Vulnerabilities

In BnAudioPolicyService::onTransact of AudioPolicyService.cpp, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: Prevent a bad reference count on CPU nodes<br /> <br /> When populating cache leaves we previously fetched the CPU device node<br /> at the very beginning. But when ACPI is enabled we go through a<br /> specific branch which returns early and does not call &amp;#39;of_node_put&amp;#39; for<br /> the node that was acquired.<br /> <br /> Since we are not using a CPU device node for the ACPI code anyways, we<br /> can simply move the initialization of it just passed the ACPI block, and<br /> we are guaranteed to have an &amp;#39;of_node_put&amp;#39; call for the acquired node.<br /> This prevents a bad reference count of the CPU device node.<br /> <br /> Moreover, the previous function did not check for errors when acquiring<br /> the device node, so a return -ENOENT has been added for that case.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table()<br /> <br /> If per_time_scales[i] or per_time_gains[i] kcalloc fails in the for loop<br /> of iio_gts_build_avail_scale_table(), the err_free_out will fail to call<br /> kfree() each time when i is reduced to 0, so all the per_time_scales[0]<br /> and per_time_gains[0] will not be freed, which will cause memory leaks.<br /> <br /> Fix it by checking if i &gt;= 0.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rpcrdma: Always release the rpcrdma_device&amp;#39;s xa_array<br /> <br /> Dai pointed out that the xa_init_flags() in rpcrdma_add_one() needs<br /> to have a matching xa_destroy() in rpcrdma_remove_one() to release<br /> underlying memory that the xarray might have accrued during<br /> operation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/tegra: Fix NULL vs IS_ERR() check in probe()<br /> <br /> The iommu_paging_domain_alloc() function doesn&amp;#39;t return NULL pointers,<br /> it returns error pointers. Update the check to match.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/thp: fix deferred split unqueue naming and locking<br /> <br /> Recent changes are putting more pressure on THP deferred split queues:<br /> under load revealing long-standing races, causing list_del corruptions,<br /> "Bad page state"s and worse (I keep BUGs in both of those, so usually<br /> don&amp;#39;t get to see how badly they end up without). The relevant recent<br /> changes being 6.8&amp;#39;s mTHP, 6.10&amp;#39;s mTHP swapout, and 6.12&amp;#39;s mTHP swapin,<br /> improved swap allocation, and underused THP splitting.<br /> <br /> Before fixing locking: rename misleading folio_undo_large_rmappable(),<br /> which does not undo large_rmappable, to folio_unqueue_deferred_split(),<br /> which is what it does. But that and its out-of-line __callee are mm<br /> internals of very limited usability: add comment and WARN_ON_ONCEs to<br /> check usage; and return a bool to say if a deferred split was unqueued,<br /> which can then be used in WARN_ON_ONCEs around safety checks (sparing<br /> callers the arcane conditionals in __folio_unqueue_deferred_split()).<br /> <br /> Just omit the folio_unqueue_deferred_split() from free_unref_folios(), all<br /> of whose callers now call it beforehand (and if any forget then bad_page()<br /> will tell) - except for its caller put_pages_list(), which itself no<br /> longer has any callers (and will be deleted separately).<br /> <br /> Swapout: mem_cgroup_swapout() has been resetting folio-&gt;memcg_data 0<br /> without checking and unqueueing a THP folio from deferred split list;<br /> which is unfortunate, since the split_queue_lock depends on the memcg<br /> (when memcg is enabled); so swapout has been unqueueing such THPs later,<br /> when freeing the folio, using the pgdat&amp;#39;s lock instead: potentially<br /> corrupting the memcg&amp;#39;s list. __remove_mapping() has frozen refcount to 0<br /> here, so no problem with calling folio_unqueue_deferred_split() before<br /> resetting memcg_data.<br /> <br /> That goes back to 5.4 commit 87eaceb3faa5 ("mm: thp: make deferred split<br /> shrinker memcg aware"): which included a check on swapcache before adding<br /> to deferred queue, but no check on deferred queue before adding THP to<br /> swapcache. That worked fine with the usual sequence of events in reclaim<br /> (though there were a couple of rare ways in which a THP on deferred queue<br /> could have been swapped out), but 6.12 commit dafff3f4c850 ("mm: split<br /> underused THPs") avoids splitting underused THPs in reclaim, which makes<br /> swapcache THPs on deferred queue commonplace.<br /> <br /> Keep the check on swapcache before adding to deferred queue? Yes: it is<br /> no longer essential, but preserves the existing behaviour, and is likely<br /> to be a worthwhile optimization (vmstat showed much more traffic on the<br /> queue under swapping load if the check was removed); update its comment.<br /> <br /> Memcg-v1 move (deprecated): mem_cgroup_move_account() has been changing<br /> folio-&gt;memcg_data without checking and unqueueing a THP folio from the<br /> deferred list, sometimes corrupting "from" memcg&amp;#39;s list, like swapout. <br /> Refcount is non-zero here, so folio_unqueue_deferred_split() can only be<br /> used in a WARN_ON_ONCE to validate the fix, which must be done earlier:<br /> mem_cgroup_move_charge_pte_range() first try to split the THP (splitting<br /> of course unqueues), or skip it if that fails. Not ideal, but moving<br /> charge has been requested, and khugepaged should repair the THP later:<br /> nobody wants new custom unqueueing code just for this deprecated case.<br /> <br /> The 87eaceb3faa5 commit did have the code to move from one deferred list<br /> to another (but was not conscious of its unsafety while refcount non-0);<br /> but that was removed by 5.6 commit fac0516b5534 ("mm: thp: don&amp;#39;t need care<br /> deferred split queue in memcg charge move path"), which argued that the<br /> existence of a PMD mapping guarantees that the THP cannot be on a deferred<br /> list. As above, false in rare cases, and now commonly false.<br /> <br /> Backport to 6.11 should be straightforward. Earlier backports must take<br /> care that other _deferred_list fixes and dependencies are included. There<br /> is not a strong case for backports, but they can fix cornercases.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/panthor: Lock XArray when getting entries for the VM<br /> <br /> Similar to commit cac075706f29 ("drm/panthor: Fix race when converting<br /> group handle to group object") we need to use the XArray&amp;#39;s internal<br /> locking when retrieving a vm pointer from there.<br /> <br /> v2: Removed part of the patch that was trying to protect fetching<br /> the heap pointer from XArray, as that operation is protected by<br /> the @pool-&gt;lock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: qcom-pmic: init value of hdr_len/txbuf_len earlier<br /> <br /> If the read of USB_PDPHY_RX_ACKNOWLEDGE_REG failed, then hdr_len and<br /> txbuf_len are uninitialized. This commit stops to print uninitialized<br /> value and misleading/false data.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/imagination: Break an object reference loop<br /> <br /> When remaining resources are being cleaned up on driver close,<br /> outstanding VM mappings may result in resources being leaked, due<br /> to an object reference loop, as shown below, with each object (or<br /> set of objects) referencing the object below it:<br /> <br /> PVR GEM Object<br /> GPU scheduler "finished" fence<br /> GPU scheduler “scheduled” fence<br /> PVR driver “done” fence<br /> PVR Context<br /> PVR VM Context<br /> PVR VM Mappings<br /> PVR GEM Object<br /> <br /> The reference that the PVR VM Context has on the VM mappings is a<br /> soft one, in the sense that the freeing of outstanding VM mappings<br /> is done as part of VM context destruction; no reference counts are<br /> involved, as is the case for all the other references in the loop.<br /> <br /> To break the reference loop during cleanup, free the outstanding<br /> VM mappings before destroying the PVR Context associated with the<br /> VM context.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tpm: Lock TPM chip in tpm_pm_suspend() first<br /> <br /> Setting TPM_CHIP_FLAG_SUSPENDED in the end of tpm_pm_suspend() can be racy<br /> according, as this leaves window for tpm_hwrng_read() to be called while<br /> the operation is in progress. The recent bug report gives also evidence of<br /> this behaviour.<br /> <br /> Aadress this by locking the TPM chip before checking any chip-&gt;flags both<br /> in tpm_pm_suspend() and tpm_hwrng_read(). Move TPM_CHIP_FLAG_SUSPENDED<br /> check inside tpm_get_random() so that it will be always checked only when<br /> the lock is reserved.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe: Drop VM dma-resv lock on xe_sync_in_fence_get failure in exec IOCTL<br /> <br /> Upon failure all locks need to be dropped before returning to the user.<br /> <br /> (cherry picked from commit 7d1a4258e602ffdce529f56686925034c1b3b095)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe: Fix possible exec queue leak in exec IOCTL<br /> <br /> In a couple of places after an exec queue is looked up the exec IOCTL<br /> returns on input errors without dropping the exec queue ref. Fix this<br /> ensuring the exec queue ref is dropped on input error.<br /> <br /> (cherry picked from commit 07064a200b40ac2195cb6b7b779897d9377e5e6f)