Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: mpi3mr: Fix throttle_groups memory leak<br /> <br /> Add a missing kfree().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: Fix deadlock during directory rename<br /> <br /> As lockdep properly warns, we should not be locking i_rwsem while having<br /> transactions started as the proper lock ordering used by all directory<br /> handling operations is i_rwsem -&gt; transaction start. Fix the lock<br /> ordering by moving the locking of the directory earlier in<br /> ext4_rename().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block: fix wrong mode for blkdev_put() from disk_scan_partitions()<br /> <br /> If disk_scan_partitions() is called with &amp;#39;FMODE_EXCL&amp;#39;,<br /> blkdev_get_by_dev() will be called without &amp;#39;FMODE_EXCL&amp;#39;, however, follow<br /> blkdev_put() is still called with &amp;#39;FMODE_EXCL&amp;#39;, which will cause<br /> &amp;#39;bd_holders&amp;#39; counter to leak.<br /> <br /> Fix the problem by using the right mode for blkdev_put().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> loop: Fix use-after-free issues<br /> <br /> do_req_filebacked() calls blk_mq_complete_request() synchronously or<br /> asynchronously when using asynchronous I/O unless memory allocation fails.<br /> Hence, modify loop_handle_cmd() such that it does not dereference &amp;#39;cmd&amp;#39; nor<br /> &amp;#39;rq&amp;#39; after do_req_filebacked() finished unless we are sure that the request<br /> has not yet been completed. This patch fixes the following kernel crash:<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000054<br /> Call trace:<br /> css_put.42938+0x1c/0x1ac<br /> loop_process_work+0xc8c/0xfd4<br /> loop_rootcg_workfn+0x24/0x34<br /> process_one_work+0x244/0x558<br /> worker_thread+0x400/0x8fc<br /> kthread+0x16c/0x1e0<br /> ret_from_fork+0x10/0x20

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915/sseu: fix max_subslices array-index-out-of-bounds access<br /> <br /> It seems that commit bc3c5e0809ae ("drm/i915/sseu: Don&amp;#39;t try to store EU<br /> mask internally in UAPI format") exposed a potential out-of-bounds<br /> access, reported by UBSAN as following on a laptop with a gen 11 i915<br /> card:<br /> <br /> UBSAN: array-index-out-of-bounds in drivers/gpu/drm/i915/gt/intel_sseu.c:65:27<br /> index 6 is out of range for type &amp;#39;u16 [6]&amp;#39;<br /> CPU: 2 PID: 165 Comm: systemd-udevd Not tainted 6.2.0-9-generic #9-Ubuntu<br /> Hardware name: Dell Inc. XPS 13 9300/077Y9N, BIOS 1.11.0 03/22/2022<br /> Call Trace:<br /> <br /> show_stack+0x4e/0x61<br /> dump_stack_lvl+0x4a/0x6f<br /> dump_stack+0x10/0x18<br /> ubsan_epilogue+0x9/0x3a<br /> __ubsan_handle_out_of_bounds.cold+0x42/0x47<br /> gen11_compute_sseu_info+0x121/0x130 [i915]<br /> intel_sseu_info_init+0x15d/0x2b0 [i915]<br /> intel_gt_init_mmio+0x23/0x40 [i915]<br /> i915_driver_mmio_probe+0x129/0x400 [i915]<br /> ? intel_gt_probe_all+0x91/0x2e0 [i915]<br /> i915_driver_probe+0xe1/0x3f0 [i915]<br /> ? drm_privacy_screen_get+0x16d/0x190 [drm]<br /> ? acpi_dev_found+0x64/0x80<br /> i915_pci_probe+0xac/0x1b0 [i915]<br /> ...<br /> <br /> According to the definition of sseu_dev_info, eu_mask-&gt;hsw is limited to<br /> a maximum of GEN_MAX_SS_PER_HSW_SLICE (6) sub-slices, but<br /> gen11_sseu_info_init() can potentially set 8 sub-slices, in the<br /> !IS_JSL_EHL(gt-&gt;i915) case.<br /> <br /> Fix this by reserving up to 8 slots for max_subslices in the eu_mask<br /> struct.<br /> <br /> (cherry picked from commit 3cba09a6ac86ea1d456909626eb2685596c07822)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: nl80211: fix NULL-ptr deref in offchan check<br /> <br /> If, e.g. in AP mode, the link was already created by userspace<br /> but not activated yet, it has a chandef but the chandef isn&amp;#39;t<br /> valid and has no channel. Check for this and ignore this link.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i40e: Fix kernel crash during reboot when adapter is in recovery mode<br /> <br /> If the driver detects during probe that firmware is in recovery<br /> mode then i40e_init_recovery_mode() is called and the rest of<br /> probe function is skipped including pci_set_drvdata(). Subsequent<br /> i40e_shutdown() called during shutdown/reboot dereferences NULL<br /> pointer as pci_get_drvdata() returns NULL.<br /> <br /> To fix call pci_set_drvdata() also during entering to recovery mode.<br /> <br /> Reproducer:<br /> 1) Lets have i40e NIC with firmware in recovery mode<br /> 2) Run reboot<br /> <br /> Result:<br /> [ 139.084698] i40e: Intel(R) Ethernet Connection XL710 Network Driver<br /> [ 139.090959] i40e: Copyright (c) 2013 - 2019 Intel Corporation.<br /> [ 139.108438] i40e 0000:02:00.0: Firmware recovery mode detected. Limiting functionality.<br /> [ 139.116439] i40e 0000:02:00.0: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.<br /> [ 139.129499] i40e 0000:02:00.0: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]<br /> [ 139.215932] i40e 0000:02:00.0 enp2s0f0: renamed from eth0<br /> [ 139.223292] i40e 0000:02:00.1: Firmware recovery mode detected. Limiting functionality.<br /> [ 139.231292] i40e 0000:02:00.1: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.<br /> [ 139.244406] i40e 0000:02:00.1: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]<br /> [ 139.329209] i40e 0000:02:00.1 enp2s0f1: renamed from eth0<br /> ...<br /> [ 156.311376] BUG: kernel NULL pointer dereference, address: 00000000000006c2<br /> [ 156.318330] #PF: supervisor write access in kernel mode<br /> [ 156.323546] #PF: error_code(0x0002) - not-present page<br /> [ 156.328679] PGD 0 P4D 0<br /> [ 156.331210] Oops: 0002 [#1] PREEMPT SMP NOPTI<br /> [ 156.335567] CPU: 26 PID: 15119 Comm: reboot Tainted: G E 6.2.0+ #1<br /> [ 156.343126] Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022<br /> [ 156.353369] RIP: 0010:i40e_shutdown+0x15/0x130 [i40e]<br /> [ 156.358430] Code: c1 fc ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 fd 53 48 8b 9f 48 01 00 00 80 8b c2 06 00 00 04 f0 80 8b c0 06 00 00 08 48 8d bb 08 08 00<br /> [ 156.377168] RSP: 0018:ffffb223c8447d90 EFLAGS: 00010282<br /> [ 156.382384] RAX: ffffffffc073ee70 RBX: 0000000000000000 RCX: 0000000000000001<br /> [ 156.389510] RDX: 0000000080000001 RSI: 0000000000000246 RDI: ffff95db49988000<br /> [ 156.396634] RBP: ffff95db49988000 R08: ffffffffffffffff R09: ffffffff8bd17d40<br /> [ 156.403759] R10: 0000000000000001 R11: ffffffff8a5e3d28 R12: ffff95db49988000<br /> [ 156.410882] R13: ffffffff89a6fe17 R14: ffff95db49988150 R15: 0000000000000000<br /> [ 156.418007] FS: 00007fe7c0cc3980(0000) GS:ffff95ea8ee80000(0000) knlGS:0000000000000000<br /> [ 156.426083] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 156.431819] CR2: 00000000000006c2 CR3: 00000003092fc005 CR4: 0000000000770ee0<br /> [ 156.438944] PKRU: 55555554<br /> [ 156.441647] Call Trace:<br /> [ 156.444096] <br /> [ 156.446199] pci_device_shutdown+0x38/0x60<br /> [ 156.450297] device_shutdown+0x163/0x210<br /> [ 156.454215] kernel_restart+0x12/0x70<br /> [ 156.457872] __do_sys_reboot+0x1ab/0x230<br /> [ 156.461789] ? vfs_writev+0xa6/0x1a0<br /> [ 156.465362] ? __pfx_file_free_rcu+0x10/0x10<br /> [ 156.469635] ? __call_rcu_common.constprop.85+0x109/0x5a0<br /> [ 156.475034] do_syscall_64+0x3e/0x90<br /> [ 156.478611] entry_SYSCALL_64_after_hwframe+0x72/0xdc<br /> [ 156.483658] RIP: 0033:0x7fe7bff37ab7

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: mpi3mr: Fix memory leaks in mpi3mr_init_ioc()<br /> <br /> Don&amp;#39;t allocate memory again when IOC is being reinitialized.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvmet: avoid potential UAF in nvmet_req_complete()<br /> <br /> An nvme target -&gt;queue_response() operation implementation may free the<br /> request passed as argument. Such implementation potentially could result<br /> in a use after free of the request pointer when percpu_ref_put() is<br /> called in nvmet_req_complete().<br /> <br /> Avoid such problem by using a local variable to save the sq pointer<br /> before calling __nvmet_req_complete(), thus avoiding dereferencing the<br /> req pointer after that function call.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: prevent out-of-bounds array speculation when closing a file descriptor<br /> <br /> Google-Bug-Id: 114199369

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: core: Fix a procfs host directory removal regression<br /> <br /> scsi_proc_hostdir_rm() decreases a reference counter and hence must only be<br /> called once per host that is removed. This change does not require a<br /> scsi_add_host_with_dma() change since scsi_add_host_with_dma() will return<br /> 0 (success) if scsi_proc_host_add() is called.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfc: pn533: initialize struct pn533_out_arg properly<br /> <br /> struct pn533_out_arg used as a temporary context for out_urb is not<br /> initialized properly. Its uninitialized &amp;#39;phy&amp;#39; field can be dereferenced in<br /> error cases inside pn533_out_complete() callback function. It causes the<br /> following failure:<br /> <br /> general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN<br /> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br /> CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-rc3-next-20230110-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022<br /> RIP: 0010:pn533_out_complete.cold+0x15/0x44 drivers/nfc/pn533/usb.c:441<br /> Call Trace:<br /> <br /> __usb_hcd_giveback_urb+0x2b6/0x5c0 drivers/usb/core/hcd.c:1671<br /> usb_hcd_giveback_urb+0x384/0x430 drivers/usb/core/hcd.c:1754<br /> dummy_timer+0x1203/0x32d0 drivers/usb/gadget/udc/dummy_hcd.c:1988<br /> call_timer_fn+0x1da/0x800 kernel/time/timer.c:1700<br /> expire_timers+0x234/0x330 kernel/time/timer.c:1751<br /> __run_timers kernel/time/timer.c:2022 [inline]<br /> __run_timers kernel/time/timer.c:1995 [inline]<br /> run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035<br /> __do_softirq+0x1fb/0xaf6 kernel/softirq.c:571<br /> invoke_softirq kernel/softirq.c:445 [inline]<br /> __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650<br /> irq_exit_rcu+0x9/0x20 kernel/softirq.c:662<br /> sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1107<br /> <br /> Initialize the field with the pn533_usb_phy currently used.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.