000000000001<br /> [ 245.535767] x8 : 0000000000000001 x7 : 0000000000017fe8 x6 : 0000000000000001<br /> [ 245.542885] x5 : ffffff803fdca6d8 x4 : 0000000000000000 x3 : 0000000000000027<br /> [ 245.550002] x2 : 0000000000000027 x1 : 0000000000000023 x0 : 0000000000000026<br /> [ 245.557122] Call trace:<br /> [ 245.564229] clk_branch_wait+0x130/0x140<br /> [ 245.566490] clk_branch2_disable+0x2c/0x40<br /> [ 245.570656] clk_core_disable+0x60/0xb0<br /> [ 245.574561] clk_core_disable+0x68/0xb0<br /> [ 245.578293] clk_disable+0x30/0x50<br /> [ 245.582113] dwc3_qcom_remove+0x60/0xc0 [dwc3_qcom]<br /> [ 245.585588] platform_remove+0x28/0x60<br /> [ 245.590361] device_remove+0x4c/0x80<br /> [ 245.594179] device_release_driver_internal+0x1dc/0x230<br /> [ 245.597914] device_driver_detach+0x18/0x30<br /> [ 245.602861] unbind_store+0xec/0x110<br /> [ 245.607027] drv_attr_store+0x24/0x40<br /> [ 245.610847] sysfs_kf_write+0x44/0x60<br /> [ 245.614405] kernfs_fop_write_iter+0x128/0x1c0<br /> [ 245.618052] new_sync_write+0xc0/0x130<br /> [ 245.622391] vfs_write+0x1d4/0x2a0<br /> [ 245.626123] ksys_write+0x58/0xe0<br /> [ 245.629508] __arm64_sys_write+0x1c/0x30<br /> [ 245.632895] invoke_syscall.constprop.0+0x5c/0x110<br /> [ 245.636890] do_el0_svc+0xa0/0x150<br /> [ 245.641488] el0_svc+0x18/0x60<br /> [ 245.644872] el0t_64_sync_handler+0xa4/0x130<br /> [ 245.647914] el0t_64_sync+0x174/0x178<br /> [ 245.652340] ---[ end trace 0000000000000000 ]---<br /> <br /> So, add CLK_IS_CRITICAL flag to the clock so that the kernel won&amp;#39;t try<br /> to disable the sleep clock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed user input<br /> <br /> Malformed user input to debugfs results in buffer overflow crashes. Adapt<br /> input string lengths to fit within internal buffers, leaving space for NULL<br /> terminators.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: renesas: Fix refcount leak bug<br /> <br /> In usbhs_rza1_hardware_init(), of_find_node_by_name() will return<br /> a node pointer with refcount incremented. We should use of_node_put()<br /> when it is not used anymore.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: dw-axi-dmac: do not print NULL LLI during error<br /> <br /> During debugging we have seen an issue where axi_chan_dump_lli()<br /> is passed a NULL LLI pointer which ends up causing an OOPS due<br /> to trying to get fields from it. Simply print NULL LLI and exit<br /> to avoid this.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl: Fix a memory leak in an error handling path<br /> <br /> A bitmap_zalloc() must be balanced by a corresponding bitmap_free() in the<br /> error handling path of afu_allocate_irqs().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> habanalabs/gaudi: fix shift out of bounds<br /> <br /> When validating NIC queues, queue offset calculation must be<br /> performed only for NIC queues.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: lpfc: Fix possible memory leak when failing to issue CMF WQE<br /> <br /> There is no corresponding free routine if lpfc_sli4_issue_wqe fails to<br /> issue the CMF WQE in lpfc_issue_cmf_sync_wqe.<br /> <br /> If ret_val is non-zero, then free the iocbq request structure.