Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> venus: pm_helpers: Fix warning in OPP during probe<br /> <br /> Fix the following WARN triggered during Venus driver probe on<br /> 5.19.0-rc8-next-20220728:<br /> <br /> WARNING: CPU: 7 PID: 339 at drivers/opp/core.c:2471 dev_pm_opp_set_config+0x49c/0x610<br /> Modules linked in: qcom_spmi_adc5 rtc_pm8xxx qcom_spmi_adc_tm5 leds_qcom_lpg led_class_multicolor<br /> qcom_pon qcom_vadc_common venus_core(+) qcom_spmi_temp_alarm v4l2_mem2mem videobuf2_v4l2 msm(+)<br /> videobuf2_common crct10dif_ce spi_geni_qcom snd_soc_sm8250 i2c_qcom_geni gpu_sched<br /> snd_soc_qcom_common videodev qcom_q6v5_pas soundwire_qcom drm_dp_aux_bus qcom_stats<br /> drm_display_helper qcom_pil_info soundwire_bus snd_soc_lpass_va_macro mc qcom_q6v5<br /> phy_qcom_snps_femto_v2 qcom_rng snd_soc_lpass_macro_common snd_soc_lpass_wsa_macro<br /> lpass_gfm_sm8250 slimbus qcom_sysmon qcom_common qcom_glink_smem qmi_helpers<br /> qcom_wdt mdt_loader socinfo icc_osm_l3 display_connector<br /> drm_kms_helper qnoc_sm8250 drm fuse ip_tables x_tables ipv6<br /> CPU: 7 PID: 339 Comm: systemd-udevd Not tainted 5.19.0-rc8-next-20220728 #4<br /> Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)<br /> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : dev_pm_opp_set_config+0x49c/0x610<br /> lr : dev_pm_opp_set_config+0x58/0x610<br /> sp : ffff8000093c3710<br /> x29: ffff8000093c3710 x28: ffffbca3959d82b8 x27: ffff8000093c3d00<br /> x26: ffffbca3959d8e08 x25: ffff4396cac98118 x24: ffff4396c0e24810<br /> x23: ffff4396c4272c40 x22: ffff4396c0e24810 x21: ffff8000093c3810<br /> x20: ffff4396cac36800 x19: ffff4396cac96800 x18: 0000000000000000<br /> x17: 0000000000000003 x16: ffffbca3f4edf198 x15: 0000001cba64a858<br /> x14: 0000000000000180 x13: 000000000000017e x12: 0000000000000000<br /> x11: 0000000000000002 x10: 0000000000000a60 x9 : ffff8000093c35c0<br /> x8 : ffff4396c4273700 x7 : ffff43983efca6c0 x6 : ffff43983efca640<br /> x5 : 00000000410fd0d0 x4 : ffff4396c4272c40 x3 : ffffbca3f5d1e008<br /> x2 : 0000000000000000 x1 : ffff4396c2421600 x0 : ffff4396cac96860<br /> Call trace:<br /> dev_pm_opp_set_config+0x49c/0x610<br /> devm_pm_opp_set_config+0x18/0x70<br /> vcodec_domains_get+0xb8/0x1638 [venus_core]<br /> core_get_v4+0x1d8/0x218 [venus_core]<br /> venus_probe+0xf4/0x468 [venus_core]<br /> platform_probe+0x68/0xd8<br /> really_probe+0xbc/0x2a8<br /> __driver_probe_device+0x78/0xe0<br /> driver_probe_device+0x3c/0xf0<br /> __driver_attach+0x70/0x120<br /> bus_for_each_dev+0x70/0xc0<br /> driver_attach+0x24/0x30<br /> bus_add_driver+0x150/0x200<br /> driver_register+0x64/0x120<br /> __platform_driver_register+0x28/0x38<br /> qcom_venus_driver_init+0x24/0x1000 [venus_core]<br /> do_one_initcall+0x54/0x1c8<br /> do_init_module+0x44/0x1d0<br /> load_module+0x16c8/0x1aa0<br /> __do_sys_finit_module+0xbc/0x110<br /> __arm64_sys_finit_module+0x20/0x30<br /> invoke_syscall+0x44/0x108<br /> el0_svc_common.constprop.0+0xcc/0xf0<br /> do_el0_svc+0x2c/0xb8<br /> el0_svc+0x2c/0x88<br /> el0t_64_sync_handler+0xb8/0xc0<br /> el0t_64_sync+0x18c/0x190<br /> qcom-venus: probe of aa00000.video-codec failed with error -16<br /> <br /> The fix is re-ordering the code related to OPP core. The OPP core<br /> expects all configuration options to be provided before the OPP<br /> table is added.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to avoid use f2fs_bug_on() in f2fs_new_node_page()<br /> <br /> As Dipanjan Das reported, syzkaller<br /> found a f2fs bug as below:<br /> <br /> RIP: 0010:f2fs_new_node_page+0x19ac/0x1fc0 fs/f2fs/node.c:1295<br /> Call Trace:<br /> write_all_xattrs fs/f2fs/xattr.c:487 [inline]<br /> __f2fs_setxattr+0xe76/0x2e10 fs/f2fs/xattr.c:743<br /> f2fs_setxattr+0x233/0xab0 fs/f2fs/xattr.c:790<br /> f2fs_xattr_generic_set+0x133/0x170 fs/f2fs/xattr.c:86<br /> __vfs_setxattr+0x115/0x180 fs/xattr.c:182<br /> __vfs_setxattr_noperm+0x125/0x5f0 fs/xattr.c:216<br /> __vfs_setxattr_locked+0x1cf/0x260 fs/xattr.c:277<br /> vfs_setxattr+0x13f/0x330 fs/xattr.c:303<br /> setxattr+0x146/0x160 fs/xattr.c:611<br /> path_setxattr+0x1a7/0x1d0 fs/xattr.c:630<br /> __do_sys_lsetxattr fs/xattr.c:653 [inline]<br /> __se_sys_lsetxattr fs/xattr.c:649 [inline]<br /> __x64_sys_lsetxattr+0xbd/0x150 fs/xattr.c:649<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> <br /> NAT entry and nat bitmap can be inconsistent, e.g. one nid is free<br /> in nat bitmap, and blkaddr in its NAT entry is not NULL_ADDR, it<br /> may trigger BUG_ON() in f2fs_new_node_page(), fix it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: SOF: Intel: hda-ipc: Do not process IPC reply before firmware boot<br /> <br /> It is not yet clear, but it is possible to create a firmware so broken<br /> that it will send a reply message before a FW_READY message (it is not<br /> yet clear if FW_READY will arrive later).<br /> Since the reply_data is allocated only after the FW_READY message, this<br /> will lead to a NULL pointer dereference if not filtered out.<br /> <br /> The issue was reported with IPC4 firmware but the same condition is present<br /> for IPC3.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: SOF: Intel: cnl: Do not process IPC reply before firmware boot<br /> <br /> It is not yet clear, but it is possible to create a firmware so broken<br /> that it will send a reply message before a FW_READY message (it is not<br /> yet clear if FW_READY will arrive later).<br /> Since the reply_data is allocated only after the FW_READY message, this<br /> will lead to a NULL pointer dereference if not filtered out.<br /> <br /> The issue was reported with IPC4 firmware but the same condition is present<br /> for IPC3.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW<br /> <br /> Ever since the Dirty COW (CVE-2016-5195) security issue happened, we know<br /> that FOLL_FORCE can be possibly dangerous, especially if there are races<br /> that can be exploited by user space.<br /> <br /> Right now, it would be sufficient to have some code that sets a PTE of a<br /> R/O-mapped shared page dirty, in order for it to erroneously become<br /> writable by FOLL_FORCE. The implications of setting a write-protected PTE<br /> dirty might not be immediately obvious to everyone.<br /> <br /> And in fact ever since commit 9ae0f87d009c ("mm/shmem: unconditionally set<br /> pte dirty in mfill_atomic_install_pte"), we can use UFFDIO_CONTINUE to map<br /> a shmem page R/O while marking the pte dirty. This can be used by<br /> unprivileged user space to modify tmpfs/shmem file content even if the<br /> user does not have write permissions to the file, and to bypass memfd<br /> write sealing -- Dirty COW restricted to tmpfs/shmem (CVE-2022-2590).<br /> <br /> To fix such security issues for good, the insight is that we really only<br /> need that fancy retry logic (FOLL_COW) for COW mappings that are not<br /> writable (!VM_WRITE). And in a COW mapping, we really only broke COW if<br /> we have an exclusive anonymous page mapped. If we have something else<br /> mapped, or the mapped anonymous page might be shared (!PageAnonExclusive),<br /> we have to trigger a write fault to break COW. If we don&amp;#39;t find an<br /> exclusive anonymous page when we retry, we have to trigger COW breaking<br /> once again because something intervened.<br /> <br /> Let&amp;#39;s move away from this mandatory-retry + dirty handling and rely on our<br /> PageAnonExclusive() flag for making a similar decision, to use the same<br /> COW logic as in other kernel parts here as well. In case we stumble over<br /> a PTE in a COW mapping that does not map an exclusive anonymous page, COW<br /> was not properly broken and we have to trigger a fake write-fault to break<br /> COW.<br /> <br /> Just like we do in can_change_pte_writable() added via commit 64fe24a3e05e<br /> ("mm/mprotect: try avoiding write faults for exclusive anonymous pages<br /> when changing protection") and commit 76aefad628aa ("mm/mprotect: fix<br /> soft-dirty check in can_change_pte_writable()"), take care of softdirty<br /> and uffd-wp manually.<br /> <br /> For example, a write() via /proc/self/mem to a uffd-wp-protected range has<br /> to fail instead of silently granting write access and bypassing the<br /> userspace fault handler. Note that FOLL_FORCE is not only used for debug<br /> access, but also triggered by applications without debug intentions, for<br /> example, when pinning pages via RDMA.<br /> <br /> This fixes CVE-2022-2590. Note that only x86_64 and aarch64 are<br /> affected, because only those support CONFIG_HAVE_ARCH_USERFAULTFD_MINOR.<br /> <br /> Fortunately, FOLL_COW is no longer required to handle FOLL_FORCE. So<br /> let&amp;#39;s just get rid of it.<br /> <br /> Thanks to Nadav Amit for pointing out that the pte_dirty() check in<br /> FOLL_FORCE code is problematic and might be exploitable.<br /> <br /> Note 1: We don&amp;#39;t check for the PTE being dirty because it doesn&amp;#39;t matter<br /> for making a "was COWed" decision anymore, and whoever modifies the<br /> page has to set the page dirty either way.<br /> <br /> Note 2: Kernels before extended uffd-wp support and before<br /> PageAnonExclusive (

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/64: Init jump labels before parse_early_param()<br /> <br /> On 64-bit, calling jump_label_init() in setup_feature_keys() is too<br /> late because static keys may be used in subroutines of<br /> parse_early_param() which is again subroutine of early_init_devtree().<br /> <br /> For example booting with "threadirqs":<br /> <br /> static_key_enable_cpuslocked(): static key &amp;#39;0xc000000002953260&amp;#39; used before call to jump_label_init()<br /> WARNING: CPU: 0 PID: 0 at kernel/jump_label.c:166 static_key_enable_cpuslocked+0xfc/0x120<br /> ...<br /> NIP static_key_enable_cpuslocked+0xfc/0x120<br /> LR static_key_enable_cpuslocked+0xf8/0x120<br /> Call Trace:<br /> static_key_enable_cpuslocked+0xf8/0x120 (unreliable)<br /> static_key_enable+0x30/0x50<br /> setup_forced_irqthreads+0x28/0x40<br /> do_early_param+0xa0/0x108<br /> parse_args+0x290/0x4e0<br /> parse_early_options+0x48/0x5c<br /> parse_early_param+0x58/0x84<br /> early_init_devtree+0xd4/0x518<br /> early_setup+0xb4/0x214<br /> <br /> So call jump_label_init() just before parse_early_param() in<br /> early_init_devtree().<br /> <br /> [mpe: Add call trace to change log and minor wording edits.]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: policy: fix metadata dst-&gt;dev xmit null pointer dereference<br /> <br /> When we try to transmit an skb with metadata_dst attached (i.e. dst-&gt;dev<br /> == NULL) through xfrm interface we can hit a null pointer dereference[1]<br /> in xfrmi_xmit2() -&gt; xfrm_lookup_with_ifid() due to the check for a<br /> loopback skb device when there&amp;#39;s no policy which dereferences dst-&gt;dev<br /> unconditionally. Not having dst-&gt;dev can be interepreted as it not being<br /> a loopback device, so just add a check for a null dst_orig-&gt;dev.<br /> <br /> With this fix xfrm interface&amp;#39;s Tx error counters go up as usual.<br /> <br /> [1] net-next calltrace captured via netconsole:<br /> BUG: kernel NULL pointer dereference, address: 00000000000000c0<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] PREEMPT SMP<br /> CPU: 1 PID: 7231 Comm: ping Kdump: loaded Not tainted 5.19.0+ #24<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014<br /> RIP: 0010:xfrm_lookup_with_ifid+0x5eb/0xa60<br /> Code: 8d 74 24 38 e8 26 a4 37 00 48 89 c1 e9 12 fc ff ff 49 63 ed 41 83 fd be 0f 85 be 01 00 00 41 be ff ff ff ff 45 31 ed 48 8b 03 80 c0 00 00 00 08 75 0f 41 80 bc 24 19 0d 00 00 01 0f 84 1e 02<br /> RSP: 0018:ffffb0db82c679f0 EFLAGS: 00010246<br /> RAX: 0000000000000000 RBX: ffffd0db7fcad430 RCX: ffffb0db82c67a10<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb0db82c67a80<br /> RBP: ffffb0db82c67a80 R08: ffffb0db82c67a14 R09: 0000000000000000<br /> R10: 0000000000000000 R11: ffff8fa449667dc8 R12: ffffffff966db880<br /> R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000<br /> FS: 00007ff35c83f000(0000) GS:ffff8fa478480000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00000000000000c0 CR3: 000000001ebb7000 CR4: 0000000000350ee0<br /> Call Trace:<br /> <br /> xfrmi_xmit+0xde/0x460<br /> ? tcf_bpf_act+0x13d/0x2a0<br /> dev_hard_start_xmit+0x72/0x1e0<br /> __dev_queue_xmit+0x251/0xd30<br /> ip_finish_output2+0x140/0x550<br /> ip_push_pending_frames+0x56/0x80<br /> raw_sendmsg+0x663/0x10a0<br /> ? try_charge_memcg+0x3fd/0x7a0<br /> ? __mod_memcg_lruvec_state+0x93/0x110<br /> ? sock_sendmsg+0x30/0x40<br /> sock_sendmsg+0x30/0x40<br /> __sys_sendto+0xeb/0x130<br /> ? handle_mm_fault+0xae/0x280<br /> ? do_user_addr_fault+0x1e7/0x680<br /> ? kvm_read_and_reset_apf_flags+0x3b/0x50<br /> __x64_sys_sendto+0x20/0x30<br /> do_syscall_64+0x34/0x80<br /> entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> RIP: 0033:0x7ff35cac1366<br /> Code: eb 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 05 3d 00 f0 ff ff 77 72 c3 90 55 48 83 ec 30 44 89 4c 24 2c 4c 89<br /> RSP: 002b:00007fff738e4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c<br /> RAX: ffffffffffffffda RBX: 00007fff738e57b0 RCX: 00007ff35cac1366<br /> RDX: 0000000000000040 RSI: 0000557164e4b450 RDI: 0000000000000003<br /> RBP: 0000557164e4b450 R08: 00007fff738e7a2c R09: 0000000000000010<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040<br /> R13: 00007fff738e5770 R14: 00007fff738e4030 R15: 0000001d00000001<br /> <br /> Modules linked in: netconsole veth br_netfilter bridge bonding virtio_net [last unloaded: netconsole]<br /> CR2: 00000000000000c0

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: xsk: prohibit usage of non-balanced queue id<br /> <br /> Fix the following scenario:<br /> 1. ethtool -L $IFACE rx 8 tx 96<br /> 2. xdpsock -q 10 -t -z<br /> <br /> Above refers to a case where user would like to attach XSK socket in<br /> txonly mode at a queue id that does not have a corresponding Rx queue.<br /> At this moment ice&amp;#39;s XSK logic is tightly bound to act on a "queue pair",<br /> e.g. both Tx and Rx queues at a given queue id are disabled/enabled and<br /> both of them will get XSK pool assigned, which is broken for the presented<br /> queue configuration. This results in the splat included at the bottom,<br /> which is basically an OOB access to Rx ring array.<br /> <br /> To fix this, allow using the ids only in scope of "combined" queues<br /> reported by ethtool. However, logic should be rewritten to allow such<br /> configurations later on, which would end up as a complete rewrite of the<br /> control path, so let us go with this temporary fix.<br /> <br /> [420160.558008] BUG: kernel NULL pointer dereference, address: 0000000000000082<br /> [420160.566359] #PF: supervisor read access in kernel mode<br /> [420160.572657] #PF: error_code(0x0000) - not-present page<br /> [420160.579002] PGD 0 P4D 0<br /> [420160.582756] Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> [420160.588396] CPU: 10 PID: 21232 Comm: xdpsock Tainted: G OE 5.19.0-rc7+ #10<br /> [420160.597893] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019<br /> [420160.609894] RIP: 0010:ice_xsk_pool_setup+0x44/0x7d0 [ice]<br /> [420160.616968] Code: f3 48 83 ec 40 48 8b 4f 20 48 8b 3f 65 48 8b 04 25 28 00 00 00 48 89 44 24 38 31 c0 48 8d 04 ed 00 00 00 00 48 01 c1 48 8b 11 b7 92 82 00 00 00 48 85 d2 0f 84 2d 75 00 00 48 8d 72 ff 48 85<br /> [420160.639421] RSP: 0018:ffffc9002d2afd48 EFLAGS: 00010282<br /> [420160.646650] RAX: 0000000000000050 RBX: ffff88811d8bdd00 RCX: ffff888112c14ff8<br /> [420160.655893] RDX: 0000000000000000 RSI: ffff88811d8bdd00 RDI: ffff888109861000<br /> [420160.665166] RBP: 000000000000000a R08: 000000000000000a R09: 0000000000000000<br /> [420160.674493] R10: 000000000000889f R11: 0000000000000000 R12: 000000000000000a<br /> [420160.683833] R13: 000000000000000a R14: 0000000000000000 R15: ffff888117611828<br /> [420160.693211] FS: 00007fa869fc1f80(0000) GS:ffff8897e0880000(0000) knlGS:0000000000000000<br /> [420160.703645] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [420160.711783] CR2: 0000000000000082 CR3: 00000001d076c001 CR4: 00000000007706e0<br /> [420160.721399] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [420160.731045] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [420160.740707] PKRU: 55555554<br /> [420160.745960] Call Trace:<br /> [420160.750962] <br /> [420160.755597] ? kmalloc_large_node+0x79/0x90<br /> [420160.762703] ? __kmalloc_node+0x3f5/0x4b0<br /> [420160.769341] xp_assign_dev+0xfd/0x210<br /> [420160.775661] ? shmem_file_read_iter+0x29a/0x420<br /> [420160.782896] xsk_bind+0x152/0x490<br /> [420160.788943] __sys_bind+0xd0/0x100<br /> [420160.795097] ? exit_to_user_mode_prepare+0x20/0x120<br /> [420160.802801] __x64_sys_bind+0x16/0x20<br /> [420160.809298] do_syscall_64+0x38/0x90<br /> [420160.815741] entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> [420160.823731] RIP: 0033:0x7fa86a0dd2fb<br /> [420160.830264] Code: c3 66 0f 1f 44 00 00 48 8b 15 69 8b 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bc 0f 1f 44 00 00 f3 0f 1e fa b8 31 00 00 00 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3d 8b 0c 00 f7 d8 64 89 01 48<br /> [420160.855410] RSP: 002b:00007ffc1146f618 EFLAGS: 00000246 ORIG_RAX: 0000000000000031<br /> [420160.866366] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa86a0dd2fb<br /> [420160.876957] RDX: 0000000000000010 RSI: 00007ffc1146f680 RDI: 0000000000000003<br /> [420160.887604] RBP: 000055d7113a0520 R08: 00007fa868fb8000 R09: 0000000080000000<br /> [420160.898293] R10: 0000000000008001 R11: 0000000000000246 R12: 000055d7113a04e0<br /> [420160.909038] R13: 000055d7113a0320 R14: 000000000000000a R15: 0000000000000000<br /> [420160.919817] <br /> [420160.925659] Modules linked in: ice(OE) af_packet binfmt_misc<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: LAG, fix logic over MLX5_LAG_FLAG_NDEVS_READY<br /> <br /> Only set MLX5_LAG_FLAG_NDEVS_READY if both netdevices are registered.<br /> Doing so guarantees that both ldev-&gt;pf[MLX5_LAG_P0].dev and<br /> ldev-&gt;pf[MLX5_LAG_P1].dev have valid pointers when<br /> MLX5_LAG_FLAG_NDEVS_READY is set.<br /> <br /> The core issue is asymmetry in setting MLX5_LAG_FLAG_NDEVS_READY and<br /> clearing it. Setting it is done wrongly when both<br /> ldev-&gt;pf[MLX5_LAG_P0].dev and ldev-&gt;pf[MLX5_LAG_P1].dev are set;<br /> clearing it is done right when either of ldev-&gt;pf[i].netdev is cleared.<br /> <br /> Consider the following scenario:<br /> 1. PF0 loads and sets ldev-&gt;pf[MLX5_LAG_P0].dev to a valid pointer<br /> 2. PF1 loads and sets both ldev-&gt;pf[MLX5_LAG_P1].dev and<br /> ldev-&gt;pf[MLX5_LAG_P1].netdev with valid pointers. This results in<br /> MLX5_LAG_FLAG_NDEVS_READY is set.<br /> 3. PF0 is unloaded before setting dev-&gt;pf[MLX5_LAG_P0].netdev.<br /> MLX5_LAG_FLAG_NDEVS_READY remains set.<br /> <br /> Further execution of mlx5_do_bond() will result in null pointer<br /> dereference when calling mlx5_lag_is_multipath()<br /> <br /> This patch fixes the following call trace actually encountered:<br /> <br /> [ 1293.475195] BUG: kernel NULL pointer dereference, address: 00000000000009a8<br /> [ 1293.478756] #PF: supervisor read access in kernel mode<br /> [ 1293.481320] #PF: error_code(0x0000) - not-present page<br /> [ 1293.483686] PGD 0 P4D 0<br /> [ 1293.484434] Oops: 0000 [#1] SMP PTI<br /> [ 1293.485377] CPU: 1 PID: 23690 Comm: kworker/u16:2 Not tainted 5.18.0-rc5_for_upstream_min_debug_2022_05_05_10_13 #1<br /> [ 1293.488039] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014<br /> [ 1293.490836] Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core]<br /> [ 1293.492448] RIP: 0010:mlx5_lag_is_multipath+0x5/0x50 [mlx5_core]<br /> [ 1293.494044] Code: e8 70 40 ff e0 48 8b 14 24 48 83 05 5c 1a 1b 00 01 e9 19 ff ff ff 48 83 05 47 1a 1b 00 01 eb d7 0f 1f 44 00 00 0f 1f 44 00 00 8b 87 a8 09 00 00 48 85 c0 74 26 48 83 05 a7 1b 1b 00 01 41 b8<br /> [ 1293.498673] RSP: 0018:ffff88811b2fbe40 EFLAGS: 00010202<br /> [ 1293.500152] RAX: ffff88818a94e1c0 RBX: ffff888165eca6c0 RCX: 0000000000000000<br /> [ 1293.501841] RDX: 0000000000000001 RSI: ffff88818a94e1c0 RDI: 0000000000000000<br /> [ 1293.503585] RBP: 0000000000000000 R08: ffff888119886740 R09: ffff888165eca73c<br /> [ 1293.505286] R10: 0000000000000018 R11: 0000000000000018 R12: ffff88818a94e1c0<br /> [ 1293.506979] R13: ffff888112729800 R14: 0000000000000000 R15: ffff888112729858<br /> [ 1293.508753] FS: 0000000000000000(0000) GS:ffff88852cc40000(0000) knlGS:0000000000000000<br /> [ 1293.510782] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 1293.512265] CR2: 00000000000009a8 CR3: 00000001032d4002 CR4: 0000000000370ea0<br /> [ 1293.514001] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [ 1293.515806] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout<br /> <br /> When the pn532 uart device is detaching, the pn532_uart_remove()<br /> is called. But there are no functions in pn532_uart_remove() that<br /> could delete the cmd_timeout timer, which will cause use-after-free<br /> bugs. The process is shown below:<br /> <br /> (thread 1) | (thread 2)<br /> | pn532_uart_send_frame<br /> pn532_uart_remove | mod_timer(&amp;pn532-&gt;cmd_timeout,...)<br /> ... | (wait a time)<br /> kfree(pn532) //FREE | pn532_cmd_timeout<br /> | pn532_uart_send_frame<br /> | pn532-&gt;... //USE<br /> <br /> This patch adds del_timer_sync() in pn532_uart_remove() in order to<br /> prevent the use-after-free bugs. What&amp;#39;s more, the pn53x_unregister_nfc()<br /> is well synchronized, it sets nfc_dev-&gt;shutting_down to true and there<br /> are no syscalls could restart the cmd_timeout timer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFSv4.2 fix problems with __nfs42_ssc_open<br /> <br /> A destination server while doing a COPY shouldn&amp;#39;t accept using the<br /> passed in filehandle if its not a regular filehandle.<br /> <br /> If alloc_file_pseudo() has failed, we need to decrement a reference<br /> on the newly created inode, otherwise it leaks.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: fix refcount leak in __xfrm_policy_check()<br /> <br /> The issue happens on an error path in __xfrm_policy_check(). When the<br /> fetching process of the object `pols[1]` fails, the function simply<br /> returns 0, forgetting to decrement the reference count of `pols[0]`,<br /> which is incremented earlier by either xfrm_sk_policy_lookup() or<br /> xfrm_policy_lookup(). This may result in memory leaks.<br /> <br /> Fix it by decreasing the reference count of `pols[0]` in that path.