Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/rxe: Fix BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup<br /> <br /> The function rxe_create_qp calls rxe_qp_from_init. If some error<br /> occurs, the error handler of function rxe_qp_from_init will set<br /> both scq and rcq to NULL.<br /> <br /> Then rxe_create_qp calls rxe_put to handle qp. In the end,<br /> rxe_qp_do_cleanup is called by rxe_put. rxe_qp_do_cleanup directly<br /> accesses scq and rcq before checking them. This will cause<br /> null-ptr-deref error.<br /> <br /> The call graph is as below:<br /> <br /> rxe_create_qp {<br /> ...<br /> rxe_qp_from_init {<br /> ...<br /> err1:<br /> ...<br /> qp-&gt;rcq = NULL; scq = NULL; scq-&gt;num_wq); rcq-&gt;num_wq);

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/hfi1: fix potential memory leak in setup_base_ctxt()<br /> <br /> setup_base_ctxt() allocates a memory chunk for uctxt-&gt;groups with<br /> hfi1_alloc_ctxt_rcv_groups(). When init_user_ctxt() fails, uctxt-&gt;groups<br /> is not released, which will lead to a memory leak.<br /> <br /> We should release the uctxt-&gt;groups with hfi1_free_ctxt_rcv_groups()<br /> when init_user_ctxt() fails.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: xhci_plat_remove: avoid NULL dereference<br /> <br /> Since commit 4736ebd7fcaff1eb8481c140ba494962847d6e0a ("usb: host:<br /> xhci-plat: omit shared hcd if either root hub has no ports")<br /> xhci-&gt;shared_hcd can be NULL, which causes the following Oops<br /> on reboot:<br /> <br /> [ 710.124450] systemd-shutdown[1]: Rebooting.<br /> [ 710.298861] xhci-hcd xhci-hcd.2.auto: remove, state 4<br /> [ 710.304217] usb usb3: USB disconnect, device number 1<br /> [ 710.317441] xhci-hcd xhci-hcd.2.auto: USB bus 3 deregistered<br /> [ 710.323280] xhci-hcd xhci-hcd.2.auto: remove, state 1<br /> [ 710.328401] usb usb2: USB disconnect, device number 1<br /> [ 710.333515] usb 2-3: USB disconnect, device number 2<br /> [ 710.467649] xhci-hcd xhci-hcd.2.auto: USB bus 2 deregistered<br /> [ 710.475450] Unable to handle kernel NULL pointer dereference at virtual address 00000000000003b8<br /> [ 710.484425] Mem abort info:<br /> [ 710.487265] ESR = 0x0000000096000004<br /> [ 710.491060] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 710.496427] SET = 0, FnV = 0<br /> [ 710.499525] EA = 0, S1PTW = 0<br /> [ 710.502716] FSC = 0x04: level 0 translation fault<br /> [ 710.507648] Data abort info:<br /> [ 710.510577] ISV = 0, ISS = 0x00000004<br /> [ 710.514462] CM = 0, WnR = 0<br /> [ 710.517480] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008b0050000<br /> [ 710.523976] [00000000000003b8] pgd=0000000000000000, p4d=0000000000000000<br /> [ 710.530961] Internal error: Oops: 96000004 [#1] PREEMPT SMP<br /> [ 710.536551] Modules linked in: rfkill input_leds snd_soc_simple_card snd_soc_simple_card_utils snd_soc_nau8822 designware_i2s snd_soc_core dw_hdmi_ahb_audio snd_pcm_dmaengine arm_ccn panfrost ac97_bus gpu_sched snd_pcm at24 fuse configfs sdhci_of_dwcmshc sdhci_pltfm sdhci nvme led_class mmc_core nvme_core bt1_pvt polynomial tp_serio snd_seq_midi snd_seq_midi_event snd_seq snd_timer snd_rawmidi snd_seq_device snd soundcore efivarfs ipv6<br /> [ 710.575286] CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted 5.19.0-rc7-00043-gfd8619f4fd54 #1<br /> [ 710.583822] Hardware name: T-Platforms TF307-MB/BM1BM1-A, BIOS 5.6 07/06/2022<br /> [ 710.590972] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 710.597949] pc : usb_remove_hcd+0x34/0x1e4<br /> [ 710.602067] lr : xhci_plat_remove+0x74/0x140<br /> [ 710.606351] sp : ffff800009f3b7c0<br /> [ 710.609674] x29: ffff800009f3b7c0 x28: ffff000800960040 x27: 0000000000000000<br /> [ 710.616833] x26: ffff800008dc22a0 x25: 0000000000000000 x24: 0000000000000000<br /> [ 710.623992] x23: 0000000000000000 x22: ffff000805465810 x21: ffff000805465800<br /> [ 710.631149] x20: ffff000800f80000 x19: 0000000000000000 x18: ffffffffffffffff<br /> [ 710.638307] x17: ffff000805096000 x16: ffff00080633b800 x15: ffff000806537a1c<br /> [ 710.645465] x14: 0000000000000001 x13: 0000000000000000 x12: ffff00080378d6f0<br /> [ 710.652621] x11: ffff00080041a900 x10: ffff800009b204e8 x9 : ffff8000088abaa4<br /> [ 710.659779] x8 : ffff000800960040 x7 : ffff800009409000 x6 : 0000000000000001<br /> [ 710.666936] x5 : ffff800009241000 x4 : ffff800009241440 x3 : 0000000000000000<br /> [ 710.674094] x2 : ffff000800960040 x1 : ffff000800960040 x0 : 0000000000000000<br /> [ 710.681251] Call trace:<br /> [ 710.683704] usb_remove_hcd+0x34/0x1e4<br /> [ 710.687467] xhci_plat_remove+0x74/0x140<br /> [ 710.691400] platform_remove+0x34/0x70<br /> [ 710.695165] device_remove+0x54/0x90<br /> [ 710.698753] device_release_driver_internal+0x200/0x270<br /> [ 710.703992] device_release_driver+0x24/0x30<br /> [ 710.708273] bus_remove_device+0xe0/0x16c<br /> [ 710.712293] device_del+0x178/0x390<br /> [ 710.715797] platform_device_del.part.0+0x24/0x90<br /> [ 710.720514] platform_device_unregister+0x30/0x50<br /> [ 710.725232] dwc3_host_exit+0x20/0x30<br /> [ 710.728907] dwc3_remove+0x174/0x1b0<br /> [ 710.732494] platform_remove+0x34/0x70<br /> [ 710.736254] device_remove+0x54/0x90<br /> [ 710.739840] device_release_driver_internal+0x200/0x270<br /> [ 710.745078] device_release_driver+0x24/0x30<br /> [ 710.749359] bus_remove_device+0xe0/0x16c<br /> [ 710.753380] device_del+0x178/0x390<br /> [ 710.756881] platform_device_del.part<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: cdns3: change place of &amp;#39;priv_ep&amp;#39; assignment in cdns3_gadget_ep_dequeue(), cdns3_gadget_ep_enable()<br /> <br /> If &amp;#39;ep&amp;#39; is NULL, result of ep_to_cdns3_ep(ep) is invalid pointer<br /> and its dereference with priv_ep-&gt;cdns3_dev may cause panic.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: mcp2221: prevent a buffer overflow in mcp_smbus_write()<br /> <br /> Smatch Warning:<br /> drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy()<br /> &amp;#39;&amp;mcp-&gt;txbuf[5]&amp;#39; too small (59 vs 255)<br /> drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy() &amp;#39;buf&amp;#39;<br /> too small (34 vs 255)<br /> <br /> The &amp;#39;len&amp;#39; variable can take a value between 0-255 as it can come from<br /> data-&gt;block[0] and it is user data. So add an bound check to prevent a<br /> buffer overflow in memcpy().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: fbtft: core: set smem_len before fb_deferred_io_init call<br /> <br /> The fbtft_framebuffer_alloc() calls fb_deferred_io_init() before<br /> initializing info-&gt;fix.smem_len. It is set to zero by the<br /> framebuffer_alloc() function. It will trigger a WARN_ON() at the<br /> start of fb_deferred_io_init() and the function will not do anything.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/srpt: Fix a use-after-free<br /> <br /> Change the LIO port members inside struct srpt_port from regular members<br /> into pointers. Allocate the LIO port data structures from inside<br /> srpt_make_tport() and free these from inside srpt_make_tport(). Keep<br /> struct srpt_device as long as either an RDMA port or a LIO target port is<br /> associated with it. This patch decouples the lifetime of struct srpt_port<br /> (controlled by the RDMA core) and struct srpt_port_id (controlled by LIO).<br /> This patch fixes the following KASAN complaint:<br /> <br /> BUG: KASAN: use-after-free in srpt_enable_tpg+0x31/0x70 [ib_srpt]<br /> Read of size 8 at addr ffff888141cc34b8 by task check/5093<br /> <br /> Call Trace:<br /> <br /> show_stack+0x4e/0x53<br /> dump_stack_lvl+0x51/0x66<br /> print_address_description.constprop.0.cold+0xea/0x41e<br /> print_report.cold+0x90/0x205<br /> kasan_report+0xb9/0xf0<br /> __asan_load8+0x69/0x90<br /> srpt_enable_tpg+0x31/0x70 [ib_srpt]<br /> target_fabric_tpg_base_enable_store+0xe2/0x140 [target_core_mod]<br /> configfs_write_iter+0x18b/0x210<br /> new_sync_write+0x1f2/0x2f0<br /> vfs_write+0x3e3/0x540<br /> ksys_write+0xbb/0x140<br /> __x64_sys_write+0x42/0x50<br /> do_syscall_64+0x34/0x80<br /> entry_SYSCALL_64_after_hwframe+0x46/0xb0<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/rxe: Fix error unwind in rxe_create_qp()<br /> <br /> In the function rxe_create_qp(), rxe_qp_from_init() is called to<br /> initialize qp, internally things like the spin locks are not setup until<br /> rxe_qp_init_req().<br /> <br /> If an error occures before this point then the unwind will call<br /> rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task()<br /> which will oops when trying to access the uninitialized spinlock.<br /> <br /> Move the spinlock initializations earlier before any failures.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> jbd2: fix assertion &amp;#39;jh-&gt;b_frozen_data == NULL&amp;#39; failure when journal aborted<br /> <br /> Following process will fail assertion &amp;#39;jh-&gt;b_frozen_data == NULL&amp;#39; in<br /> jbd2_journal_dirty_metadata():<br /> <br /> jbd2_journal_commit_transaction<br /> unlink(dir/a)<br /> jh-&gt;b_transaction = trans1<br /> jh-&gt;b_jlist = BJ_Metadata<br /> journal-&gt;j_running_transaction = NULL<br /> trans1-&gt;t_state = T_COMMIT<br /> unlink(dir/b)<br /> handle-&gt;h_trans = trans2<br /> do_get_write_access<br /> jh-&gt;b_modified = 0<br /> jh-&gt;b_frozen_data = frozen_buffer<br /> jh-&gt;b_next_transaction = trans2<br /> jbd2_journal_dirty_metadata<br /> is_handle_aborted<br /> is_journal_aborted // return false<br /> <br /> --&gt; jbd2 abort t_buffers)<br /> if (is_journal_aborted)<br /> jbd2_journal_refile_buffer<br /> __jbd2_journal_refile_buffer<br /> WRITE_ONCE(jh-&gt;b_transaction,<br /> jh-&gt;b_next_transaction)<br /> WRITE_ONCE(jh-&gt;b_next_transaction, NULL)<br /> __jbd2_journal_file_buffer(jh, BJ_Reserved)<br /> J_ASSERT_JH(jh, jh-&gt;b_frozen_data == NULL) // assertion failure !<br /> <br /> The reproducer (See detail in [Link]) reports:<br /> ------------[ cut here ]------------<br /> kernel BUG at fs/jbd2/transaction.c:1629!<br /> invalid opcode: 0000 [#1] PREEMPT SMP<br /> CPU: 2 PID: 584 Comm: unlink Tainted: G W<br /> 5.19.0-rc6-00115-g4a57a8400075-dirty #697<br /> RIP: 0010:jbd2_journal_dirty_metadata+0x3c5/0x470<br /> RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202<br /> Call Trace:<br /> <br /> __ext4_handle_dirty_metadata+0xa0/0x290<br /> ext4_handle_dirty_dirblock+0x10c/0x1d0<br /> ext4_delete_entry+0x104/0x200<br /> __ext4_unlink+0x22b/0x360<br /> ext4_unlink+0x275/0x390<br /> vfs_unlink+0x20b/0x4c0<br /> do_unlinkat+0x42f/0x4c0<br /> __x64_sys_unlink+0x37/0x50<br /> do_syscall_64+0x35/0x80<br /> <br /> After journal aborting, __jbd2_journal_refile_buffer() is executed with<br /> holding @jh-&gt;b_state_lock, we can fix it by moving &amp;#39;is_handle_aborted()&amp;#39;<br /> into the area protected by @jh-&gt;b_state_lock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: cros_ec_codec: Fix refcount leak in cros_ec_codec_platform_probe<br /> <br /> of_parse_phandle() returns a node pointer with refcount<br /> incremented, we should use of_node_put() on it when not need anymore.<br /> Add missing of_node_put() to avoid refcount leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: mt6797-mt6351: Fix refcount leak in mt6797_mt6351_dev_probe<br /> <br /> of_parse_phandle() returns a node pointer with refcount<br /> incremented, we should use of_node_put() on it when not need anymore.<br /> Add missing of_node_put() to avoid refcount leak.