Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: spi-fsl-qspi: check return value after calling platform_get_resource_byname()<br /> <br /> It will cause null-ptr-deref if platform_get_resource_byname() returns NULL,<br /> we need check the return value.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mt76: mt7921: fix kernel crash at mt7921_pci_remove<br /> <br /> The crash log shown it is possible that mt7921_irq_handler is called while<br /> devm_free_irq is being handled so mt76_free_device need to be postponed<br /> until devm_free_irq is completed to solve the crash we free the mt76 device<br /> too early.<br /> <br /> [ 9299.339655] BUG: kernel NULL pointer dereference, address: 0000000000000008<br /> [ 9299.339705] #PF: supervisor read access in kernel mode<br /> [ 9299.339735] #PF: error_code(0x0000) - not-present page<br /> [ 9299.339768] PGD 0 P4D 0<br /> [ 9299.339786] Oops: 0000 [#1] SMP PTI<br /> [ 9299.339812] CPU: 1 PID: 1624 Comm: prepare-suspend Not tainted 5.15.14-1.fc32.qubes.x86_64 #1<br /> [ 9299.339863] Hardware name: Xen HVM domU, BIOS 4.14.3 01/20/2022<br /> [ 9299.339901] RIP: 0010:mt7921_irq_handler+0x1e/0x70 [mt7921e]<br /> [ 9299.340048] RSP: 0018:ffffa81b80c27cb0 EFLAGS: 00010082<br /> [ 9299.340081] RAX: 0000000000000000 RBX: ffff98a4cb752020 RCX: ffffffffa96211c5<br /> [ 9299.340123] RDX: 0000000000000000 RSI: 00000000000d4204 RDI: ffff98a4cb752020<br /> [ 9299.340165] RBP: ffff98a4c28a62a4 R08: ffff98a4c37a96c0 R09: 0000000080150011<br /> [ 9299.340207] R10: 0000000040000000 R11: 0000000000000000 R12: ffff98a4c4eaa080<br /> [ 9299.340249] R13: ffff98a4c28a6360 R14: ffff98a4cb752020 R15: ffff98a4c28a6228<br /> [ 9299.340297] FS: 00007260840d3740(0000) GS:ffff98a4ef700000(0000) knlGS:0000000000000000<br /> [ 9299.340345] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 9299.340383] CR2: 0000000000000008 CR3: 0000000004c56001 CR4: 0000000000770ee0<br /> [ 9299.340432] PKRU: 55555554<br /> [ 9299.340449] Call Trace:<br /> [ 9299.340467] <br /> [ 9299.340485] __free_irq+0x221/0x350<br /> [ 9299.340527] free_irq+0x30/0x70<br /> [ 9299.340553] devm_free_irq+0x55/0x80<br /> [ 9299.340579] mt7921_pci_remove+0x2f/0x40 [mt7921e]<br /> [ 9299.340616] pci_device_remove+0x3b/0xa0<br /> [ 9299.340651] __device_release_driver+0x17a/0x240<br /> [ 9299.340686] device_driver_detach+0x3c/0xa0<br /> [ 9299.340714] unbind_store+0x113/0x130<br /> [ 9299.340740] kernfs_fop_write_iter+0x124/0x1b0<br /> [ 9299.340775] new_sync_write+0x15c/0x1f0<br /> [ 9299.340806] vfs_write+0x1d2/0x270<br /> [ 9299.340831] ksys_write+0x67/0xe0<br /> [ 9299.340857] do_syscall_64+0x3b/0x90<br /> [ 9299.340887] entry_SYSCALL_64_after_hwframe+0x44/0xae

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: samsung: Fix refcount leak in aries_audio_probe<br /> <br /> of_parse_phandle() returns a node pointer with refcount<br /> incremented, we should use of_node_put() on it when done.<br /> If extcon_find_edev_by_node() fails, it doesn&amp;#39;t call of_node_put()<br /> Calling of_node_put() after extcon_find_edev_by_node() to fix this.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ARM: versatile: Add missing of_node_put in dcscb_init<br /> <br /> The device_node pointer is returned by of_find_compatible_node<br /> with refcount incremented. We should use of_node_put() to avoid<br /> the refcount leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/msm: don&amp;#39;t free the IRQ if it was not requested<br /> <br /> As msm_drm_uninit() is called from the msm_drm_init() error path,<br /> additional care should be necessary as not to call the free_irq() for<br /> the IRQ that was not requested before (because an error occured earlier<br /> than the request_irq() call).<br /> <br /> This fixed the issue reported with the following backtrace:<br /> <br /> [ 8.571329] Trying to free already-free IRQ 187<br /> [ 8.571339] WARNING: CPU: 0 PID: 76 at kernel/irq/manage.c:1895 free_irq+0x1e0/0x35c<br /> [ 8.588746] Modules linked in: pmic_glink pdr_interface fastrpc qrtr_smd snd_soc_hdmi_codec msm fsa4480 gpu_sched drm_dp_aux_bus qrtr i2c_qcom_geni crct10dif_ce qcom_stats qcom_q6v5_pas drm_display_helper gpi qcom_pil_info drm_kms_helper qcom_q6v5 qcom_sysmon qcom_common qcom_glink_smem qcom_rng mdt_loader qmi_helpers phy_qcom_qmp ufs_qcom typec qnoc_sm8350 socinfo rmtfs_mem fuse drm ipv6<br /> [ 8.624154] CPU: 0 PID: 76 Comm: kworker/u16:2 Not tainted 5.18.0-rc5-next-20220506-00033-g6cee8cab6089-dirty #419<br /> [ 8.624161] Hardware name: Qualcomm Technologies, Inc. SM8350 HDK (DT)<br /> [ 8.641496] Workqueue: events_unbound deferred_probe_work_func<br /> [ 8.647510] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 8.654681] pc : free_irq+0x1e0/0x35c<br /> [ 8.658454] lr : free_irq+0x1e0/0x35c<br /> [ 8.662228] sp : ffff800008ab3950<br /> [ 8.665642] x29: ffff800008ab3950 x28: 0000000000000000 x27: ffff16350f56a700<br /> [ 8.672994] x26: ffff1635025df080 x25: ffff16350251badc x24: ffff16350251bb90<br /> [ 8.680343] x23: 0000000000000000 x22: 00000000000000bb x21: ffff16350e8f9800<br /> [ 8.687690] x20: ffff16350251ba00 x19: ffff16350cbd5880 x18: ffffffffffffffff<br /> [ 8.695039] x17: 0000000000000000 x16: ffffa2dd12179434 x15: ffffa2dd1431d02d<br /> [ 8.702391] x14: 0000000000000000 x13: ffffa2dd1431d028 x12: 662d79646165726c<br /> [ 8.709740] x11: ffffa2dd13fd2438 x10: 000000000000000a x9 : 00000000000000bb<br /> [ 8.717111] x8 : ffffa2dd13fd23f0 x7 : ffff800008ab3750 x6 : 00000000fffff202<br /> [ 8.724487] x5 : ffff16377e870a18 x4 : 00000000fffff202 x3 : ffff735a6ae1b000<br /> [ 8.731851] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff1635015f8000<br /> [ 8.739217] Call trace:<br /> [ 8.741755] free_irq+0x1e0/0x35c<br /> [ 8.745198] msm_drm_uninit.isra.0+0x14c/0x294 [msm]<br /> [ 8.750548] msm_drm_bind+0x28c/0x5d0 [msm]<br /> [ 8.755081] try_to_bring_up_aggregate_device+0x164/0x1d0<br /> [ 8.760657] __component_add+0xa0/0x170<br /> [ 8.764626] component_add+0x14/0x20<br /> [ 8.768337] dp_display_probe+0x2a4/0x464 [msm]<br /> [ 8.773242] platform_probe+0x68/0xe0<br /> [ 8.777043] really_probe.part.0+0x9c/0x28c<br /> [ 8.781368] __driver_probe_device+0x98/0x144<br /> [ 8.785871] driver_probe_device+0x40/0x140<br /> [ 8.790191] __device_attach_driver+0xb4/0x120<br /> [ 8.794788] bus_for_each_drv+0x78/0xd0<br /> [ 8.798751] __device_attach+0xdc/0x184<br /> [ 8.802713] device_initial_probe+0x14/0x20<br /> [ 8.807031] bus_probe_device+0x9c/0xa4<br /> [ 8.810991] deferred_probe_work_func+0x88/0xc0<br /> [ 8.815667] process_one_work+0x1d0/0x320<br /> [ 8.819809] worker_thread+0x14c/0x444<br /> [ 8.823688] kthread+0x10c/0x110<br /> [ 8.827036] ret_from_fork+0x10/0x20<br /> <br /> Patchwork: https://patchwork.freedesktop.org/patch/485422/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal/drivers/broadcom: Fix potential NULL dereference in sr_thermal_probe<br /> <br /> platform_get_resource() may return NULL, add proper check to<br /> avoid potential NULL dereferencing.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PM / devfreq: rk3399_dmc: Disable edev on remove()<br /> <br /> Otherwise we hit an unablanced enable-count when unbinding the DFI<br /> device:<br /> <br /> [ 1279.659119] ------------[ cut here ]------------<br /> [ 1279.659179] WARNING: CPU: 2 PID: 5638 at drivers/devfreq/devfreq-event.c:360 devfreq_event_remove_edev+0x84/0x8c<br /> ...<br /> [ 1279.659352] Hardware name: Google Kevin (DT)<br /> [ 1279.659363] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO BTYPE=--)<br /> [ 1279.659371] pc : devfreq_event_remove_edev+0x84/0x8c<br /> [ 1279.659380] lr : devm_devfreq_event_release+0x1c/0x28<br /> ...<br /> [ 1279.659571] Call trace:<br /> [ 1279.659582] devfreq_event_remove_edev+0x84/0x8c<br /> [ 1279.659590] devm_devfreq_event_release+0x1c/0x28<br /> [ 1279.659602] release_nodes+0x1cc/0x244<br /> [ 1279.659611] devres_release_all+0x44/0x60<br /> [ 1279.659621] device_release_driver_internal+0x11c/0x1ac<br /> [ 1279.659629] device_driver_detach+0x20/0x2c<br /> [ 1279.659641] unbind_store+0x7c/0xb0<br /> [ 1279.659650] drv_attr_store+0x2c/0x40<br /> [ 1279.659663] sysfs_kf_write+0x44/0x58<br /> [ 1279.659672] kernfs_fop_write_iter+0xf4/0x190<br /> [ 1279.659684] vfs_write+0x2b0/0x2e4<br /> [ 1279.659693] ksys_write+0x80/0xec<br /> [ 1279.659701] __arm64_sys_write+0x24/0x30<br /> [ 1279.659714] el0_svc_common+0xf0/0x1d8<br /> [ 1279.659724] do_el0_svc_compat+0x28/0x3c<br /> [ 1279.659738] el0_svc_compat+0x10/0x1c<br /> [ 1279.659746] el0_sync_compat_handler+0xa8/0xcc<br /> [ 1279.659758] el0_sync_compat+0x188/0x1c0<br /> [ 1279.659768] ---[ end trace cec200e5094155b4 ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> amt: fix memory leak for advertisement message<br /> <br /> When a gateway receives an advertisement message, it extracts relay<br /> information and then it should be freed.<br /> But the advertisement handler doesn&amp;#39;t free it.<br /> So, memory leak would occur.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/msm/a6xx: Fix refcount leak in a6xx_gpu_init<br /> <br /> of_parse_phandle() returns a node pointer with refcount<br /> incremented, we should use of_node_put() on it when not need anymore.<br /> <br /> a6xx_gmu_init() passes the node to of_find_device_by_node()<br /> and of_dma_configure(), of_find_device_by_node() will takes its<br /> reference, of_dma_configure() doesn&amp;#39;t need the node after usage.<br /> <br /> Add missing of_node_put() to avoid refcount leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal/drivers/imx_sc_thermal: Fix refcount leak in imx_sc_thermal_probe<br /> <br /> of_find_node_by_name() returns a node pointer with refcount<br /> incremented, we should use of_node_put() on it when done.<br /> Add missing of_node_put() to avoid refcount leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> erofs: fix buffer copy overflow of ztailpacking feature<br /> <br /> I got some KASAN report as below:<br /> <br /> [ 46.959738] ==================================================================<br /> [ 46.960430] BUG: KASAN: use-after-free in z_erofs_shifted_transform+0x2bd/0x370<br /> [ 46.960430] Read of size 4074 at addr ffff8880300c2f8e by task fssum/188<br /> ...<br /> [ 46.960430] Call Trace:<br /> [ 46.960430] <br /> [ 46.960430] dump_stack_lvl+0x41/0x5e<br /> [ 46.960430] print_report.cold+0xb2/0x6b7<br /> [ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370<br /> [ 46.960430] kasan_report+0x8a/0x140<br /> [ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370<br /> [ 46.960430] kasan_check_range+0x14d/0x1d0<br /> [ 46.960430] memcpy+0x20/0x60<br /> [ 46.960430] z_erofs_shifted_transform+0x2bd/0x370<br /> [ 46.960430] z_erofs_decompress_pcluster+0xaae/0x1080<br /> <br /> The root cause is that the tail pcluster won&amp;#39;t be a complete filesystem<br /> block anymore. So if ztailpacking is used, the second part of an<br /> uncompressed tail pcluster may not be ``rq-&gt;pageofs_out``.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> regulator: scmi: Fix refcount leak in scmi_regulator_probe<br /> <br /> of_find_node_by_name() returns a node pointer with refcount<br /> incremented, we should use of_node_put() on it when done.<br /> Add missing of_node_put() to avoid refcount leak.