Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: qca: fix NULL-deref on non-serdev setup<br /> <br /> Qualcomm ROME controllers can be registered from the Bluetooth line<br /> discipline and in this case the HCI UART serdev pointer is NULL.<br /> <br /> Add the missing sanity check to prevent a NULL-pointer dereference when<br /> setup() is called for a non-serdev controller.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: qca: fix NULL-deref on non-serdev suspend<br /> <br /> Qualcomm ROME controllers can be registered from the Bluetooth line<br /> discipline and in this case the HCI UART serdev pointer is NULL.<br /> <br /> Add the missing sanity check to prevent a NULL-pointer dereference when<br /> wakeup() is called for a non-serdev controller during suspend.<br /> <br /> Just return true for now to restore the original behaviour and address<br /> the crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657<br /> ("Bluetooth: hci_qca: only assign wakeup with serial port support") that<br /> causes the crash to happen already at setup() time.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: iwlwifi: dbg-tlv: ensure NUL termination<br /> <br /> The iwl_fw_ini_debug_info_tlv is used as a string, so we must<br /> ensure the string is terminated correctly before using it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/vt-d: Use device rbtree in iopf reporting path<br /> <br /> The existing I/O page fault handler currently locates the PCI device by<br /> calling pci_get_domain_bus_and_slot(). This function searches the list<br /> of all PCI devices until the desired device is found. To improve lookup<br /> efficiency, replace it with device_rbtree_find() to search the device<br /> within the probed device rbtree.<br /> <br /> The I/O page fault is initiated by the device, which does not have any<br /> synchronization mechanism with the software to ensure that the device<br /> stays in the probed device tree. Theoretically, a device could be released<br /> by the IOMMU subsystem after device_rbtree_find() and before<br /> iopf_get_dev_fault_param(), which would cause a use-after-free problem.<br /> <br /> Add a mutex to synchronize the I/O page fault reporting path and the IOMMU<br /> release device path. This lock doesn&amp;#39;t introduce any performance overhead,<br /> as the conflict between I/O page fault reporting and device releasing is<br /> very rare.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/powernv: Add a null pointer check to scom_debug_init_one()<br /> <br /> kasprintf() returns a pointer to dynamically allocated memory<br /> which can be NULL upon failure.<br /> Add a null pointer check, and release &amp;#39;ent&amp;#39; to avoid memory leaks.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ACPI: video: check for error while searching for backlight device parent<br /> <br /> If acpi_get_parent() called in acpi_video_dev_register_backlight()<br /> fails, for example, because acpi_ut_acquire_mutex() fails inside<br /> acpi_get_parent), this can lead to incorrect (uninitialized)<br /> acpi_parent handle being passed to acpi_get_pci_dev() for detecting<br /> the parent pci device.<br /> <br /> Check acpi_get_parent() result and set parent device only in case of success.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/bridge: tpd12s015: Drop buggy __exit annotation for remove function<br /> <br /> With tpd12s015_remove() marked with __exit this function is discarded<br /> when the driver is compiled as a built-in. The result is that when the<br /> driver unbinds there is no cleanup done which results in resource<br /> leakage or worse.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: scarlett2: Add missing error check to scarlett2_usb_set_config()<br /> <br /> scarlett2_usb_set_config() calls scarlett2_usb_get() but was not<br /> checking the result. Return the error if it fails rather than<br /> continuing with an invalid value.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Check writeback connectors in create_validate_stream_for_sink<br /> <br /> [WHY &amp; HOW]<br /> This is to check connector type to avoid<br /> unhandled null pointer for writeback connectors.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: Intel: sof_sdw_rt_sdca_jack_common: ctx-&gt;headset_codec_dev = NULL<br /> <br /> sof_sdw_rt_sdca_jack_exit() are used by different codecs, and some of<br /> them use the same dai name.<br /> For example, rt712 and rt713 both use "rt712-sdca-aif1" and<br /> sof_sdw_rt_sdca_jack_exit().<br /> As a result, sof_sdw_rt_sdca_jack_exit() will be called twice by<br /> mc_dailink_exit_loop(). Set ctx-&gt;headset_codec_dev = NULL; after<br /> put_device(ctx-&gt;headset_codec_dev); to avoid ctx-&gt;headset_codec_dev<br /> being put twice.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> calipso: fix memory leak in netlbl_calipso_add_pass()<br /> <br /> If IPv6 support is disabled at boot (ipv6.disable=1),<br /> the calipso_init() -&gt; netlbl_calipso_ops_register() function isn&amp;#39;t called,<br /> and the netlbl_calipso_ops_get() function always returns NULL.<br /> In this case, the netlbl_calipso_add_pass() function allocates memory<br /> for the doi_def variable but doesn&amp;#39;t free it with the calipso_doi_free().<br /> <br /> BUG: memory leak<br /> unreferenced object 0xffff888011d68180 (size 64):<br /> comm "syz-executor.1", pid 10746, jiffies 4295410986 (age 17.928s)<br /> hex dump (first 32 bytes):<br /> 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] kmalloc include/linux/slab.h:552 [inline]<br /> [] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]<br /> [] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111<br /> [] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739<br /> [] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]<br /> [] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800<br /> [] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515<br /> [] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811<br /> [] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]<br /> [] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339<br /> [] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934<br /> [] sock_sendmsg_nosec net/socket.c:651 [inline]<br /> [] sock_sendmsg+0x157/0x190 net/socket.c:671<br /> [] ____sys_sendmsg+0x712/0x870 net/socket.c:2342<br /> [] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396<br /> [] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429<br /> [] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46<br /> [] entry_SYSCALL_64_after_hwframe+0x61/0xc6<br /> <br /> Found by InfoTeCS on behalf of Linux Verification Center<br /> (linuxtesting.org) with Syzkaller<br /> <br /> [PM: merged via the LSM tree at Jakub Kicinski request]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/pm: fix a double-free in si_dpm_init<br /> <br /> When the allocation of<br /> adev-&gt;pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails,<br /> amdgpu_free_extended_power_table is called to free some fields of adev.<br /> However, when the control flow returns to si_dpm_sw_init, it goes to<br /> label dpm_failed and calls si_dpm_fini, which calls<br /> amdgpu_free_extended_power_table again and free those fields again. Thus<br /> a double-free is triggered.