Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> slub/kunit: fix a WARNING due to unwrapped __kmalloc_cache_noprof<br /> <br /> &amp;#39;modprobe slub_kunit&amp;#39; will have a warning as shown below. The root cause<br /> is that __kmalloc_cache_noprof was directly used, which resulted in no<br /> alloc_tag being allocated. This caused current-&gt;alloc_tag to be null,<br /> leading to a warning in alloc_tag_add_check.<br /> <br /> Let&amp;#39;s add an alloc_hook layer to __kmalloc_cache_noprof specifically<br /> within lib/slub_kunit.c, which is the only user of this internal slub<br /> function outside kmalloc implementation itself.<br /> <br /> [58162.947016] WARNING: CPU: 2 PID: 6210 at<br /> ./include/linux/alloc_tag.h:125 alloc_tagging_slab_alloc_hook+0x268/0x27c<br /> [58162.957721] Call trace:<br /> [58162.957919] alloc_tagging_slab_alloc_hook+0x268/0x27c<br /> [58162.958286] __kmalloc_cache_noprof+0x14c/0x344<br /> [58162.958615] test_kmalloc_redzone_access+0x50/0x10c [slub_kunit]<br /> [58162.959045] kunit_try_run_case+0x74/0x184 [kunit]<br /> [58162.959401] kunit_generic_run_threadfn_adapter+0x2c/0x4c [kunit]<br /> [58162.959841] kthread+0x10c/0x118<br /> [58162.960093] ret_from_fork+0x10/0x20<br /> [58162.960363] ---[ end trace 0000000000000000 ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915/hdcp: Add encoder check in hdcp2_get_capability<br /> <br /> Add encoder check in intel_hdcp2_get_capability to avoid<br /> null pointer error.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability<br /> <br /> Sometimes during hotplug scenario or suspend/resume scenario encoder is<br /> not always initialized when intel_hdcp_get_capability add<br /> a check to avoid kernel null pointer dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: core: Fix another deadlock during RTC update<br /> <br /> If ufshcd_rtc_work calls ufshcd_rpm_put_sync() and the pm&amp;#39;s usage_count<br /> is 0, we will enter the runtime suspend callback. However, the runtime<br /> suspend callback will wait to flush ufshcd_rtc_work, causing a deadlock.<br /> <br /> Replace ufshcd_rpm_put_sync() with ufshcd_rpm_put() to avoid the<br /> deadlock.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/mediatek: Fix potential NULL dereference in mtk_crtc_destroy()<br /> <br /> In mtk_crtc_create(), if the call to mbox_request_channel() fails then we<br /> set the "mtk_crtc-&gt;cmdq_client.chan" pointer to NULL. In that situation,<br /> we do not call cmdq_pkt_create().<br /> <br /> During the cleanup, we need to check if the "mtk_crtc-&gt;cmdq_client.chan"<br /> is NULL first before calling cmdq_pkt_destroy(). Calling<br /> cmdq_pkt_destroy() is unnecessary if we didn&amp;#39;t call cmdq_pkt_create() and<br /> it will result in a NULL pointer dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/rw: fix missing NOWAIT check for O_DIRECT start write<br /> <br /> When io_uring starts a write, it&amp;#39;ll call kiocb_start_write() to bump the<br /> super block rwsem, preventing any freezes from happening while that<br /> write is in-flight. The freeze side will grab that rwsem for writing,<br /> excluding any new writers from happening and waiting for existing writes<br /> to finish. But io_uring unconditionally uses kiocb_start_write(), which<br /> will block if someone is currently attempting to freeze the mount point.<br /> This causes a deadlock where freeze is waiting for previous writes to<br /> complete, but the previous writes cannot complete, as the task that is<br /> supposed to complete them is blocked waiting on starting a new write.<br /> This results in the following stuck trace showing that dependency with<br /> the write blocked starting a new write:<br /> <br /> task:fio state:D stack:0 pid:886 tgid:886 ppid:876<br /> Call trace:<br /> __switch_to+0x1d8/0x348<br /> __schedule+0x8e8/0x2248<br /> schedule+0x110/0x3f0<br /> percpu_rwsem_wait+0x1e8/0x3f8<br /> __percpu_down_read+0xe8/0x500<br /> io_write+0xbb8/0xff8<br /> io_issue_sqe+0x10c/0x1020<br /> io_submit_sqes+0x614/0x2110<br /> __arm64_sys_io_uring_enter+0x524/0x1038<br /> invoke_syscall+0x74/0x268<br /> el0_svc_common.constprop.0+0x160/0x238<br /> do_el0_svc+0x44/0x60<br /> el0_svc+0x44/0xb0<br /> el0t_64_sync_handler+0x118/0x128<br /> el0t_64_sync+0x168/0x170<br /> INFO: task fsfreeze:7364 blocked for more than 15 seconds.<br /> Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963<br /> <br /> with the attempting freezer stuck trying to grab the rwsem:<br /> <br /> task:fsfreeze state:D stack:0 pid:7364 tgid:7364 ppid:995<br /> Call trace:<br /> __switch_to+0x1d8/0x348<br /> __schedule+0x8e8/0x2248<br /> schedule+0x110/0x3f0<br /> percpu_down_write+0x2b0/0x680<br /> freeze_super+0x248/0x8a8<br /> do_vfs_ioctl+0x149c/0x1b18<br /> __arm64_sys_ioctl+0xd0/0x1a0<br /> invoke_syscall+0x74/0x268<br /> el0_svc_common.constprop.0+0x160/0x238<br /> do_el0_svc+0x44/0x60<br /> el0_svc+0x44/0xb0<br /> el0t_64_sync_handler+0x118/0x128<br /> el0t_64_sync+0x168/0x170<br /> <br /> Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a<br /> blocking grab of the super block rwsem if it isn&amp;#39;t set. For normal issue<br /> where IOCB_NOWAIT would always be set, this returns -EAGAIN which will<br /> have io_uring core issue a blocking attempt of the write. That will in<br /> turn also get completions run, ensuring forward progress.<br /> <br /> Since freezing requires CAP_SYS_ADMIN in the first place, this isn&amp;#39;t<br /> something that can be triggered by a regular user.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: iwlwifi: mvm: fix 6 GHz scan construction<br /> <br /> If more than 255 colocated APs exist for the set of all<br /> APs found during 2.4/5 GHz scanning, then the 6 GHz scan<br /> construction will loop forever since the loop variable<br /> has type u8, which can never reach the number found when<br /> that&amp;#39;s bigger than 255, and is stored in a u32 variable.<br /> Also move it into the loops to have a smaller scope.<br /> <br /> Using a u32 there is fine, we limit the number of APs in<br /> the scan list and each has a limit on the number of RNR<br /> entries due to the frame size. With a limit of 1000 scan<br /> results, a frame size upper bound of 4096 (really it&amp;#39;s<br /> more like ~2300) and a TBTT entry size of at least 11,<br /> we get an upper bound for the number of ~372k, well in<br /> the bounds of a u32.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT<br /> <br /> In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed<br /> to be either root or ingress. This assumption is bogus since it&amp;#39;s valid<br /> to create egress qdiscs with major handle ffff:<br /> Budimir Markovic found that for qdiscs like DRR that maintain an active<br /> class list, it will cause a UAF with a dangling class pointer.<br /> <br /> In 066a3b5b2346, the concern was to avoid iterating over the ingress<br /> qdisc since its parent is itself. The proper fix is to stop when parent<br /> TC_H_ROOT is reached because the only way to retrieve ingress is when a<br /> hierarchy which does not contain a ffff: major handle call into<br /> qdisc_lookup with TC_H_MAJ(TC_H_ROOT).<br /> <br /> In the scenario where major ffff: is an egress qdisc in any of the tree<br /> levels, the updates will also propagate to TC_H_ROOT, which then the<br /> iteration must stop.<br /> <br /> <br /> net/sched/sch_api.c | 2 +-<br /> 1 file changed, 1 insertion(+), 1 deletion(-)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data<br /> <br /> In case the non-paged data of a SKB carries protocol header and protocol<br /> payload to be transmitted on a certain platform that the DMA AXI address<br /> width is configured to 40-bit/48-bit, or the size of the non-paged data<br /> is bigger than TSO_MAX_BUFF_SIZE on a certain platform that the DMA AXI<br /> address width is configured to 32-bit, then this SKB requires at least<br /> two DMA transmit descriptors to serve it.<br /> <br /> For example, three descriptors are allocated to split one DMA buffer<br /> mapped from one piece of non-paged data:<br /> dma_desc[N + 0],<br /> dma_desc[N + 1],<br /> dma_desc[N + 2].<br /> Then three elements of tx_q-&gt;tx_skbuff_dma[] will be allocated to hold<br /> extra information to be reused in stmmac_tx_clean():<br /> tx_q-&gt;tx_skbuff_dma[N + 0],<br /> tx_q-&gt;tx_skbuff_dma[N + 1],<br /> tx_q-&gt;tx_skbuff_dma[N + 2].<br /> Now we focus on tx_q-&gt;tx_skbuff_dma[entry].buf, which is the DMA buffer<br /> address returned by DMA mapping call. stmmac_tx_clean() will try to<br /> unmap the DMA buffer _ONLY_IF_ tx_q-&gt;tx_skbuff_dma[entry].buf<br /> is a valid buffer address.<br /> <br /> The expected behavior that saves DMA buffer address of this non-paged<br /> data to tx_q-&gt;tx_skbuff_dma[entry].buf is:<br /> tx_q-&gt;tx_skbuff_dma[N + 0].buf = NULL;<br /> tx_q-&gt;tx_skbuff_dma[N + 1].buf = NULL;<br /> tx_q-&gt;tx_skbuff_dma[N + 2].buf = dma_map_single();<br /> Unfortunately, the current code misbehaves like this:<br /> tx_q-&gt;tx_skbuff_dma[N + 0].buf = dma_map_single();<br /> tx_q-&gt;tx_skbuff_dma[N + 1].buf = NULL;<br /> tx_q-&gt;tx_skbuff_dma[N + 2].buf = NULL;<br /> <br /> On the stmmac_tx_clean() side, when dma_desc[N + 0] is closed by the<br /> DMA engine, tx_q-&gt;tx_skbuff_dma[N + 0].buf is a valid buffer address<br /> obviously, then the DMA buffer will be unmapped immediately.<br /> There may be a rare case that the DMA engine does not finish the<br /> pending dma_desc[N + 1], dma_desc[N + 2] yet. Now things will go<br /> horribly wrong, DMA is going to access a unmapped/unreferenced memory<br /> region, corrupted data will be transmited or iommu fault will be<br /> triggered :(<br /> <br /> In contrast, the for-loop that maps SKB fragments behaves perfectly<br /> as expected, and that is how the driver should do for both non-paged<br /> data and paged frags actually.<br /> <br /> This patch corrects DMA map/unmap sequences by fixing the array index<br /> for tx_q-&gt;tx_skbuff_dma[entry].buf when assigning DMA buffer address.<br /> <br /> Tested and verified on DWXGMAC CORE 3.20a

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()<br /> <br /> 1. The size of the response packet is not validated.<br /> 2. The response buffer is not freed.<br /> <br /> Resolve these issues by switching to iwl_mvm_send_cmd_status(),<br /> which handles both size validation and frees the buffer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported<br /> <br /> acpi_evaluate_object() may return AE_NOT_FOUND (failure), which<br /> would result in dereferencing buffer.pointer (obj) while being NULL.<br /> <br /> Although this case may be unrealistic for the current code, it is<br /> still better to protect against possible bugs.<br /> <br /> Bail out also when status is AE_NOT_FOUND.<br /> <br /> This fixes 1 FORWARD_NULL issue reported by Coverity<br /> Report: CID 1600951: Null pointer dereferences (FORWARD_NULL)<br /> <br /> (cherry picked from commit 91c9e221fe2553edf2db71627d8453f083de87a1)