Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf/core: Fix data race between perf_event_set_output() and perf_mmap_close()<br /> <br /> Yang Jihing reported a race between perf_event_set_output() and<br /> perf_mmap_close():<br /> <br /> CPU1 CPU2<br /> <br /> perf_mmap_close(e2)<br /> if (atomic_dec_and_test(&amp;e2-&gt;rb-&gt;mmap_count)) // 1 - &gt; 0<br /> detach_rest = true<br /> <br /> ioctl(e1, IOC_SET_OUTPUT, e2)<br /> perf_event_set_output(e1, e2)<br /> <br /> ...<br /> list_for_each_entry_rcu(e, &amp;e2-&gt;rb-&gt;event_list, rb_entry)<br /> ring_buffer_attach(e, NULL);<br /> // e1 isn&amp;#39;t yet added and<br /> // therefore not detached<br /> <br /> ring_buffer_attach(e1, e2-&gt;rb)<br /> list_add_rcu(&amp;e1-&gt;rb_entry,<br /> &amp;e2-&gt;rb-&gt;event_list)<br /> <br /> After this; e1 is attached to an unmapped rb and a subsequent<br /> perf_mmap() will loop forever more:<br /> <br /> again:<br /> mutex_lock(&amp;e-&gt;mmap_mutex);<br /> if (event-&gt;rb) {<br /> ...<br /> if (!atomic_inc_not_zero(&amp;e-&gt;rb-&gt;mmap_count)) {<br /> ...<br /> mutex_unlock(&amp;e-&gt;mmap_mutex);<br /> goto again;<br /> }<br /> }<br /> <br /> The loop in perf_mmap_close() holds e2-&gt;mmap_mutex, while the attach<br /> in perf_event_set_output() holds e1-&gt;mmap_mutex. As such there is no<br /> serialization to avoid this race.<br /> <br /> Change perf_event_set_output() to take both e1-&gt;mmap_mutex and<br /> e2-&gt;mmap_mutex to alleviate that problem. Additionally, have the loop<br /> in perf_mmap() detach the rb directly, this avoids having to wait for<br /> the concurrent perf_mmap_close() to get around to doing it to make<br /> progress.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pinctrl: ralink: Check for null return of devm_kcalloc<br /> <br /> Because of the possible failure of the allocation, data-&gt;domains might<br /> be NULL pointer and will cause the dereference of the NULL pointer<br /> later.<br /> Therefore, it might be better to check it and directly return -ENOMEM<br /> without releasing data manually if fails, because the comment of the<br /> devm_kmalloc() says "Memory allocated with this function is<br /> automatically freed on driver detach.".

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe<br /> <br /> of_find_matching_node_and_match() returns a node pointer with refcount<br /> incremented, we should use of_node_put() on it when not need anymore.<br /> Add missing of_node_put() to avoid refcount leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: VMX: Prevent RSB underflow before vmenter<br /> <br /> On VMX, there are some balanced returns between the time the guest&amp;#39;s<br /> SPEC_CTRL value is written, and the vmenter.<br /> <br /> Balanced returns (matched by a preceding call) are usually ok, but it&amp;#39;s<br /> at least theoretically possible an NMI with a deep call stack could<br /> empty the RSB before one of the returns.<br /> <br /> For maximum paranoia, don&amp;#39;t allow *any* returns (balanced or otherwise)<br /> between the SPEC_CTRL write and the vmenter.<br /> <br /> [ bp: Fix 32-bit build. ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/speculation: Fill RSB on vmexit for IBRS<br /> <br /> Prevent RSB underflow/poisoning attacks with RSB. While at it, add a<br /> bunch of comments to attempt to document the current state of tribal<br /> knowledge about RSB attacks and what exactly is being mitigated.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> power: supply: core: Fix boundary conditions in interpolation<br /> <br /> The functions power_supply_temp2resist_simple and power_supply_ocv2cap_simple<br /> handle boundary conditions incorrectly.<br /> The change was introduced in a4585ba2050f460f749bbaf2b67bd56c41e30283<br /> ("power: supply: core: Use library interpolation").<br /> There are two issues: First, the lines "high = i - 1" and "high = i" in ocv2cap<br /> have the wrong order compared to temp2resist. As a consequence, ocv2cap<br /> sets high=-1 if ocv&gt;table[0].ocv, which causes an out-of-bounds read.<br /> Second, the logic of temp2resist is also not correct.<br /> Consider the case table[] = {{20, 100}, {10, 80}, {0, 60}}.<br /> For temp=5, we expect a resistance of 70% by interpolation.<br /> However, temp2resist sets high=low=2 and returns 60.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> serial: 8250: Fix PM usage_count for console handover<br /> <br /> When console is enabled, univ8250_console_setup() calls<br /> serial8250_console_setup() before .dev is set to uart_port. Therefore,<br /> it will not call pm_runtime_get_sync(). Later, when the actual driver<br /> is going to take over univ8250_console_exit() is called. As .dev is<br /> already set, serial8250_console_exit() makes pm_runtime_put_sync() call<br /> with usage count being zero triggering PM usage count warning<br /> (extra debug for univ8250_console_setup(), univ8250_console_exit(), and<br /> serial8250_register_ports()):<br /> <br /> [ 0.068987] univ8250_console_setup ttyS0 nodev<br /> [ 0.499670] printk: console [ttyS0] enabled<br /> [ 0.717955] printk: console [ttyS0] printing thread started<br /> [ 1.960163] serial8250_register_ports assigned dev for ttyS0<br /> [ 1.976830] printk: console [ttyS0] disabled<br /> [ 1.976888] printk: console [ttyS0] printing thread stopped<br /> [ 1.977073] univ8250_console_exit ttyS0 usage:0<br /> [ 1.977075] serial8250 serial8250: Runtime PM usage count underflow!<br /> [ 1.977429] dw-apb-uart.6: ttyS0 at MMIO 0x4010006000 (irq = 33, base_baud = 115200) is a 16550A<br /> [ 1.977812] univ8250_console_setup ttyS0 usage:2<br /> [ 1.978167] printk: console [ttyS0] printing thread started<br /> [ 1.978203] printk: console [ttyS0] enabled<br /> <br /> To fix the issue, call pm_runtime_get_sync() in<br /> serial8250_register_ports() as soon as .dev is set for an uart_port<br /> if it has console enabled.<br /> <br /> This problem became apparent only recently because 82586a721595 ("PM:<br /> runtime: Avoid device usage count underflows") added the warning<br /> printout. I confirmed this problem also occurs with v5.18 (w/o the<br /> warning printout, obviously).

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: rt711-sdca: fix kernel NULL pointer dereference when IO error<br /> <br /> The initial settings will be written before the codec probe function.<br /> But, the rt711-&gt;component doesn&amp;#39;t be assigned yet.<br /> If IO error happened during initial settings operations, it will cause the kernel panic.<br /> This patch changed component-&gt;dev to slave-&gt;dev to fix this issue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp: Fix a data-race around sysctl_tcp_probe_threshold.<br /> <br /> While reading sysctl_tcp_probe_threshold, it can be changed concurrently.<br /> Thus, we need to add READ_ONCE() to its reader.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp: Fix data-races around sysctl_tcp_min_snd_mss.<br /> <br /> While reading sysctl_tcp_min_snd_mss, it can be changed concurrently.<br /> Thus, we need to add READ_ONCE() to its readers.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp: Fix data-races around sysctl_tcp_base_mss.<br /> <br /> While reading sysctl_tcp_base_mss, it can be changed concurrently.<br /> Thus, we need to add READ_ONCE() to its readers.