Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-49252

Publication date: 26/02/2025

In the Linux kernel, the following vulnerability has been resolved:

ASoC: codecs: rx-macro: fix accessing array out of bounds for enum type

Accessing enums using integer would result in array out of bounds access on platforms like aarch64 where sizeof(long) is 8 compared to enum size which is 4 bytes.

Severity CVSS v4.0: Pending analysis
Last modification: 22/09/2025

CVE-2022-49253

Publication date: 26/02/2025

In the Linux kernel, the following vulnerability has been resolved:

media: usb: go7007: s2250-board: fix leak in probe()

Call i2c_unregister_device(audio) on this error path.

Severity CVSS v4.0: Pending analysis
Last modification: 22/09/2025

CVE-2022-49254

Publication date: 26/02/2025

In the Linux kernel, the following vulnerability has been resolved:

media: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats()

In cal_ctx_v4l2_init_formats(), devm_kzalloc() is assigned to ctx->active_fmt and there is a dereference of it after that, which could lead to NULL pointer dereference on failure of devm_kzalloc().

Fix this bug by adding a NULL check of ctx->active_fmt.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code.

Severity CVSS v4.0: Pending analysis
Last modification: 22/09/2025

CVE-2022-49255

Publication date: 26/02/2025

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix missing free nid in f2fs_handle_failed_inode

This patch fixes xfstests/generic/475 failure.

---truncated---

Severity CVSS v4.0: Pending analysis
Last modification: 21/10/2025

CVE-2022-49256

Publication date: 26/02/2025

In the Linux kernel, the following vulnerability has been resolved:

watch_queue: Actually free the watch

free_watch() does everything barring actually freeing the watch object. Fix this by adding the missing kfree.

kmemleak produces a report something like the following. Note that as an address can be seen in the first word, the watch would appear to have gone through call_rcu().

    BUG: memory leak
    unreferenced object 0xffff88810ce4a200 (size 96):
    comm "syz-executor352", pid 3605, jiffies 4294947473 (age 13.720s)
    hex dump (first 32 bytes):
    e0 82 48 0d 81 88 ff ff 00 00 00 00 00 00 00 00 ..H.............
    80 a2 e4 0c 81 88 ff ff 00 00 00 00 00 00 00 00 ................
    backtrace:
    [] kmalloc include/linux/slab.h:581 [inline]
    [] kzalloc include/linux/slab.h:714 [inline]
    [] keyctl_watch_key+0xec/0x2e0 security/keys/keyctl.c:1800
    [] __do_sys_keyctl+0x3c4/0x490 security/keys/keyctl.c:2016
    [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [] entry_SYSCALL_64_after_hwframe+0x44/0xae

Severity CVSS v4.0: Pending analysis
Last modification: 22/09/2025

CVE-2022-49257

Publication date: 26/02/2025

In the Linux kernel, the following vulnerability has been resolved:

watch_queue: Fix NULL dereference in error cleanup

In watch_queue_set_size(), the error cleanup code doesn't take account of the fact that __free_page() can't handle a NULL pointer when trying to free up buffer pages that did get allocated.

Fix this by only calling __free_page() on the pages actually allocated.

Without the fix, this can lead to something like the following:

    BUG: KASAN: null-ptr-deref in __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473
    Read of size 4 at addr 0000000000000034 by task syz-executor168/3599
    ...
    Call Trace:
    __dump_stack lib/dump_stack.c:88 [inline]
    dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
    __kasan_report mm/kasan/report.c:446 [inline]
    kasan_report.cold+0x66/0xdf mm/kasan/report.c:459
    check_region_inline mm/kasan/generic.c:183 [inline]
    kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
    instrument_atomic_read include/linux/instrumented.h:71 [inline]
    atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
    page_ref_count include/linux/page_ref.h:67 [inline]
    put_page_testzero include/linux/mm.h:717 [inline]
    __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473
    watch_queue_set_size+0x499/0x630 kernel/watch_queue.c:275
    pipe_ioctl+0xac/0x2b0 fs/pipe.c:632
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:874 [inline]
    __se_sys_ioctl fs/ioctl.c:860 [inline]
    __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x44/0xae

Severity CVSS v4.0: Pending analysis
Last modification: 22/09/2025

CVE-2022-49258

Publication date: 26/02/2025

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccree - Fix use after free in cc_cipher_exit()

kfree_sensitive(ctx_p->user.key) will free the ctx_p->user.key. But ctx_p->user.key is still used in the next line, which will lead to a use after free.

We can call kfree_sensitive() after dev_dbg() to avoid the uaf.

Severity CVSS v4.0: Pending analysis
Last modification: 25/03/2025

CVE-2022-49259

Publication date: 26/02/2025

In the Linux kernel, the following vulnerability has been resolved:

block: don't delete queue kobject before its children

kobjects aren't supposed to be deleted before their child kobjects are deleted. Apparently this is usually benign; however, a WARN will be triggered if one of the child kobjects has a named attribute group:

    sysfs group 'modes' not found for kobject 'crypto'
    WARNING: CPU: 0 PID: 1 at fs/sysfs/group.c:278 sysfs_remove_group+0x72/0x80
    ...
    Call Trace:
    sysfs_remove_groups+0x29/0x40 fs/sysfs/group.c:312
    __kobject_del+0x20/0x80 lib/kobject.c:611
    kobject_cleanup+0xa4/0x140 lib/kobject.c:696
    kobject_release lib/kobject.c:736 [inline]
    kref_put include/linux/kref.h:65 [inline]
    kobject_put+0x53/0x70 lib/kobject.c:753
    blk_crypto_sysfs_unregister+0x10/0x20 block/blk-crypto-sysfs.c:159
    blk_unregister_queue+0xb0/0x110 block/blk-sysfs.c:962
    del_gendisk+0x117/0x250 block/genhd.c:610

Fix this by moving the kobject_del() and the corresponding kobject_uevent() to the correct place.

Severity CVSS v4.0: Pending analysis
Last modification: 21/10/2025

CVE-2022-49260

Publication date: 26/02/2025

In the Linux kernel, the following vulnerability has been resolved:

crypto: hisilicon/sec - fix the aead software fallback for engine

Due to the subreq pointer misusing the private context memory, the aead soft crypto occasionally causes an OS panic when the 64K page is set. Here is the fix.

Severity CVSS v4.0: Pending analysis
Last modification: 21/10/2025

CVE-2022-49241

Publication date: 26/02/2025

In the Linux kernel, the following vulnerability has been resolved:

ASoC: atmel: Fix error handling in sam9x5_wm8731_driver_probe

The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done.

This function only calls of_node_put() in the regular path. And it will cause refcount leak in error path.

Severity CVSS v4.0: Pending analysis
Last modification: 01/10/2025

CVE-2022-49242

Publication date: 26/02/2025

In the Linux kernel, the following vulnerability has been resolved:

ASoC: mxs: Fix error handling in mxs_sgtl5000_probe

This function only calls of_node_put() in the regular path. And it will cause refcount leak in error paths. For example, when codec_np is NULL, saif_np[0] and saif_np[1] are not NULL, it will cause leaks.

of_node_put() will check if the node pointer is NULL, so we can call it directly to release the refcount of regular pointers.

Severity CVSS v4.0: Pending analysis
Last modification: 01/10/2025

CVE-2022-49243

Publication date: 26/02/2025

In the Linux kernel, the following vulnerability has been resolved:

ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe

This node pointer is returned by of_parse_phandle() with refcount incremented in this function. Calling of_node_put() to avoid the refcount leak.

Severity CVSS v4.0: Pending analysis
Last modification: 21/10/2025