Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/drv: Fix potential memory leak in drm_dev_init()<br /> <br /> drm_dev_init() will add drm_dev_init_release() as a callback. When<br /> drmm_add_action() failed, the release function won&amp;#39;t be added. As the<br /> result, the ref cnt added by device_get() in drm_dev_init() won&amp;#39;t be put<br /> by drm_dev_init_release(), which leads to the memleak. Use<br /> drmm_add_action_or_reset() instead of drmm_add_action() to prevent<br /> memleak.<br /> <br /> unreferenced object 0xffff88810bc0c800 (size 2048):<br /> comm "modprobe", pid 8322, jiffies 4305809845 (age 15.292s)<br /> hex dump (first 32 bytes):<br /> e8 cc c0 0b 81 88 ff ff ff ff ff ff 00 00 00 00 ................<br /> 20 24 3c 0c 81 88 ff ff 18 c8 c0 0b 81 88 ff ff $

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/scheduler: fix fence ref counting<br /> <br /> We leaked dependency fences when processes were beeing killed.<br /> <br /> Additional to that grab a reference to the last scheduled fence.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hugetlbfs: don&amp;#39;t delete error page from pagecache<br /> <br /> This change is very similar to the change that was made for shmem [1], and<br /> it solves the same problem but for HugeTLBFS instead.<br /> <br /> Currently, when poison is found in a HugeTLB page, the page is removed<br /> from the page cache. That means that attempting to map or read that<br /> hugepage in the future will result in a new hugepage being allocated<br /> instead of notifying the user that the page was poisoned. As [1] states,<br /> this is effectively memory corruption.<br /> <br /> The fix is to leave the page in the page cache. If the user attempts to<br /> use a poisoned HugeTLB page with a syscall, the syscall will fail with<br /> EIO, the same error code that shmem uses. For attempts to map the page,<br /> the thread will get a BUS_MCEERR_AR SIGBUS.<br /> <br /> [1]: commit a76054266661 ("mm: shmem: don&amp;#39;t truncate page if memory failure happens")

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm: Fix potential null-ptr-deref in drm_vblank_destroy_worker()<br /> <br /> drm_vblank_init() call drmm_add_action_or_reset() with<br /> drm_vblank_init_release() as action. If __drmm_add_action() failed, will<br /> directly call drm_vblank_init_release() with the vblank whose worker is<br /> NULL. As the resule, a null-ptr-deref will happen in<br /> kthread_destroy_worker(). Add the NULL check before calling<br /> drm_vblank_destroy_worker().<br /> <br /> BUG: null-ptr-deref<br /> KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]<br /> CPU: 5 PID: 961 Comm: modprobe Not tainted 6.0.0-11331-gd465bff130bf-dirty<br /> RIP: 0010:kthread_destroy_worker+0x25/0xb0<br /> Call Trace:<br /> <br /> drm_vblank_init_release+0x124/0x220 [drm]<br /> ? drm_crtc_vblank_restore+0x8b0/0x8b0 [drm]<br /> __drmm_add_action_or_reset+0x41/0x50 [drm]<br /> drm_vblank_init+0x282/0x310 [drm]<br /> vkms_init+0x35f/0x1000 [vkms]<br /> ? 0xffffffffc4508000<br /> ? lock_is_held_type+0xd7/0x130<br /> ? __kmem_cache_alloc_node+0x1c2/0x2b0<br /> ? lock_is_held_type+0xd7/0x130<br /> ? 0xffffffffc4508000<br /> do_one_initcall+0xd0/0x4f0<br /> ...<br /> do_syscall_64+0x35/0x80<br /> entry_SYSCALL_64_after_hwframe+0x46/0xb0

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ata: libata-transport: fix double ata_host_put() in ata_tport_add()<br /> <br /> In the error path in ata_tport_add(), when calling put_device(),<br /> ata_tport_release() is called, it will put the refcount of &amp;#39;ap-&gt;host&amp;#39;.<br /> <br /> And then ata_host_put() is called again, the refcount is decreased<br /> to 0, ata_host_release() is called, all ports are freed and set to<br /> null.<br /> <br /> When unbinding the device after failure, ata_host_stop() is called<br /> to release the resources, it leads a null-ptr-deref(), because all<br /> the ports all freed and null.<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008<br /> CPU: 7 PID: 18671 Comm: modprobe Kdump: loaded Tainted: G E 6.1.0-rc3+ #8<br /> pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : ata_host_stop+0x3c/0x84 [libata]<br /> lr : release_nodes+0x64/0xd0<br /> Call trace:<br /> ata_host_stop+0x3c/0x84 [libata]<br /> release_nodes+0x64/0xd0<br /> devres_release_all+0xbc/0x1b0<br /> device_unbind_cleanup+0x20/0x70<br /> really_probe+0x158/0x320<br /> __driver_probe_device+0x84/0x120<br /> driver_probe_device+0x44/0x120<br /> __driver_attach+0xb4/0x220<br /> bus_for_each_dev+0x78/0xdc<br /> driver_attach+0x2c/0x40<br /> bus_add_driver+0x184/0x240<br /> driver_register+0x80/0x13c<br /> __pci_register_driver+0x4c/0x60<br /> ahci_pci_driver_init+0x30/0x1000 [ahci]<br /> <br /> Fix this by removing redundant ata_host_put() in the error path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nilfs2: fix use-after-free bug of ns_writer on remount<br /> <br /> If a nilfs2 filesystem is downgraded to read-only due to metadata<br /> corruption on disk and is remounted read/write, or if emergency read-only<br /> remount is performed, detaching a log writer and synchronizing the<br /> filesystem can be done at the same time.<br /> <br /> In these cases, use-after-free of the log writer (hereinafter<br /> nilfs-&gt;ns_writer) can happen as shown in the scenario below:<br /> <br /> Task1 Task2<br /> -------------------------------- ------------------------------<br /> nilfs_construct_segment<br /> nilfs_segctor_sync<br /> init_wait<br /> init_waitqueue_entry<br /> add_wait_queue<br /> schedule<br /> nilfs_remount (R/W remount case)<br /> nilfs_attach_log_writer<br /> nilfs_detach_log_writer<br /> nilfs_segctor_destroy<br /> kfree<br /> finish_wait<br /> _raw_spin_lock_irqsave<br /> __raw_spin_lock_irqsave<br /> do_raw_spin_lock<br /> debug_spin_lock_before ns_writer is freed by Task2. After Task1<br /> waked up, Task1 accesses nilfs-&gt;ns_writer which is already freed. This<br /> scenario diagram is based on the Shigeru Yoshida&amp;#39;s post [1].<br /> <br /> This patch fixes the issue by not detaching nilfs-&gt;ns_writer on remount so<br /> that this UAF race doesn&amp;#39;t happen. Along with this change, this patch<br /> also inserts a few necessary read-only checks with superblock instance<br /> where only the ns_writer pointer was used to check if the filesystem is<br /> read-only.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: hda: fix potential memleak in &amp;#39;add_widget_node&amp;#39;<br /> <br /> As &amp;#39;kobject_add&amp;#39; may allocated memory for &amp;#39;kobject-&gt;name&amp;#39; when return error.<br /> And in this function, if call &amp;#39;kobject_add&amp;#39; failed didn&amp;#39;t free kobject.<br /> So call &amp;#39;kobject_put&amp;#39; to recycling resources.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: zoned: clone zoned device info when cloning a device<br /> <br /> When cloning a btrfs_device, we&amp;#39;re not cloning the associated<br /> btrfs_zoned_device_info structure of the device in case of a zoned<br /> filesystem.<br /> <br /> Later on this leads to a NULL pointer dereference when accessing the<br /> device&amp;#39;s zone_info for instance when setting a zone as active.<br /> <br /> This was uncovered by fstests&amp;#39; testcase btrfs/161.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: mhi: Fix memory leak in mhi_net_dellink()<br /> <br /> MHI driver registers network device without setting the<br /> needs_free_netdev flag, and does NOT call free_netdev() when<br /> unregisters network device, which causes a memory leak.<br /> <br /> This patch calls free_netdev() to fix it since netdev_priv<br /> is used after unregister.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ata: libata-transport: fix error handling in ata_tport_add()<br /> <br /> In ata_tport_add(), the return value of transport_add_device() is<br /> not checked. As a result, it causes null-ptr-deref while removing<br /> the module, because transport_remove_device() is called to remove<br /> the device that was not added.<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0<br /> CPU: 12 PID: 13605 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc3+ #8<br /> pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : device_del+0x48/0x39c<br /> lr : device_del+0x44/0x39c<br /> Call trace:<br /> device_del+0x48/0x39c<br /> attribute_container_class_device_del+0x28/0x40<br /> transport_remove_classdev+0x60/0x7c<br /> attribute_container_device_trigger+0x118/0x120<br /> transport_remove_device+0x20/0x30<br /> ata_tport_delete+0x34/0x60 [libata]<br /> ata_port_detach+0x148/0x1b0 [libata]<br /> ata_pci_remove_one+0x50/0x80 [libata]<br /> ahci_remove_one+0x4c/0x8c [ahci]<br /> <br /> Fix this by checking and handling return value of transport_add_device()<br /> in ata_tport_add().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ata: libata-transport: fix error handling in ata_tlink_add()<br /> <br /> In ata_tlink_add(), the return value of transport_add_device() is<br /> not checked. As a result, it causes null-ptr-deref while removing<br /> the module, because transport_remove_device() is called to remove<br /> the device that was not added.<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0<br /> CPU: 33 PID: 13850 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc3+ #12<br /> pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : device_del+0x48/0x39c<br /> lr : device_del+0x44/0x39c<br /> Call trace:<br /> device_del+0x48/0x39c<br /> attribute_container_class_device_del+0x28/0x40<br /> transport_remove_classdev+0x60/0x7c<br /> attribute_container_device_trigger+0x118/0x120<br /> transport_remove_device+0x20/0x30<br /> ata_tlink_delete+0x88/0xb0 [libata]<br /> ata_tport_delete+0x2c/0x60 [libata]<br /> ata_port_detach+0x148/0x1b0 [libata]<br /> ata_pci_remove_one+0x50/0x80 [libata]<br /> ahci_remove_one+0x4c/0x8c [ahci]<br /> <br /> Fix this by checking and handling return value of transport_add_device()<br /> in ata_tlink_add().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ata: libata-transport: fix error handling in ata_tdev_add()<br /> <br /> In ata_tdev_add(), the return value of transport_add_device() is<br /> not checked. As a result, it causes null-ptr-deref while removing<br /> the module, because transport_remove_device() is called to remove<br /> the device that was not added.<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0<br /> CPU: 13 PID: 13603 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc3+ #36<br /> pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : device_del+0x48/0x3a0<br /> lr : device_del+0x44/0x3a0<br /> Call trace:<br /> device_del+0x48/0x3a0<br /> attribute_container_class_device_del+0x28/0x40<br /> transport_remove_classdev+0x60/0x7c<br /> attribute_container_device_trigger+0x118/0x120<br /> transport_remove_device+0x20/0x30<br /> ata_tdev_delete+0x24/0x50 [libata]<br /> ata_tlink_delete+0x40/0xa0 [libata]<br /> ata_tport_delete+0x2c/0x60 [libata]<br /> ata_port_detach+0x148/0x1b0 [libata]<br /> ata_pci_remove_one+0x50/0x80 [libata]<br /> ahci_remove_one+0x4c/0x8c [ahci]<br /> <br /> Fix this by checking and handling return value of transport_add_device()<br /> in ata_tdev_add(). In the error path, device_del() is called to delete<br /> the device which was added earlier in this function, and ata_tdev_free()<br /> is called to free ata_dev.