Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: qcom: gcc-ipq9574: fix terminating of frequency table arrays<br /> <br /> The frequency table arrays are supposed to be terminated with an<br /> empty element. Add such entry to the end of the arrays where it<br /> is missing in order to avoid possible out-of-bound access when<br /> the table is traversed by functions like qcom_find_freq() or<br /> qcom_find_freq_floor().<br /> <br /> Only compile tested.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays<br /> <br /> The frequency table arrays are supposed to be terminated with an<br /> empty element. Add such entry to the end of the arrays where it<br /> is missing in order to avoid possible out-of-bound access when<br /> the table is traversed by functions like qcom_find_freq() or<br /> qcom_find_freq_floor().<br /> <br /> Only compile tested.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: qcom: gcc-ipq6018: fix terminating of frequency table arrays<br /> <br /> The frequency table arrays are supposed to be terminated with an<br /> empty element. Add such entry to the end of the arrays where it<br /> is missing in order to avoid possible out-of-bound access when<br /> the table is traversed by functions like qcom_find_freq() or<br /> qcom_find_freq_floor().<br /> <br /> Only compile tested.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: qcom: gcc-ipq5018: fix terminating of frequency table arrays<br /> <br /> The frequency table arrays are supposed to be terminated with an<br /> empty element. Add such entry to the end of the arrays where it<br /> is missing in order to avoid possible out-of-bound access when<br /> the table is traversed by functions like qcom_find_freq() or<br /> qcom_find_freq_floor().

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fat: fix uninitialized field in nostale filehandles<br /> <br /> When fat_encode_fh_nostale() encodes file handle without a parent it<br /> stores only first 10 bytes of the file handle. However the length of the<br /> file handle must be a multiple of 4 so the file handle is actually 12<br /> bytes long and the last two bytes remain uninitialized. This is not<br /> great at we potentially leak uninitialized information with the handle<br /> to userspace. Properly initialize the full handle length.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: btnxpuart: Fix btnxpuart_close<br /> <br /> Fix scheduling while atomic BUG in btnxpuart_close(), properly<br /> purge the transmit queue and free the receive skb.<br /> <br /> [ 10.973809] BUG: scheduling while atomic: kworker/u9:0/80/0x00000002<br /> ...<br /> [ 10.980740] CPU: 3 PID: 80 Comm: kworker/u9:0 Not tainted 6.8.0-rc7-0.0.0-devel-00005-g61fdfceacf09 #1<br /> [ 10.980751] Hardware name: Toradex Verdin AM62 WB on Dahlia Board (DT)<br /> [ 10.980760] Workqueue: hci0 hci_power_off [bluetooth]<br /> [ 10.981169] Call trace:<br /> ...<br /> [ 10.981363] uart_update_mctrl+0x58/0x78<br /> [ 10.981373] uart_dtr_rts+0x104/0x114<br /> [ 10.981381] tty_port_shutdown+0xd4/0xdc<br /> [ 10.981396] tty_port_close+0x40/0xbc<br /> [ 10.981407] uart_close+0x34/0x9c<br /> [ 10.981414] ttyport_close+0x50/0x94<br /> [ 10.981430] serdev_device_close+0x40/0x50<br /> [ 10.981442] btnxpuart_close+0x24/0x98 [btnxpuart]<br /> [ 10.981469] hci_dev_close_sync+0x2d8/0x718 [bluetooth]<br /> [ 10.981728] hci_dev_do_close+0x2c/0x70 [bluetooth]<br /> [ 10.981862] hci_power_off+0x20/0x64 [bluetooth]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape<br /> <br /> For raid456, if reshape is still in progress, then IO across reshape<br /> position will wait for reshape to make progress. However, for dm-raid,<br /> in following cases reshape will never make progress hence IO will hang:<br /> <br /> 1) the array is read-only;<br /> 2) MD_RECOVERY_WAIT is set;<br /> 3) MD_RECOVERY_FROZEN is set;<br /> <br /> After commit c467e97f079f ("md/raid6: use valid sector values to determine<br /> if an I/O should wait on the reshape") fix the problem that IO across<br /> reshape position doesn&amp;#39;t wait for reshape, the dm-raid test<br /> shell/lvconvert-raid-reshape.sh start to hang:<br /> <br /> [root@fedora ~]# cat /proc/979/stack<br /> [] wait_woken+0x7d/0x90<br /> [] raid5_make_request+0x929/0x1d70 [raid456]<br /> [] md_handle_request+0xc2/0x3b0 [md_mod]<br /> [] raid_map+0x2c/0x50 [dm_raid]<br /> [] __map_bio+0x251/0x380 [dm_mod]<br /> [] dm_submit_bio+0x1f0/0x760 [dm_mod]<br /> [] __submit_bio+0xc2/0x1c0<br /> [] submit_bio_noacct_nocheck+0x17f/0x450<br /> [] submit_bio_noacct+0x2bc/0x780<br /> [] submit_bio+0x70/0xc0<br /> [] mpage_readahead+0x169/0x1f0<br /> [] blkdev_readahead+0x18/0x30<br /> [] read_pages+0x7c/0x3b0<br /> [] page_cache_ra_unbounded+0x1ab/0x280<br /> [] force_page_cache_ra+0x9e/0x130<br /> [] page_cache_sync_ra+0x3b/0x110<br /> [] filemap_get_pages+0x143/0xa30<br /> [] filemap_read+0xdc/0x4b0<br /> [] blkdev_read_iter+0x75/0x200<br /> [] vfs_read+0x272/0x460<br /> [] ksys_read+0x7a/0x170<br /> [] __x64_sys_read+0x1c/0x30<br /> [] do_syscall_64+0xc6/0x230<br /> [] entry_SYSCALL_64_after_hwframe+0x6c/0x74<br /> <br /> This is because reshape can&amp;#39;t make progress.<br /> <br /> For md/raid, the problem doesn&amp;#39;t exist because register new sync_thread<br /> doesn&amp;#39;t rely on the IO to be done any more:<br /> <br /> 1) If array is read-only, it can switch to read-write by ioctl/sysfs;<br /> 2) md/raid never set MD_RECOVERY_WAIT;<br /> 3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn&amp;#39;t hold<br /> &amp;#39;reconfig_mutex&amp;#39;, hence it can be cleared and reshape can continue by<br /> sysfs api &amp;#39;sync_action&amp;#39;.<br /> <br /> However, I&amp;#39;m not sure yet how to avoid the problem in dm-raid yet. This<br /> patch on the one hand make sure raid_message() can&amp;#39;t change<br /> sync_thread() through raid_message() after presuspend(), on the other<br /> hand detect the above 3 cases before wait for IO do be done in<br /> dm_suspend(), and let dm-raid requeue those IO.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: dwc3-am62: fix module unload/reload behavior<br /> <br /> As runtime PM is enabled, the module can be runtime<br /> suspended when .remove() is called.<br /> <br /> Do a pm_runtime_get_sync() to make sure module is active<br /> before doing any register operations.<br /> <br /> Doing a pm_runtime_put_sync() should disable the refclk<br /> so no need to disable it again.<br /> <br /> Fixes the below warning at module removel.<br /> <br /> [ 39.705310] ------------[ cut here ]------------<br /> [ 39.710004] clk:162:3 already disabled<br /> [ 39.713941] WARNING: CPU: 0 PID: 921 at drivers/clk/clk.c:1090 clk_core_disable+0xb0/0xb8<br /> <br /> We called of_platform_populate() in .probe() so call the<br /> cleanup function of_platform_depopulate() in .remove().<br /> Get rid of the now unnnecessary dwc3_ti_remove_core().<br /> Without this, module re-load doesn&amp;#39;t work properly.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: xhci: Add error handling in xhci_map_urb_for_dma<br /> <br /> Currently xhci_map_urb_for_dma() creates a temporary buffer and copies<br /> the SG list to the new linear buffer. But if the kzalloc_node() fails,<br /> then the following sg_pcopy_to_buffer() can lead to crash since it<br /> tries to memcpy to NULL pointer.<br /> <br /> So return -ENOMEM if kzalloc returns null pointer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: qcom: mmcc-apq8084: fix terminating of frequency table arrays<br /> <br /> The frequency table arrays are supposed to be terminated with an<br /> empty element. Add such entry to the end of the arrays where it<br /> is missing in order to avoid possible out-of-bound access when<br /> the table is traversed by functions like qcom_find_freq() or<br /> qcom_find_freq_floor().<br /> <br /> Only compile tested.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays<br /> <br /> The frequency table arrays are supposed to be terminated with an<br /> empty element. Add such entry to the end of the arrays where it<br /> is missing in order to avoid possible out-of-bound access when<br /> the table is traversed by functions like qcom_find_freq() or<br /> qcom_find_freq_floor().<br /> <br /> Only compile tested.