Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfs: Fix oops in nfs_netfs_init_request() when copying to cache<br /> <br /> When netfslib wants to copy some data that has just been read on behalf of<br /> nfs, it creates a new write request and calls nfs_netfs_init_request() to<br /> initialise it, but with a NULL file pointer. This causes<br /> nfs_file_open_context() to oops - however, we don&amp;#39;t actually need the nfs<br /> context as we&amp;#39;re only going to write to the cache.<br /> <br /> Fix this by just returning if we aren&amp;#39;t given a file pointer and emit a<br /> warning if the request was for something other than copy-to-cache.<br /> <br /> Further, fix nfs_netfs_free_request() so that it doesn&amp;#39;t try to free the<br /> context if the pointer is NULL.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfs: Fix enomem handling in buffered reads<br /> <br /> If netfs_read_to_pagecache() gets an error from either -&gt;prepare_read() or<br /> from netfs_prepare_read_iterator(), it needs to decrement -&gt;nr_outstanding,<br /> cancel the subrequest and break out of the issuing loop. Currently, it<br /> only does this for two of the cases, but there are two more that aren&amp;#39;t<br /> handled.<br /> <br /> Fix this by moving the handling to a common place and jumping to it from<br /> all four places. This is in preference to inserting a wrapper around<br /> netfs_prepare_read_iterator() as proposed by Dmitry Antipov[1].

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: relax assertions on failure to encode file handles<br /> <br /> Encoding file handles is usually performed by a filesystem &gt;encode_fh()<br /> method that may fail for various reasons.<br /> <br /> The legacy users of exportfs_encode_fh(), namely, nfsd and<br /> name_to_handle_at(2) syscall are ready to cope with the possibility<br /> of failure to encode a file handle.<br /> <br /> There are a few other users of exportfs_encode_{fh,fid}() that<br /> currently have a WARN_ON() assertion when -&gt;encode_fh() fails.<br /> Relax those assertions because they are wrong.<br /> <br /> The second linked bug report states commit 16aac5ad1fa9 ("ovl: support<br /> encoding non-decodable file handles") in v6.6 as the regressing commit,<br /> but this is not accurate.<br /> <br /> The aforementioned commit only increases the chances of the assertion<br /> and allows triggering the assertion with the reproducer using overlayfs,<br /> inotify and drop_caches.<br /> <br /> Triggering this assertion was always possible with other filesystems and<br /> other reasons of -&gt;encode_fh() failures and more particularly, it was<br /> also possible with the exact same reproducer using overlayfs that is<br /> mounted with options index=on,nfs_export=on also on kernels

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Add check for granularity in dml ceil/floor helpers<br /> <br /> [Why]<br /> Wrapper functions for dcn_bw_ceil2() and dcn_bw_floor2()<br /> should check for granularity is non zero to avoid assert and<br /> divide-by-zero error in dcn_bw_ functions.<br /> <br /> [How]<br /> Add check for granularity 0.<br /> <br /> (cherry picked from commit f6e09701c3eb2ccb8cb0518e0b67f1c69742a4ec)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix a missing return value check bug<br /> <br /> In the smb2_send_interim_resp(), if ksmbd_alloc_work_struct()<br /> fails to allocate a node, it returns a NULL pointer to the<br /> in_work pointer. This can lead to an illegal memory write of<br /> in_work-&gt;response_buf when allocate_interim_rsp_buf() attempts<br /> to perform a kzalloc() on it.<br /> <br /> To address this issue, incorporating a check for the return<br /> value of ksmbd_alloc_work_struct() ensures that the function<br /> returns immediately upon allocation failure, thereby preventing<br /> the aforementioned illegal memory access.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: light: bh1745: fix information leak in triggered buffer<br /> <br /> The &amp;#39;scan&amp;#39; local struct is used to push data to user space from a<br /> triggered buffer, but it does not set values for inactive channels, as<br /> it only uses iio_for_each_active_channel() to assign new values.<br /> <br /> Initialize the struct to zero before using it to avoid pushing<br /> uninitialized information to userspace.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: tcpci: fix NULL pointer issue on shared irq case<br /> <br /> The tcpci_irq() may meet below NULL pointer dereference issue:<br /> <br /> [ 2.641851] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010<br /> [ 2.641951] status 0x1, 0x37f<br /> [ 2.650659] Mem abort info:<br /> [ 2.656490] ESR = 0x0000000096000004<br /> [ 2.660230] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 2.665532] SET = 0, FnV = 0<br /> [ 2.668579] EA = 0, S1PTW = 0<br /> [ 2.671715] FSC = 0x04: level 0 translation fault<br /> [ 2.676584] Data abort info:<br /> [ 2.679459] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000<br /> [ 2.684936] CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> [ 2.689980] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> [ 2.695284] [0000000000000010] user address but active_mm is swapper<br /> [ 2.701632] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP<br /> [ 2.707883] Modules linked in:<br /> [ 2.710936] CPU: 1 UID: 0 PID: 87 Comm: irq/111-2-0051 Not tainted 6.12.0-rc6-06316-g7f63786ad3d1-dirty #4<br /> [ 2.720570] Hardware name: NXP i.MX93 11X11 EVK board (DT)<br /> [ 2.726040] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 2.732989] pc : tcpci_irq+0x38/0x318<br /> [ 2.736647] lr : _tcpci_irq+0x14/0x20<br /> [ 2.740295] sp : ffff80008324bd30<br /> [ 2.743597] x29: ffff80008324bd70 x28: ffff800080107894 x27: ffff800082198f70<br /> [ 2.750721] x26: ffff0000050e6680 x25: ffff000004d172ac x24: ffff0000050f0000<br /> [ 2.757845] x23: ffff000004d17200 x22: 0000000000000001 x21: ffff0000050f0000<br /> [ 2.764969] x20: ffff000004d17200 x19: 0000000000000000 x18: 0000000000000001<br /> [ 2.772093] x17: 0000000000000000 x16: ffff80008183d8a0 x15: ffff00007fbab040<br /> [ 2.779217] x14: ffff00007fb918c0 x13: 0000000000000000 x12: 000000000000017a<br /> [ 2.786341] x11: 0000000000000001 x10: 0000000000000a90 x9 : ffff80008324bd00<br /> [ 2.793465] x8 : ffff0000050f0af0 x7 : ffff00007fbaa840 x6 : 0000000000000031<br /> [ 2.800589] x5 : 000000000000017a x4 : 0000000000000002 x3 : 0000000000000002<br /> [ 2.807713] x2 : ffff80008324bd3a x1 : 0000000000000010 x0 : 0000000000000000<br /> [ 2.814838] Call trace:<br /> [ 2.817273] tcpci_irq+0x38/0x318<br /> [ 2.820583] _tcpci_irq+0x14/0x20<br /> [ 2.823885] irq_thread_fn+0x2c/0xa8<br /> [ 2.827456] irq_thread+0x16c/0x2f4<br /> [ 2.830940] kthread+0x110/0x114<br /> [ 2.834164] ret_from_fork+0x10/0x20<br /> [ 2.837738] Code: f9426420 f9001fe0 d2800000 52800201 (f9400a60)<br /> <br /> This may happen on shared irq case. Such as two Type-C ports share one<br /> irq. After the first port finished tcpci_register_port(), it may trigger<br /> interrupt. However, if the interrupt comes by chance the 2nd port finishes<br /> devm_request_threaded_irq(), the 2nd port interrupt handler will run at<br /> first. Then the above issue happens due to tcpci is still a NULL pointer<br /> in tcpci_irq() when dereference to regmap.<br /> <br /> devm_request_threaded_irq()<br /> irq);<br /> tcpci_register_port()<br /> <br /> This will restore the logic to the state before commit (77e85107a771 "usb:<br /> typec: tcpci: support edge irq").<br /> <br /> However, moving tcpci_register_port() earlier creates a problem when use<br /> edge irq because tcpci_init() will be called before<br /> devm_request_threaded_irq(). The tcpci_init() writes the ALERT_MASK to<br /> the hardware to tell it to start generating interrupts but we&amp;#39;re not ready<br /> to deal with them yet, then the ALERT events may be missed and ALERT line<br /> will not recover to high level forever. To avoid the issue, this will also<br /> set ALERT_MASK register after devm_request_threaded_irq() return.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: fix page fault due to max surface definition mismatch<br /> <br /> DC driver is using two different values to define the maximum number of<br /> surfaces: MAX_SURFACES and MAX_SURFACE_NUM. Consolidate MAX_SURFACES as<br /> the unique definition for surface updates across DC.<br /> <br /> It fixes page fault faced by Cosmic users on AMD display versions that<br /> support two overlay planes, since the introduction of cursor overlay<br /> mode.<br /> <br /> [Nov26 21:33] BUG: unable to handle page fault for address: 0000000051d0f08b<br /> [ +0.000015] #PF: supervisor read access in kernel mode<br /> [ +0.000006] #PF: error_code(0x0000) - not-present page<br /> [ +0.000005] PGD 0 P4D 0<br /> [ +0.000007] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> [ +0.000006] CPU: 4 PID: 71 Comm: kworker/u32:6 Not tainted 6.10.0+ #300<br /> [ +0.000006] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024<br /> [ +0.000007] Workqueue: events_unbound commit_work [drm_kms_helper]<br /> [ +0.000040] RIP: 0010:copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu]<br /> [ +0.000847] Code: 8b 10 49 89 94 24 f8 00 00 00 48 8b 50 08 49 89 94 24 00 01 00 00 8b 40 10 41 89 84 24 08 01 00 00 49 8b 45 78 48 85 c0 74 0b b6 00 41 88 84 24 90 64 00 00 49 8b 45 60 48 85 c0 74 3b 48 8b<br /> [ +0.000010] RSP: 0018:ffffc203802f79a0 EFLAGS: 00010206<br /> [ +0.000009] RAX: 0000000051d0f08b RBX: 0000000000000004 RCX: ffff9f964f0a8070<br /> [ +0.000004] RDX: ffff9f9710f90e40 RSI: ffff9f96600c8000 RDI: ffff9f964f000000<br /> [ +0.000004] RBP: ffffc203802f79f8 R08: 0000000000000000 R09: 0000000000000000<br /> [ +0.000005] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9f96600c8000<br /> [ +0.000004] R13: ffff9f9710f90e40 R14: ffff9f964f000000 R15: ffff9f96600c8000<br /> [ +0.000004] FS: 0000000000000000(0000) GS:ffff9f9970000000(0000) knlGS:0000000000000000<br /> [ +0.000005] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ +0.000005] CR2: 0000000051d0f08b CR3: 00000002e6a20000 CR4: 0000000000350ef0<br /> [ +0.000005] Call Trace:<br /> [ +0.000011] <br /> [ +0.000010] ? __die_body.cold+0x19/0x27<br /> [ +0.000012] ? page_fault_oops+0x15a/0x2d0<br /> [ +0.000014] ? exc_page_fault+0x7e/0x180<br /> [ +0.000009] ? asm_exc_page_fault+0x26/0x30<br /> [ +0.000013] ? copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu]<br /> [ +0.000739] ? dc_commit_state_no_check+0xd6c/0xe70 [amdgpu]<br /> [ +0.000470] update_planes_and_stream_state+0x49b/0x4f0 [amdgpu]<br /> [ +0.000450] ? srso_return_thunk+0x5/0x5f<br /> [ +0.000009] ? commit_minimal_transition_state+0x239/0x3d0 [amdgpu]<br /> [ +0.000446] update_planes_and_stream_v2+0x24a/0x590 [amdgpu]<br /> [ +0.000464] ? srso_return_thunk+0x5/0x5f<br /> [ +0.000009] ? sort+0x31/0x50<br /> [ +0.000007] ? amdgpu_dm_atomic_commit_tail+0x159f/0x3a30 [amdgpu]<br /> [ +0.000508] ? srso_return_thunk+0x5/0x5f<br /> [ +0.000009] ? amdgpu_crtc_get_scanout_position+0x28/0x40 [amdgpu]<br /> [ +0.000377] ? srso_return_thunk+0x5/0x5f<br /> [ +0.000009] ? drm_crtc_vblank_helper_get_vblank_timestamp_internal+0x160/0x390 [drm]<br /> [ +0.000058] ? srso_return_thunk+0x5/0x5f<br /> [ +0.000005] ? dma_fence_default_wait+0x8c/0x260<br /> [ +0.000010] ? srso_return_thunk+0x5/0x5f<br /> [ +0.000005] ? wait_for_completion_timeout+0x13b/0x170<br /> [ +0.000006] ? srso_return_thunk+0x5/0x5f<br /> [ +0.000005] ? dma_fence_wait_timeout+0x108/0x140<br /> [ +0.000010] ? commit_tail+0x94/0x130 [drm_kms_helper]<br /> [ +0.000024] ? process_one_work+0x177/0x330<br /> [ +0.000008] ? worker_thread+0x266/0x3a0<br /> [ +0.000006] ? __pfx_worker_thread+0x10/0x10<br /> [ +0.000004] ? kthread+0xd2/0x100<br /> [ +0.000006] ? __pfx_kthread+0x10/0x10<br /> [ +0.000006] ? ret_from_fork+0x34/0x50<br /> [ +0.000004] ? __pfx_kthread+0x10/0x10<br /> [ +0.000005] ? ret_from_fork_asm+0x1a/0x30<br /> [ +0.000011] <br /> <br /> (cherry picked from commit 1c86c81a86c60f9b15d3e3f43af0363cf56063e7)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: light: vcnl4035: fix information leak in triggered buffer<br /> <br /> The &amp;#39;buffer&amp;#39; local array is used to push data to userspace from a<br /> triggered buffer, but it does not set an initial value for the single<br /> data element, which is an u16 aligned to 8 bytes. That leaves at least<br /> 4 bytes uninitialized even after writing an integer value with<br /> regmap_read().<br /> <br /> Initialize the array to zero before using it to avoid pushing<br /> uninitialized information to userspace.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer<br /> <br /> The &amp;#39;data&amp;#39; array is allocated via kmalloc() and it is used to push data<br /> to user space from a triggered buffer, but it does not set values for<br /> inactive channels, as it only uses iio_for_each_active_channel()<br /> to assign new values.<br /> <br /> Use kzalloc for the memory allocation to avoid pushing uninitialized<br /> information to userspace.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: pressure: zpa2326: fix information leak in triggered buffer<br /> <br /> The &amp;#39;sample&amp;#39; local struct is used to push data to user space from a<br /> triggered buffer, but it has a hole between the temperature and the<br /> timestamp (u32 pressure, u16 temperature, GAP, u64 timestamp).<br /> This hole is never initialized.<br /> <br /> Initialize the struct to zero before using it to avoid pushing<br /> uninitialized information to userspace.