Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> s390/qeth: fix deadlock during failing recovery<br /> <br /> Commit 0b9902c1fcc5 ("s390/qeth: fix deadlock during recovery") removed<br /> taking discipline_mutex inside qeth_do_reset(), fixing potential<br /> deadlocks. An error path was missed though, that still takes<br /> discipline_mutex and thus has the original deadlock potential.<br /> <br /> Intermittent deadlocks were seen when a qeth channel path is configured<br /> offline, causing a race between qeth_do_reset and ccwgroup_remove.<br /> Call qeth_set_offline() directly in the qeth_do_reset() error case and<br /> then a new variant of ccwgroup_set_offline(), without taking<br /> discipline_mutex.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field<br /> <br /> If driver read tmp value sufficient for<br /> (tmp &amp; 0x08) &amp;&amp; (!(tmp &amp; 0x80)) &amp;&amp; ((tmp &amp; 0x7) == ((tmp &gt;&gt; 4) &amp; 0x7))<br /> from device then Null pointer dereference occurs.<br /> (It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)<br /> Also lm75[] does not serve a purpose anymore after switching to<br /> devm_i2c_new_dummy_device() in w83791d_detect_subclients().<br /> <br /> The patch fixes possible NULL pointer dereference by removing lm75[].<br /> <br /> Found by Linux Driver Verification project (linuxtesting.org).<br /> <br /> [groeck: Dropped unnecessary continuation lines, fixed multi-line alignments]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: Fix out-of-bound vmalloc access in imageblit<br /> <br /> This issue happens when a userspace program does an ioctl<br /> FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct<br /> containing only the fields xres, yres, and bits_per_pixel<br /> with values.<br /> <br /> If this struct is the same as the previous ioctl, the<br /> vc_resize() detects it and doesn&amp;#39;t call the resize_screen(),<br /> leaving the fb_var_screeninfo incomplete. And this leads to<br /> the updatescrollmode() calculates a wrong value to<br /> fbcon_display-&gt;vrows, which makes the real_y() return a<br /> wrong value of y, and that value, eventually, causes<br /> the imageblit to access an out-of-bound address value.<br /> <br /> To solve this issue I made the resize_screen() be called<br /> even if the screen does not need any resizing, so it will<br /> "fix and fill" the fb_var_screeninfo independently.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> atm: iphase: fix possible use-after-free in ia_module_exit()<br /> <br /> This module&amp;#39;s remove path calls del_timer(). However, that function<br /> does not wait until the timer handler finishes. This means that the<br /> timer handler may still be running after the driver&amp;#39;s remove function<br /> has finished, which would result in a use-after-free.<br /> <br /> Fix by calling del_timer_sync(), which makes sure the timer handler<br /> has finished, and unable to re-schedule itself.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: greybus: uart: fix tty use after free<br /> <br /> User space can hold a tty open indefinitely and tty drivers must not<br /> release the underlying structures until the last user is gone.<br /> <br /> Switch to using the tty-port reference counter to manage the life time<br /> of the greybus tty state to avoid use after free after a disconnect.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: Fix soft lockup during fsstress<br /> <br /> Below traces are observed during fsstress and system got hung.<br /> [ 130.698396] watchdog: BUG: soft lockup - CPU#6 stuck for 26s!

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> binder: make sure fd closes complete<br /> <br /> During BC_FREE_BUFFER processing, the BINDER_TYPE_FDA object<br /> cleanup may close 1 or more fds. The close operations are<br /> completed using the task work mechanism -- which means the thread<br /> needs to return to userspace or the file object may never be<br /> dereferenced -- which can lead to hung processes.<br /> <br /> Force the binder thread back to userspace if an fd is closed during<br /> BC_FREE_BUFFER handling.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mcb: fix error handling in mcb_alloc_bus()<br /> <br /> There are two bugs:<br /> 1) If ida_simple_get() fails then this code calls put_device(carrier)<br /> but we haven&amp;#39;t yet called get_device(carrier) and probably that<br /> leads to a use after free.<br /> 2) After device_initialize() then we need to use put_device() to<br /> release the bus. This will free the internal resources tied to the<br /> device and call mcb_free_bus() which will free the rest.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/pm: Update intermediate power state for SI<br /> <br /> Update the current state as boot state during dpm initialization.<br /> During the subsequent initialization, set_power_state gets called to<br /> transition to the final power state. set_power_state refers to values<br /> from the current state and without current state populated, it could<br /> result in NULL pointer dereference.<br /> <br /> For ex: on platforms where PCI speed change is supported through ACPI<br /> ATCS method, the link speed of current state needs to be queried before<br /> deciding on changing to final power state&amp;#39;s link speed. The logic to query<br /> ATCS-support was broken on certain platforms. The issue became visible<br /> when broken ATCS-support logic got fixed with commit<br /> f9b7f3703ff9 ("drm/amdgpu/acpi: make ATPX/ATCS structures global (v2)").<br /> <br /> Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1698

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nexthop: Fix division by zero while replacing a resilient group<br /> <br /> The resilient nexthop group torture tests in fib_nexthop.sh exposed a<br /> possible division by zero while replacing a resilient group [1]. The<br /> division by zero occurs when the data path sees a resilient nexthop<br /> group with zero buckets.<br /> <br /> The tests replace a resilient nexthop group in a loop while traffic is<br /> forwarded through it. The tests do not specify the number of buckets<br /> while performing the replacement, resulting in the kernel allocating a<br /> stub resilient table (i.e, &amp;#39;struct nh_res_table&amp;#39;) with zero buckets.<br /> <br /> This table should never be visible to the data path, but the old nexthop<br /> group (i.e., &amp;#39;oldg&amp;#39;) might still be used by the data path when the stub<br /> table is assigned to it.<br /> <br /> Fix this by only assigning the stub table to the old nexthop group after<br /> making sure the group is no longer used by the data path.<br /> <br /> Tested with fib_nexthops.sh:<br /> <br /> Tests passed: 222<br /> Tests failed: 0<br /> <br /> [1]<br /> divide error: 0000 [#1] PREEMPT SMP KASAN<br /> CPU: 0 PID: 1850 Comm: ping Not tainted 5.14.0-custom-10271-ga86eb53057fe #1107<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014<br /> RIP: 0010:nexthop_select_path+0x2d2/0x1a80<br /> [...]<br /> Call Trace:<br /> fib_select_multipath+0x79b/0x1530<br /> fib_select_path+0x8fb/0x1c10<br /> ip_route_output_key_hash_rcu+0x1198/0x2da0<br /> ip_route_output_key_hash+0x190/0x340<br /> ip_route_output_flow+0x21/0x120<br /> raw_sendmsg+0x91d/0x2e10<br /> inet_sendmsg+0x9e/0xe0<br /> __sys_sendto+0x23d/0x360<br /> __x64_sys_sendto+0xe1/0x1b0<br /> do_syscall_64+0x35/0x80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> comedi: Fix memory leak in compat_insnlist()<br /> <br /> `compat_insnlist()` handles the 32-bit version of the `COMEDI_INSNLIST`<br /> ioctl (whenwhen `CONFIG_COMPAT` is enabled). It allocates memory to<br /> temporarily hold an array of `struct comedi_insn` converted from the<br /> 32-bit version in user space. This memory is only being freed if there<br /> is a fault while filling the array, otherwise it is leaked.<br /> <br /> Add a call to `kfree()` to fix the leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> afs: Fix page leak<br /> <br /> There&amp;#39;s a loop in afs_extend_writeback() that adds extra pages to a write<br /> we want to make to improve the efficiency of the writeback by making it<br /> larger. This loop stops, however, if we hit a page we can&amp;#39;t write back<br /> from immediately, but it doesn&amp;#39;t get rid of the page ref we speculatively<br /> acquired.<br /> <br /> This was caused by the removal of the cleanup loop when the code switched<br /> from using find_get_pages_contig() to xarray scanning as the latter only<br /> gets a single page at a time, not a batch.<br /> <br /> Fix this by putting the page on a ref on an early break from the loop.<br /> Unfortunately, we can&amp;#39;t just add that page to the pagevec we&amp;#39;re employing<br /> as we&amp;#39;ll go through that and add those pages to the RPC call.<br /> <br /> This was found by the generic/074 test. It leaks ~4GiB of RAM each time it<br /> is run - which can be observed with "top".