Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> async_xor: increase src_offs when dropping destination page<br /> <br /> Now we support sharing one page if PAGE_SIZE is not equal stripe size. To<br /> support this, it needs to support calculating xor value with different<br /> offsets for each r5dev. One offset array is used to record those offsets.<br /> <br /> In RMW mode, parity page is used as a source page. It sets<br /> ASYNC_TX_XOR_DROP_DST before calculating xor value in ops_run_prexor5.<br /> So it needs to add src_list and src_offs at the same time. Now it only<br /> needs src_list. So the xor value which is calculated is wrong. It can<br /> cause data corruption problem.<br /> <br /> I can reproduce this problem 100% on a POWER8 machine. The steps are:<br /> <br /> mdadm -CR /dev/md0 -l5 -n3 /dev/sdb1 /dev/sdc1 /dev/sdd1 --size=3G<br /> mkfs.xfs /dev/md0<br /> mount /dev/md0 /mnt/test<br /> mount: /mnt/test: mount(2) system call failed: Structure needs cleaning.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> soc/tegra: regulators: Fix locking up when voltage-spread is out of range<br /> <br /> Fix voltage coupler lockup which happens when voltage-spread is out<br /> of range due to a bug in the code. The max-spread requirement shall be<br /> accounted when CPU regulator doesn&amp;#39;t have consumers. This problem is<br /> observed on Tegra30 Ouya game console once system-wide DVFS is enabled<br /> in a device-tree.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/nfc: fix use-after-free llcp_sock_bind/connect<br /> <br /> Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()")<br /> and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()")<br /> fixed a refcount leak bug in bind/connect but introduced a<br /> use-after-free if the same local is assigned to 2 different sockets.<br /> <br /> This can be triggered by the following simple program:<br /> int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );<br /> int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );<br /> memset( &amp;addr, 0, sizeof(struct sockaddr_nfc_llcp) );<br /> addr.sa_family = AF_NFC;<br /> addr.nfc_protocol = NFC_PROTO_NFC_DEP;<br /> bind( sock1, (struct sockaddr*) &amp;addr, sizeof(struct sockaddr_nfc_llcp) )<br /> bind( sock2, (struct sockaddr*) &amp;addr, sizeof(struct sockaddr_nfc_llcp) )<br /> close(sock1);<br /> close(sock2);<br /> <br /> Fix this by assigning NULL to llcp_sock-&gt;local after calling<br /> nfc_llcp_local_put.<br /> <br /> This addresses CVE-2021-23134.

dp-golang is a Puppet module for Go installations. Prior to 1.2.7, dp-golang could install files — including the compiler binary — with the wrong ownership when Puppet was run as root and the installed package was On macOS: Go version 1.4.3 through 1.21rc3, inclusive, go1.4-bootstrap-20170518.tar.gz, or go1.4-bootstrap-20170531.tar.gz. The user and group specified in Puppet code were ignored for files within the archive. dp-puppet version 1.2.7 will recreate installations if the owner or group of any file or directory within that installation does not match the requested owner or group

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: Fix use-after-free with devm_spi_alloc_*<br /> <br /> We can&amp;#39;t rely on the contents of the devres list during<br /> spi_unregister_controller(), as the list is already torn down at the<br /> time we perform devres_find() for devm_spi_release_controller. This<br /> causes devices registered with devm_spi_alloc_{master,slave}() to be<br /> mistakenly identified as legacy, non-devm managed devices and have their<br /> reference counters decremented below 0.<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 1 PID: 660 at lib/refcount.c:28 refcount_warn_saturate+0x108/0x174<br /> [] (refcount_warn_saturate) from [] (kobject_put+0x90/0x98)<br /> [] (kobject_put) from [] (put_device+0x20/0x24)<br /> r4:b6700140<br /> [] (put_device) from [] (devm_spi_release_controller+0x3c/0x40)<br /> [] (devm_spi_release_controller) from [] (release_nodes+0x84/0xc4)<br /> r5:b6700180 r4:b6700100<br /> [] (release_nodes) from [] (devres_release_all+0x5c/0x60)<br /> r8:b1638c54 r7:b117ad94 r6:b1638c10 r5:b117ad94 r4:b163dc10<br /> [] (devres_release_all) from [] (__device_release_driver+0x144/0x1ec)<br /> r5:b117ad94 r4:b163dc10<br /> [] (__device_release_driver) from [] (device_driver_detach+0x84/0xa0)<br /> r9:00000000 r8:00000000 r7:b117ad94 r6:b163dc54 r5:b1638c10 r4:b163dc10<br /> [] (device_driver_detach) from [] (unbind_store+0xe4/0xf8)<br /> <br /> Instead, determine the devm allocation state as a flag on the<br /> controller which is guaranteed to be stable during cleanup.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> m68k: mvme147,mvme16x: Don&amp;#39;t wipe PCC timer config bits<br /> <br /> Don&amp;#39;t clear the timer 1 configuration bits when clearing the interrupt flag<br /> and counter overflow. As Michael reported, "This results in no timer<br /> interrupts being delivered after the first. Initialization then hangs<br /> in calibrate_delay as the jiffies counter is not updated."<br /> <br /> On mvme16x, enable the timer after requesting the irq, consistent with<br /> mvme147.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> soundwire: stream: fix memory leak in stream config error path<br /> <br /> When stream config is failed, master runtime will release all<br /> slave runtime in the slave_rt_list, but slave runtime is not<br /> added to the list at this time. This patch frees slave runtime<br /> in the config error path to fix the memory leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bus: qcom: Put child node before return<br /> <br /> Put child node before return to fix potential reference count leak.<br /> Generally, the reference count of child is incremented and decremented<br /> automatically in the macro for_each_available_child_of_node() and should<br /> be decremented manually if the loop is broken in loop body.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mtd: require write permissions for locking and badblock ioctls<br /> <br /> MEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require<br /> write permission. Depending on the hardware MEMLOCK might even be<br /> write-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK<br /> is always write-once.<br /> <br /> MEMSETBADBLOCK modifies the bad block table.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init<br /> <br /> ADF_STATUS_PF_RUNNING is (only) used and checked by adf_vf2pf_shutdown()<br /> before calling adf_iov_putmsg()-&gt;mutex_lock(vf2pf_lock), however the<br /> vf2pf_lock is initialized in adf_dev_init(), which can fail and when it<br /> fail, the vf2pf_lock is either not initialized or destroyed, a subsequent<br /> use of vf2pf_lock will cause issue.<br /> To fix this issue, only set this flag if adf_dev_init() returns 0.<br /> <br /> [ 7.178404] BUG: KASAN: user-memory-access in __mutex_lock.isra.0+0x1ac/0x7c0<br /> [ 7.180345] Call Trace:<br /> [ 7.182576] mutex_lock+0xc9/0xd0<br /> [ 7.183257] adf_iov_putmsg+0x118/0x1a0 [intel_qat]<br /> [ 7.183541] adf_vf2pf_shutdown+0x4d/0x7b [intel_qat]<br /> [ 7.183834] adf_dev_shutdown+0x172/0x2b0 [intel_qat]<br /> [ 7.184127] adf_probe+0x5e9/0x600 [qat_dh895xccvf]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: sun8i-ss - Fix memory leak of object d when dma_iv fails to map<br /> <br /> In the case where the dma_iv mapping fails, the return error path leaks<br /> the memory allocated to object d. Fix this by adding a new error return<br /> label and jumping to this to ensure d is free&amp;#39;d before the return.<br /> <br /> Addresses-Coverity: ("Resource leak")

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> regmap: set debugfs_name to NULL after it is freed<br /> <br /> There is a upstream commit cffa4b2122f5("regmap:debugfs:<br /> Fix a memory leak when calling regmap_attach_dev") that<br /> adds a if condition when create name for debugfs_name.<br /> With below function invoking logical, debugfs_name is<br /> freed in regmap_debugfs_exit(), but it is not created again<br /> because of the if condition introduced by above commit.<br /> regmap_reinit_cache()<br /> regmap_debugfs_exit()<br /> ...<br /> regmap_debugfs_init()<br /> So, set debugfs_name to NULL after it is freed.