Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/zcrx: fix sgtable leak on mapping failures<br /> <br /> In an unlikely case when io_populate_area_dma() fails, which could only<br /> happen on a PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA machine,<br /> io_zcrx_map_area() will have an initialised and not freed table. It was<br /> supposed to be cleaned up in the error path, but !is_mapped prevents<br /> that.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: pvrusb2: fix URB leak in pvr2_send_request_ex<br /> <br /> When pvr2_send_request_ex() submits a write URB successfully but fails to<br /> submit the read URB (e.g. returns -ENOMEM), it returns immediately without<br /> waiting for the write URB to complete. Since the driver reuses the same<br /> URB structure, a subsequent call to pvr2_send_request_ex() attempts to<br /> submit the still-active write URB, triggering a &amp;#39;URB submitted while<br /> active&amp;#39; warning in usb_submit_urb().<br /> <br /> Fix this by ensuring the write URB is unlinked and waited upon if the read<br /> URB submission fails.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hfs: Replace BUG_ON with error handling for CNID count checks<br /> <br /> In a06ec283e125 next_id, folder_count, and file_count in the super block<br /> info were expanded to 64 bits, and BUG_ONs were added to detect<br /> overflow. This triggered an error reported by syzbot: if the MDB is<br /> corrupted, the BUG_ON is triggered. This patch replaces this mechanism<br /> with proper error handling and resolves the syzbot reported bug.<br /> <br /> Singed-off-by: Jori Koolstra

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/rds: No shortcut out of RDS_CONN_ERROR<br /> <br /> RDS connections carry a state "rds_conn_path::cp_state"<br /> and transitions from one state to another and are conditional<br /> upon an expected state: "rds_conn_path_transition."<br /> <br /> There is one exception to this conditionality, which is<br /> "RDS_CONN_ERROR" that can be enforced by "rds_conn_path_drop"<br /> regardless of what state the condition is currently in.<br /> <br /> But as soon as a connection enters state "RDS_CONN_ERROR",<br /> the connection handling code expects it to go through the<br /> shutdown-path.<br /> <br /> The RDS/TCP multipath changes added a shortcut out of<br /> "RDS_CONN_ERROR" straight back to "RDS_CONN_CONNECTING"<br /> via "rds_tcp_accept_one_path" (e.g. after "rds_tcp_state_change").<br /> <br /> A subsequent "rds_tcp_reset_callbacks" can then transition<br /> the state to "RDS_CONN_RESETTING" with a shutdown-worker queued.<br /> <br /> That&amp;#39;ll trip up "rds_conn_init_shutdown", which was<br /> never adjusted to handle "RDS_CONN_RESETTING" and subsequently<br /> drops the connection with the dreaded "DR_INV_CONN_STATE",<br /> which leaves "RDS_SHUTDOWN_WORK_QUEUED" on forever.<br /> <br /> So we do two things here:<br /> <br /> a) Don&amp;#39;t shortcut "RDS_CONN_ERROR", but take the longer<br /> path through the shutdown code.<br /> <br /> b) Add "RDS_CONN_RESETTING" to the expected states in<br /> "rds_conn_init_shutdown" so that we won&amp;#39;t error out<br /> and get stuck, if we ever hit weird state transitions<br /> like this again."

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/rds: Clear reconnect pending bit<br /> <br /> When canceling the reconnect worker, care must be taken to reset the<br /> reconnect-pending bit. If the reconnect worker has not yet been<br /> scheduled before it is canceled, the reconnect-pending bit will stay<br /> on forever.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> staging: rtl8723bs: fix memory leak on failure path<br /> <br /> cfg80211_inform_bss_frame() may return NULL on failure. In that case,<br /> the allocated buffer &amp;#39;buf&amp;#39; is not freed and the function returns early,<br /> leading to potential memory leak.<br /> Fix this by ensuring that &amp;#39;buf&amp;#39; is freed on both success and failure paths.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: Drop the lock in skb_may_tx_timestamp()<br /> <br /> skb_may_tx_timestamp() may acquire sock::sk_callback_lock. The lock must<br /> not be taken in IRQ context, only softirq is okay. A few drivers receive<br /> the timestamp via a dedicated interrupt and complete the TX timestamp<br /> from that handler. This will lead to a deadlock if the lock is already<br /> write-locked on the same CPU.<br /> <br /> Taking the lock can be avoided. The socket (pointed by the skb) will<br /> remain valid until the skb is released. The -&gt;sk_socket and -&gt;file<br /> member will be set to NULL once the user closes the socket which may<br /> happen before the timestamp arrives.<br /> If we happen to observe the pointer while the socket is closing but<br /> before the pointer is set to NULL then we may use it because both<br /> pointer (and the file&amp;#39;s cred member) are RCU freed.<br /> <br /> Drop the lock. Use READ_ONCE() to obtain the individual pointer. Add a<br /> matching WRITE_ONCE() where the pointer are cleared.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: iris: gen2: Add sanity check for session stop<br /> <br /> In iris_kill_session, inst-&gt;state is set to IRIS_INST_ERROR and<br /> session_close is executed, which will kfree(inst_hfi_gen2-&gt;packet).<br /> If stop_streaming is called afterward, it will cause a crash.<br /> <br /> Add a NULL check for inst_hfi_gen2-&gt;packet before sendling STOP packet<br /> to firmware to fix that.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: i2c/tw9903: Fix potential memory leak in tw9903_probe()<br /> <br /> In one of the error paths in tw9903_probe(), the memory allocated in<br /> v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() is not freed. Fix that<br /> by calling v4l2_ctrl_handler_free() on the handler in that error path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: cpsw_new: Fix potential unregister of netdev that has not been registered yet<br /> <br /> If an error occurs during register_netdev() for the first MAC in<br /> cpsw_register_ports(), even though cpsw-&gt;slaves[0].ndev is set to NULL,<br /> cpsw-&gt;slaves[1].ndev would remain unchanged. This could later cause<br /> cpsw_unregister_ports() to attempt unregistering the second MAC.<br /> To address this, add a check for ndev-&gt;reg_state before calling<br /> unregister_netdev(). With this change, setting cpsw-&gt;slaves[i].ndev<br /> to NULL becomes unnecessary and can be removed accordingly.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/amd: serialize sequence allocation under concurrent TLB invalidations<br /> <br /> With concurrent TLB invalidations, completion wait randomly gets timed out<br /> because cmd_sem_val was incremented outside the IOMMU spinlock, allowing<br /> CMD_COMPL_WAIT commands to be queued out of sequence and breaking the<br /> ordering assumption in wait_on_sem().<br /> Move the cmd_sem_val increment under iommu-&gt;lock so completion sequence<br /> allocation is serialized with command queuing.<br /> And remove the unnecessary return.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipmi: ipmb: initialise event handler read bytes<br /> <br /> IPMB doesn&amp;#39;t use i2c reads, but the handler needs to set a value.<br /> Otherwise an i2c read will return an uninitialised value from the bus<br /> driver.