Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hfs: Replace BUG_ON with error handling for CNID count checks<br /> <br /> In a06ec283e125 next_id, folder_count, and file_count in the super block<br /> info were expanded to 64 bits, and BUG_ONs were added to detect<br /> overflow. This triggered an error reported by syzbot: if the MDB is<br /> corrupted, the BUG_ON is triggered. This patch replaces this mechanism<br /> with proper error handling and resolves the syzbot reported bug.<br /> <br /> Singed-off-by: Jori Koolstra

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: chips-media: wave5: Fix device cleanup order to prevent kernel panic<br /> <br /> Move video device unregistration to the beginning of the remove function<br /> to ensure all video operations are stopped before cleaning up the worker<br /> thread and disabling PM runtime. This prevents hardware register access<br /> after the device has been powered down.<br /> <br /> In polling mode, the hrtimer periodically triggers<br /> wave5_vpu_timer_callback() which queues work to the kthread worker.<br /> The worker executes wave5_vpu_irq_work_fn() which reads hardware<br /> registers via wave5_vdi_read_register().<br /> <br /> The original cleanup order disabled PM runtime and powered down hardware<br /> before unregistering video devices. When autosuspend triggers and powers<br /> off the hardware, the video devices are still registered and the worker<br /> thread can still be triggered by the hrtimer, causing it to attempt<br /> reading registers from powered-off hardware. This results in a bus error<br /> (synchronous external abort) and kernel panic.<br /> <br /> This causes random kernel panics during encoding operations:<br /> <br /> Internal error: synchronous external abort: 0000000096000010<br /> [#1] PREEMPT SMP<br /> Modules linked in: wave5 rpmsg_ctrl rpmsg_char ...<br /> CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread<br /> Tainted: G M W<br /> pc : wave5_vdi_read_register+0x10/0x38 [wave5]<br /> lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5]<br /> Call trace:<br /> wave5_vdi_read_register+0x10/0x38 [wave5]<br /> kthread_worker_fn+0xd8/0x238<br /> kthread+0x104/0x120<br /> ret_from_fork+0x10/0x20<br /> Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000)<br /> ---[ end trace 0000000000000000 ]---<br /> Kernel panic - not syncing: synchronous external abort:<br /> Fatal exception

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/rds: Clear reconnect pending bit<br /> <br /> When canceling the reconnect worker, care must be taken to reset the<br /> reconnect-pending bit. If the reconnect worker has not yet been<br /> scheduled before it is canceled, the reconnect-pending bit will stay<br /> on forever.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/amd: serialize sequence allocation under concurrent TLB invalidations<br /> <br /> With concurrent TLB invalidations, completion wait randomly gets timed out<br /> because cmd_sem_val was incremented outside the IOMMU spinlock, allowing<br /> CMD_COMPL_WAIT commands to be queued out of sequence and breaking the<br /> ordering assumption in wait_on_sem().<br /> Move the cmd_sem_val increment under iommu-&gt;lock so completion sequence<br /> allocation is serialized with command queuing.<br /> And remove the unnecessary return.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: Fix locking usage for tcon fields<br /> <br /> We used to use the cifs_tcp_ses_lock to protect a lot of objects<br /> that are not just the server, ses or tcon lists. We later introduced<br /> srv_lock, ses_lock and tc_lock to protect fields within the<br /> corresponding structs. This was done to provide a more granular<br /> protection and avoid unnecessary serialization.<br /> <br /> There were still a couple of uses of cifs_tcp_ses_lock to provide<br /> tcon fields. In this patch, I&amp;#39;ve replaced them with tc_lock.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: Drop the lock in skb_may_tx_timestamp()<br /> <br /> skb_may_tx_timestamp() may acquire sock::sk_callback_lock. The lock must<br /> not be taken in IRQ context, only softirq is okay. A few drivers receive<br /> the timestamp via a dedicated interrupt and complete the TX timestamp<br /> from that handler. This will lead to a deadlock if the lock is already<br /> write-locked on the same CPU.<br /> <br /> Taking the lock can be avoided. The socket (pointed by the skb) will<br /> remain valid until the skb is released. The -&gt;sk_socket and -&gt;file<br /> member will be set to NULL once the user closes the socket which may<br /> happen before the timestamp arrives.<br /> If we happen to observe the pointer while the socket is closing but<br /> before the pointer is set to NULL then we may use it because both<br /> pointer (and the file&amp;#39;s cred member) are RCU freed.<br /> <br /> Drop the lock. Use READ_ONCE() to obtain the individual pointer. Add a<br /> matching WRITE_ONCE() where the pointer are cleared.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: iris: gen2: Add sanity check for session stop<br /> <br /> In iris_kill_session, inst-&gt;state is set to IRIS_INST_ERROR and<br /> session_close is executed, which will kfree(inst_hfi_gen2-&gt;packet).<br /> If stop_streaming is called afterward, it will cause a crash.<br /> <br /> Add a NULL check for inst_hfi_gen2-&gt;packet before sendling STOP packet<br /> to firmware to fix that.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: i2c/tw9903: Fix potential memory leak in tw9903_probe()<br /> <br /> In one of the error paths in tw9903_probe(), the memory allocated in<br /> v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() is not freed. Fix that<br /> by calling v4l2_ctrl_handler_free() on the handler in that error path.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: cpsw_new: Fix potential unregister of netdev that has not been registered yet<br /> <br /> If an error occurs during register_netdev() for the first MAC in<br /> cpsw_register_ports(), even though cpsw-&gt;slaves[0].ndev is set to NULL,<br /> cpsw-&gt;slaves[1].ndev would remain unchanged. This could later cause<br /> cpsw_unregister_ports() to attempt unregistering the second MAC.<br /> To address this, add a check for ndev-&gt;reg_state before calling<br /> unregister_netdev(). With this change, setting cpsw-&gt;slaves[i].ndev<br /> to NULL becomes unnecessary and can be removed accordingly.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipmi: ipmb: initialise event handler read bytes<br /> <br /> IPMB doesn&amp;#39;t use i2c reads, but the handler needs to set a value.<br /> Otherwise an i2c read will return an uninitialised value from the bus<br /> driver.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: verisilicon: AV1: Fix tile info buffer size<br /> <br /> Each tile info is composed of: row_sb, col_sb, start_pos<br /> and end_pos (4 bytes each). So the total required memory<br /> is AV1_MAX_TILES * 16 bytes.<br /> Use the correct #define to allocate the buffer and avoid<br /> writing tile info in non-allocated memory.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: mtk-mdp: Fix error handling in probe function<br /> <br /> Add mtk_mdp_unregister_m2m_device() on the error handling path to prevent<br /> resource leak.<br /> <br /> Add check for the return value of vpu_get_plat_device() to prevent null<br /> pointer dereference. And vpu_get_plat_device() increases the reference<br /> count of the returned platform device. Add platform_device_put() to<br /> prevent reference leak.