Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i915/perf: Fix NULL deref bugs with drm_dbg() calls<br /> <br /> When i915 perf interface is not available dereferencing it will lead to<br /> NULL dereferences.<br /> <br /> As returning -ENOTSUPP is pretty clear return when perf interface is not<br /> available.<br /> <br /> [tursulin: added stable tag]<br /> (cherry picked from commit 36f27350ff745bd228ab04d7845dfbffc177a889)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: vcc: Add check for kstrdup() in vcc_probe()<br /> <br /> Add check for the return value of kstrdup() and return the error, if it<br /> fails in order to avoid NULL pointer dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> swiotlb: fix out-of-bounds TLB allocations with CONFIG_SWIOTLB_DYNAMIC<br /> <br /> Limit the free list length to the size of the IO TLB. Transient pool can be<br /> smaller than IO_TLB_SEGSIZE, but the free list is initialized with the<br /> assumption that the total number of slots is a multiple of IO_TLB_SEGSIZE.<br /> As a result, swiotlb_area_find_slots() may allocate slots past the end of<br /> a transient IO TLB buffer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i2c: core: Run atomic i2c xfer when !preemptible<br /> <br /> Since bae1d3a05a8b, i2c transfers are non-atomic if preemption is<br /> disabled. However, non-atomic i2c transfers require preemption (e.g. in<br /> wait_for_completion() while waiting for the DMA).<br /> <br /> panic() calls preempt_disable_notrace() before calling<br /> emergency_restart(). Therefore, if an i2c device is used for the<br /> restart, the xfer should be atomic. This avoids warnings like:<br /> <br /> [ 12.667612] WARNING: CPU: 1 PID: 1 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x33c/0x6b0<br /> [ 12.676926] Voluntary context switch within RCU read-side critical section!<br /> ...<br /> [ 12.742376] schedule_timeout from wait_for_completion_timeout+0x90/0x114<br /> [ 12.749179] wait_for_completion_timeout from tegra_i2c_wait_completion+0x40/0x70<br /> ...<br /> [ 12.994527] atomic_notifier_call_chain from machine_restart+0x34/0x58<br /> [ 13.001050] machine_restart from panic+0x2a8/0x32c<br /> <br /> Use !preemptible() instead, which is basically the same check as<br /> pre-v5.2.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl/region: Do not try to cleanup after cxl_region_setup_targets() fails<br /> <br /> Commit 5e42bcbc3fef ("cxl/region: decrement -&gt;nr_targets on error in<br /> cxl_region_attach()") tried to avoid &amp;#39;eiw&amp;#39; initialization errors when<br /> -&gt;nr_targets exceeded 16, by just decrementing -&gt;nr_targets when<br /> cxl_region_setup_targets() failed.<br /> <br /> Commit 86987c766276 ("cxl/region: Cleanup target list on attach error")<br /> extended that cleanup to also clear cxled-&gt;pos and p-&gt;targets[pos]. The<br /> initialization error was incidentally fixed separately by:<br /> Commit 8d4285425714 ("cxl/region: Fix port setup uninitialized variable<br /> warnings") which was merged a few days after 5e42bcbc3fef.<br /> <br /> But now the original cleanup when cxl_region_setup_targets() fails<br /> prevents endpoint and switch decoder resources from being reused:<br /> <br /> 1) the cleanup does not set the decoder&amp;#39;s region to NULL, which results<br /> in future dpa_size_store() calls returning -EBUSY<br /> 2) the decoder is not properly freed, which results in future commit<br /> errors associated with the upstream switch<br /> <br /> Now that the initialization errors were fixed separately, the proper<br /> cleanup for this case is to just return immediately. Then the resources<br /> associated with this target get cleanup up as normal when the failed<br /> region is deleted.<br /> <br /> The -&gt;nr_targets decrement in the error case also helped prevent<br /> a p-&gt;targets[] array overflow, so add a new check to prevent against<br /> that overflow.<br /> <br /> Tested by trying to create an invalid region for a 2 switch * 2 endpoint<br /> topology, and then following up with creating a valid region.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/smc: avoid data corruption caused by decline<br /> <br /> We found a data corruption issue during testing of SMC-R on Redis<br /> applications.<br /> <br /> The benchmark has a low probability of reporting a strange error as<br /> shown below.<br /> <br /> "Error: Protocol error, got "\xe2" as reply type byte"<br /> <br /> Finally, we found that the retrieved error data was as follows:<br /> <br /> 0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C<br /> 0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00<br /> 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2<br /> <br /> It is quite obvious that this is a SMC DECLINE message, which means that<br /> the applications received SMC protocol message.<br /> We found that this was caused by the following situations:<br /> <br /> client server<br /> ¦ clc proposal<br /> -------------&gt;<br /> ¦ clc accept<br /> <br /> wait llc confirm<br /> send llc confirm<br /> ¦failed llc confirm<br /> ¦ x------<br /> (after 2s)timeout<br /> wait llc confirm rsp<br /> <br /> wait decline<br /> <br /> (after 1s) timeout<br /> (after 2s) timeout<br /> ¦ decline<br /> --------------&gt;<br /> ¦ decline<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath12k: fix dfs-radar and temperature event locking<br /> <br /> The ath12k active pdevs are protected by RCU but the DFS-radar and<br /> temperature event handling code calling ath12k_mac_get_ar_by_pdev_id()<br /> was not marked as a read-side critical section.<br /> <br /> Mark the code in question as RCU read-side critical sections to avoid<br /> any potential use-after-free issues.<br /> <br /> Note that the temperature event handler looks like a place holder<br /> currently but would still trigger an RCU lockdep splat.<br /> <br /> Compile tested only.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath11k: fix gtk offload status event locking<br /> <br /> The ath11k active pdevs are protected by RCU but the gtk offload status<br /> event handling code calling ath11k_mac_get_arvif_by_vdev_id() was not<br /> marked as a read-side critical section.<br /> <br /> Mark the code in question as an RCU read-side critical section to avoid<br /> any potential use-after-free issues.<br /> <br /> Compile tested only.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: deal with large GSO size<br /> <br /> After the blamed commit below, the TCP sockets (and the MPTCP subflows)<br /> can build egress packets larger than 64K. That exceeds the maximum DSS<br /> data size, the length being misrepresent on the wire and the stream being<br /> corrupted, as later observed on the receiver:<br /> <br /> WARNING: CPU: 0 PID: 9696 at net/mptcp/protocol.c:705 __mptcp_move_skbs_from_subflow+0x2604/0x26e0<br /> CPU: 0 PID: 9696 Comm: syz-executor.7 Not tainted 6.6.0-rc5-gcd8bdf563d46 #45<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014<br /> netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4&amp;#39;.<br /> RIP: 0010:__mptcp_move_skbs_from_subflow+0x2604/0x26e0 net/mptcp/protocol.c:705<br /> RSP: 0018:ffffc90000006e80 EFLAGS: 00010246<br /> RAX: ffffffff83e9f674 RBX: ffff88802f45d870 RCX: ffff888102ad0000<br /> netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4&amp;#39;.<br /> RDX: 0000000080000303 RSI: 0000000000013908 RDI: 0000000000003908<br /> RBP: ffffc90000007110 R08: ffffffff83e9e078 R09: 1ffff1100e548c8a<br /> R10: dffffc0000000000 R11: ffffed100e548c8b R12: 0000000000013908<br /> R13: dffffc0000000000 R14: 0000000000003908 R15: 000000000031cf29<br /> FS: 00007f239c47e700(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f239c45cd78 CR3: 000000006a66c006 CR4: 0000000000770ef0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> mptcp_data_ready+0x263/0xac0 net/mptcp/protocol.c:819<br /> subflow_data_ready+0x268/0x6d0 net/mptcp/subflow.c:1409<br /> tcp_data_queue+0x21a1/0x7a60 net/ipv4/tcp_input.c:5151<br /> tcp_rcv_established+0x950/0x1d90 net/ipv4/tcp_input.c:6098<br /> tcp_v6_do_rcv+0x554/0x12f0 net/ipv6/tcp_ipv6.c:1483<br /> tcp_v6_rcv+0x2e26/0x3810 net/ipv6/tcp_ipv6.c:1749<br /> ip6_protocol_deliver_rcu+0xd6b/0x1ae0 net/ipv6/ip6_input.c:438<br /> ip6_input+0x1c5/0x470 net/ipv6/ip6_input.c:483<br /> ipv6_rcv+0xef/0x2c0 include/linux/netfilter.h:304<br /> __netif_receive_skb+0x1ea/0x6a0 net/core/dev.c:5532<br /> process_backlog+0x353/0x660 net/core/dev.c:5974<br /> __napi_poll+0xc6/0x5a0 net/core/dev.c:6536<br /> net_rx_action+0x6a0/0xfd0 net/core/dev.c:6603<br /> __do_softirq+0x184/0x524 kernel/softirq.c:553<br /> do_softirq+0xdd/0x130 kernel/softirq.c:454<br /> <br /> Address the issue explicitly bounding the maximum GSO size to what MPTCP<br /> actually allows.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: Pass AT_GETATTR_NOSEC flag to getattr interface function<br /> <br /> When vfs_getattr_nosec() calls a filesystem&amp;#39;s getattr interface function<br /> then the &amp;#39;nosec&amp;#39; should propagate into this function so that<br /> vfs_getattr_nosec() can again be called from the filesystem&amp;#39;s gettattr<br /> rather than vfs_getattr(). The latter would add unnecessary security<br /> checks that the initial vfs_getattr_nosec() call wanted to avoid.<br /> Therefore, introduce the getattr flag GETATTR_NOSEC and allow to pass<br /> with the new getattr_flags parameter to the getattr interface function.<br /> In overlayfs and ecryptfs use this flag to determine which one of the<br /> two functions to call.<br /> <br /> In a recent code change introduced to IMA vfs_getattr_nosec() ended up<br /> calling vfs_getattr() in overlayfs, which in turn called<br /> security_inode_getattr() on an exiting process that did not have<br /> current-&gt;fs set anymore, which then caused a kernel NULL pointer<br /> dereference. With this change the call to security_inode_getattr() can<br /> be avoided, thus avoiding the NULL pointer dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: mvneta: fix calls to page_pool_get_stats<br /> <br /> Calling page_pool_get_stats in the mvneta driver without checks<br /> leads to kernel crashes.<br /> First the page pool is only available if the bm is not used.<br /> The page pool is also not allocated when the port is stopped.<br /> It can also be not allocated in case of errors.<br /> <br /> The current implementation leads to the following crash calling<br /> ethstats on a port that is down or when calling it at the wrong moment:<br /> <br /> ble to handle kernel NULL pointer dereference at virtual address 00000070<br /> [00000070] *pgd=00000000<br /> Internal error: Oops: 5 [#1] SMP ARM<br /> Hardware name: Marvell Armada 380/385 (Device Tree)<br /> PC is at page_pool_get_stats+0x18/0x1cc<br /> LR is at mvneta_ethtool_get_stats+0xa0/0xe0 [mvneta]<br /> pc : [] lr : [] psr: a0000013<br /> sp : f1439d48 ip : f1439dc0 fp : 0000001d<br /> r10: 00000100 r9 : c4816b80 r8 : f0d75150<br /> r7 : bf0b400c r6 : c238f000 r5 : 00000000 r4 : f1439d68<br /> r3 : c2091040 r2 : ffffffd8 r1 : f1439d68 r0 : 00000000<br /> Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none<br /> Control: 10c5387d Table: 066b004a DAC: 00000051<br /> Register r0 information: NULL pointer<br /> Register r1 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390<br /> Register r2 information: non-paged memory<br /> Register r3 information: slab kmalloc-2k start c2091000 pointer offset 64 size 2048<br /> Register r4 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390<br /> Register r5 information: NULL pointer<br /> Register r6 information: slab kmalloc-cg-4k start c238f000 pointer offset 0 size 4096<br /> Register r7 information: 15-page vmalloc region starting at 0xbf0a8000 allocated at load_module+0xa30/0x219c<br /> Register r8 information: 1-page vmalloc region starting at 0xf0d75000 allocated at ethtool_get_stats+0x138/0x208<br /> Register r9 information: slab task_struct start c4816b80 pointer offset 0<br /> Register r10 information: non-paged memory<br /> Register r11 information: non-paged memory<br /> Register r12 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390<br /> Process snmpd (pid: 733, stack limit = 0x38de3a88)<br /> Stack: (0xf1439d48 to 0xf143a000)<br /> 9d40: 000000c0 00000001 c238f000 bf0b400c f0d75150 c4816b80<br /> 9d60: 00000100 bf0a98d8 00000000 00000000 00000000 00000000 00000000 00000000<br /> 9d80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000<br /> 9da0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000<br /> 9dc0: 00000dc0 5335509c 00000035 c238f000 bf0b2214 01067f50 f0d75000 c0b9b9c8<br /> 9de0: 0000001d 00000035 c2212094 5335509c c4816b80 c238f000 c5ad6e00 01067f50<br /> 9e00: c1b0be80 c4816b80 00014813 c0b9d7f0 00000000 00000000 0000001d 0000001d<br /> 9e20: 00000000 00001200 00000000 00000000 c216ed90 c73943b8 00000000 00000000<br /> 9e40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000<br /> 9e60: 00000000 c0ad9034 00000000 00000000 00000000 00000000 00000000 00000000<br /> 9e80: 00000000 00000000 00000000 5335509c c1b0be80 f1439ee4 00008946 c1b0be80<br /> 9ea0: 01067f50 f1439ee3 00000000 00000046 b6d77ae0 c0b383f0 00008946 becc83e8<br /> 9ec0: c1b0be80 00000051 0000000b c68ca480 c7172d00 c0ad8ff0 f1439ee3 cf600e40<br /> 9ee0: 01600e40 32687465 00000000 00000000 00000000 01067f50 00000000 00000000<br /> 9f00: 00000000 5335509c 00008946 00008946 00000000 c68ca480 becc83e8 c05e2de0<br /> 9f20: f1439fb0 c03002f0 00000006 5ac3c35a c4816b80 00000006 b6d77ae0 c030caf0<br /> 9f40: c4817350 00000014 f1439e1c 0000000c 00000000 00000051 01000000 00000014<br /> 9f60: 00003fec f1439edc 00000001 c0372abc b6d77ae0 c0372abc cf600e40 5335509c<br /> 9f80: c21e6800 01015c9c 0000000b 00008946 00000036 c03002f0 c4816b80 00000036<br /> 9fa0: b6d77ae0 c03000c0 01015c9c 0000000b 0000000b 00008946 becc83e8 00000000<br /> 9fc0: 01015c9c 0000000b 00008946 00000036 00000035 010678a0 b6d797ec b6d77ae0<br /> 9fe0: b6dbf738 becc838c b6d186d7 b6baa858 40000030 0000000b 00000000 00000000<br /> page_pool_get_s<br /> ---truncated---