Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: imx-hdmi: Fix refcount leak in imx_hdmi_probe<br /> <br /> of_find_device_by_node() takes reference, we should use put_device()<br /> to release it. when devm_kzalloc() fails, it doesn&amp;#39;t have a<br /> put_device(), it will cause refcount leak.<br /> Add missing put_device() to fix this.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> regulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt<br /> <br /> of_node_get() returns a node with refcount incremented.<br /> Calling of_node_put() to drop the reference when not needed anymore.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: mxs-saif: Fix refcount leak in mxs_saif_probe<br /> <br /> of_parse_phandle() returns a node pointer with refcount<br /> incremented, we should use of_node_put() on it when done.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/msm/disp/dpu1: avoid clearing hw interrupts if hw_intr is null during drm uninit<br /> <br /> If edp modeset init is failed due to panel being not ready and<br /> probe defers during drm bind, avoid clearing irqs and dereference<br /> hw_intr when hw_intr is null.<br /> <br /> BUG: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000<br /> <br /> Call trace:<br /> dpu_core_irq_uninstall+0x50/0xb0<br /> dpu_irq_uninstall+0x18/0x24<br /> msm_drm_uninit+0xd8/0x16c<br /> msm_drm_bind+0x580/0x5fc<br /> try_to_bring_up_master+0x168/0x1c0<br /> __component_add+0xb4/0x178<br /> component_add+0x1c/0x28<br /> dp_display_probe+0x38c/0x400<br /> platform_probe+0xb0/0xd0<br /> really_probe+0xcc/0x2c8<br /> __driver_probe_device+0xbc/0xe8<br /> driver_probe_device+0x48/0xf0<br /> __device_attach_driver+0xa0/0xc8<br /> bus_for_each_drv+0x8c/0xd8<br /> __device_attach+0xc4/0x150<br /> device_initial_probe+0x1c/0x28<br /> <br /> Changes in V2:<br /> - Update commit message and coreect fixes tag.<br /> <br /> Patchwork: https://patchwork.freedesktop.org/patch/484430/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mt76: mt7915: fix possible NULL pointer dereference in mt7915_mac_fill_rx_vector<br /> <br /> Fix possible NULL pointer dereference in mt7915_mac_fill_rx_vector<br /> routine if the chip does not support dbdc and the hw reports band_idx<br /> set to 1.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/v3d: Fix null pointer dereference of pointer perfmon<br /> <br /> In the unlikely event that pointer perfmon is null the WARN_ON return path<br /> occurs after the pointer has already been deferenced. Fix this by only<br /> dereferencing perfmon after it has been null checked.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: fsl: Fix refcount leak in imx_sgtl5000_probe<br /> <br /> of_find_i2c_device_by_node() takes a reference,<br /> In error paths, we should call put_device() to drop<br /> the reference to aviod refount leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mtd: rawnand: intel: fix possible null-ptr-deref in ebu_nand_probe()<br /> <br /> It will cause null-ptr-deref when using &amp;#39;res&amp;#39;, if platform_get_resource()<br /> returns NULL, so move using &amp;#39;res&amp;#39; after devm_ioremap_resource() that<br /> will check it to avoid null-ptr-deref.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/msm/mdp5: Return error code in mdp5_mixer_release when deadlock is detected<br /> <br /> There is a possibility for mdp5_get_global_state to return<br /> -EDEADLK when acquiring the modeset lock, but currently global_state in<br /> mdp5_mixer_release doesn&amp;#39;t check for if an error is returned.<br /> <br /> To avoid a NULL dereference error, let&amp;#39;s have mdp5_mixer_release<br /> check if an error is returned and propagate that error.<br /> <br /> Patchwork: https://patchwork.freedesktop.org/patch/485181/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal/core: Fix memory leak in __thermal_cooling_device_register()<br /> <br /> I got memory leak as follows when doing fault injection test:<br /> <br /> unreferenced object 0xffff888010080000 (size 264312):<br /> comm "182", pid 102533, jiffies 4296434960 (age 10.100s)<br /> hex dump (first 32 bytes):<br /> 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........<br /> ff ff ff ff ff ff ff ff 40 7f 1f b9 ff ff ff ff ........@.......<br /> backtrace:<br /> [] kmalloc_order_trace+0x1d/0x110 mm/slab_common.c:969<br /> [] __kmalloc+0x373/0x420 include/linux/slab.h:510<br /> [] thermal_cooling_device_setup_sysfs+0x15d/0x2d0 include/linux/slab.h:586<br /> [] __thermal_cooling_device_register+0x332/0xa60 drivers/thermal/thermal_core.c:927<br /> [] devm_thermal_of_cooling_device_register+0x6b/0xf0 drivers/thermal/thermal_core.c:1041<br /> [] max6650_probe.cold+0x557/0x6aa drivers/hwmon/max6650.c:211<br /> [] i2c_device_probe+0x472/0xac0 drivers/i2c/i2c-core-base.c:561<br /> <br /> If device_register() fails, thermal_cooling_device_destroy_sysfs() need be called<br /> to free the memory allocated in thermal_cooling_device_setup_sysfs().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix anon_dev leak in create_subvol()<br /> <br /> When btrfs_qgroup_inherit(), btrfs_alloc_tree_block, or<br /> btrfs_insert_root() fail in create_subvol(), we return without freeing<br /> anon_dev. Reorganize the error handling in create_subvol() to fix this.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event<br /> <br /> We should not access skb buffer data anymore after hci_recv_frame was<br /> called.<br /> <br /> [ 39.634809] BUG: KASAN: use-after-free in btmtksdio_recv_event+0x1b0<br /> [ 39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker<br /> [ 39.634962] Call trace:<br /> [ 39.634974] dump_backtrace+0x0/0x3b8<br /> [ 39.634999] show_stack+0x20/0x2c<br /> [ 39.635016] dump_stack_lvl+0x60/0x78<br /> [ 39.635040] print_address_description+0x70/0x2f0<br /> [ 39.635062] kasan_report+0x154/0x194<br /> [ 39.635079] __asan_report_load1_noabort+0x44/0x50<br /> [ 39.635099] btmtksdio_recv_event+0x1b0/0x1c4<br /> [ 39.635129] btmtksdio_txrx_work+0x6cc/0xac4<br /> [ 39.635157] process_one_work+0x560/0xc5c<br /> [ 39.635177] worker_thread+0x7ec/0xcc0<br /> [ 39.635195] kthread+0x2d0/0x3d0<br /> [ 39.635215] ret_from_fork+0x10/0x20<br /> [ 39.635247] Allocated by task 0:<br /> [ 39.635260] (stack is not available)<br /> [ 39.635281] Freed by task 2392:<br /> [ 39.635295] kasan_save_stack+0x38/0x68<br /> [ 39.635319] kasan_set_track+0x28/0x3c<br /> [ 39.635338] kasan_set_free_info+0x28/0x4c<br /> [ 39.635357] ____kasan_slab_free+0x104/0x150<br /> [ 39.635374] __kasan_slab_free+0x18/0x28<br /> [ 39.635391] slab_free_freelist_hook+0x114/0x248<br /> [ 39.635410] kfree+0xf8/0x2b4<br /> [ 39.635427] skb_free_head+0x58/0x98<br /> [ 39.635447] skb_release_data+0x2f4/0x410<br /> [ 39.635464] skb_release_all+0x50/0x60<br /> [ 39.635481] kfree_skb+0xc8/0x25c<br /> [ 39.635498] hci_event_packet+0x894/0xca4 [bluetooth]<br /> [ 39.635721] hci_rx_work+0x1c8/0x68c [bluetooth]<br /> [ 39.635925] process_one_work+0x560/0xc5c<br /> [ 39.635951] worker_thread+0x7ec/0xcc0<br /> [ 39.635970] kthread+0x2d0/0x3d0<br /> [ 39.635990] ret_from_fork+0x10/0x20<br /> [ 39.636021] The buggy address belongs to the object at ffffff80cf28a600<br /> which belongs to the cache kmalloc-512 of size 512<br /> [ 39.636039] The buggy address is located 13 bytes inside of<br /> 512-byte region [ffffff80cf28a600, ffffff80cf28a800)