Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: usb-audio: Add sanity check for OOB writes at silencing<br /> <br /> At silencing the playback URB packets in the implicit fb mode before<br /> the actual playback, we blindly assume that the received packets fit<br /> with the buffer size. But when the setup in the capture stream<br /> differs from the playback stream (e.g. due to the USB core limitation<br /> of max packet size), such an inconsistency may lead to OOB writes to<br /> the buffer, resulting in a crash.<br /> <br /> For addressing it, add a sanity check of the transfer buffer size at<br /> prepare_silent_urb(), and stop the data copy if the received data<br /> overflows. Also, report back the transfer error properly from there,<br /> too.<br /> <br /> Note that this doesn&amp;#39;t fix the root cause of the playback error<br /> itself, but this merely covers the kernel Oops.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise<br /> <br /> When user provides a bogus pat_index value through the madvise IOCTL, the<br /> xe_pat_index_get_coh_mode() function performs an array access without<br /> validating bounds. This allows a malicious user to trigger an out-of-bounds<br /> kernel read from the xe-&gt;pat.table array.<br /> <br /> The vulnerability exists because the validation in madvise_args_are_sane()<br /> directly calls xe_pat_index_get_coh_mode(xe, args-&gt;pat_index.val) without<br /> first checking if pat_index is within [0, xe-&gt;pat.n_entries).<br /> <br /> Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug<br /> builds, it still performs the unsafe array access in production kernels.<br /> <br /> v2(Matthew Auld)<br /> - Using array_index_nospec() to mitigate spectre attacks when the value<br /> is used<br /> <br /> v3(Matthew Auld)<br /> - Put the declarations at the start of the block<br /> <br /> (cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle<br /> <br /> dma_free_coherent() in error path takes priv-&gt;rx_buf.alloc_len as<br /> the dma handle. This would lead to improper unmapping of the buffer.<br /> <br /> Change the dma handle to priv-&gt;rx_buf.alloc_phys.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port<br /> <br /> The function ionic_query_port() calls ib_device_get_netdev() without<br /> checking the return value which could lead to NULL pointer dereference,<br /> Fix it by checking the return value and return -ENODEV if the &amp;#39;ndev&amp;#39; is<br /> NULL.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()<br /> <br /> Although it is guided that `#mbox-cells` must be at least 1, there are<br /> many instances of `#mbox-cells = ;` in the device tree. If that is<br /> the case and the corresponding mailbox controller does not provide<br /> `fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` will<br /> be used by default and out-of-bounds accesses could occur due to lack of<br /> bounds check in that function.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> APEI/GHES: ensure that won&amp;#39;t go past CPER allocated record<br /> <br /> The logic at ghes_new() prevents allocating too large records, by<br /> checking if they&amp;#39;re bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB).<br /> Yet, the allocation is done with the actual number of pages from the<br /> CPER bios table location, which can be smaller.<br /> <br /> Yet, a bad firmware could send data with a different size, which might<br /> be bigger than the allocated memory, causing an OOPS:<br /> <br /> Unable to handle kernel paging request at virtual address fff00000f9b40000<br /> Mem abort info:<br /> ESR = 0x0000000096000007<br /> EC = 0x25: DABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> FSC = 0x07: level 3 translation fault<br /> Data abort info:<br /> ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000<br /> CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> swapper pgtable: 4k pages, 52-bit VAs, pgdp=000000008ba16000<br /> [fff00000f9b40000] pgd=180000013ffff403, p4d=180000013fffe403, pud=180000013f85b403, pmd=180000013f68d403, pte=0000000000000000<br /> Internal error: Oops: 0000000096000007 [#1] SMP<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 303 Comm: kworker/0:1 Not tainted 6.19.0-rc1-00002-gda407d200220 #34 PREEMPT<br /> Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022<br /> Workqueue: kacpi_notify acpi_os_execute_deferred<br /> pstate: 214020c5 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)<br /> pc : hex_dump_to_buffer+0x30c/0x4a0<br /> lr : hex_dump_to_buffer+0x328/0x4a0<br /> sp : ffff800080e13880<br /> x29: ffff800080e13880 x28: ffffac9aba86f6a8 x27: 0000000000000083<br /> x26: fff00000f9b3fffc x25: 0000000000000004 x24: 0000000000000004<br /> x23: ffff800080e13905 x22: 0000000000000010 x21: 0000000000000083<br /> x20: 0000000000000001 x19: 0000000000000008 x18: 0000000000000010<br /> x17: 0000000000000001 x16: 00000007c7f20fec x15: 0000000000000020<br /> x14: 0000000000000008 x13: 0000000000081020 x12: 0000000000000008<br /> x11: ffff800080e13905 x10: ffff800080e13988 x9 : 0000000000000000<br /> x8 : 0000000000000000 x7 : 0000000000000001 x6 : 0000000000000020<br /> x5 : 0000000000000030 x4 : 00000000fffffffe x3 : 0000000000000000<br /> x2 : ffffac9aba78c1c8 x1 : ffffac9aba76d0a8 x0 : 0000000000000008<br /> Call trace:<br /> hex_dump_to_buffer+0x30c/0x4a0 (P)<br /> print_hex_dump+0xac/0x170<br /> cper_estatus_print_section+0x90c/0x968<br /> cper_estatus_print+0xf0/0x158<br /> __ghes_print_estatus+0xa0/0x148<br /> ghes_proc+0x1bc/0x220<br /> ghes_notify_hed+0x5c/0xb8<br /> notifier_call_chain+0x78/0x148<br /> blocking_notifier_call_chain+0x4c/0x80<br /> acpi_hed_notify+0x28/0x40<br /> acpi_ev_notify_dispatch+0x50/0x80<br /> acpi_os_execute_deferred+0x24/0x48<br /> process_one_work+0x15c/0x3b0<br /> worker_thread+0x2d0/0x400<br /> kthread+0x148/0x228<br /> ret_from_fork+0x10/0x20<br /> Code: 6b14033f 540001ad a94707e2 f100029f (b8747b44)<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> Prevent that by taking the actual allocated are into account when<br /> checking for CPER length.<br /> <br /> [ rjw: Subject tweaks ]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm: clear cloned request bio pointer when last clone bio completes<br /> <br /> Stale rq-&gt;bio values have been observed to cause double-initialization of<br /> cloned bios in request-based device-mapper targets, leading to<br /> use-after-free and double-free scenarios.<br /> <br /> One such case occurs when using dm-multipath on top of a PCIe NVMe<br /> namespace, where cloned request bios are freed during<br /> blk_complete_request(), but rq-&gt;bio is left intact. Subsequent clone<br /> teardown then attempts to free the same bios again via<br /> blk_rq_unprep_clone().<br /> <br /> The resulting double-free path looks like:<br /> <br /> nvme_pci_complete_batch()<br /> nvme_complete_batch()<br /> blk_mq_end_request_batch()<br /> blk_complete_request() // called on a DM clone request<br /> bio_endio() // first free of all clone bios<br /> ...<br /> rq-&gt;end_io() // end_clone_request()<br /> dm_complete_request(tio-&gt;orig)<br /> dm_softirq_done()<br /> dm_done()<br /> dm_end_request()<br /> blk_rq_unprep_clone() // second free of clone bios<br /> <br /> Fix this by clearing the clone request&amp;#39;s bio pointer when the last cloned<br /> bio completes, ensuring that later teardown paths do not attempt to free<br /> already-released bios.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: core: Flush exception handling work when RPM level is zero<br /> <br /> Ensure that the exception event handling work is explicitly flushed during<br /> suspend when the runtime power management level is set to UFS_PM_LVL_0.<br /> <br /> When the RPM level is zero, the device power mode and link state both<br /> remain active. Previously, the UFS core driver bypassed flushing exception<br /> event handling jobs in this configuration. This created a race condition<br /> where the driver could attempt to access the host controller to handle an<br /> exception after the system had already entered a deep power-down state,<br /> resulting in a system crash.<br /> <br /> Explicitly flush this work and disable auto BKOPs before the suspend<br /> callback proceeds. This guarantees that pending exception tasks complete<br /> and prevents illegal hardware access during the power-down sequence.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()<br /> <br /> The cluster_cfg array is dynamically allocated to hold per-CPU<br /> configuration structures, with its size based on the number of online<br /> CPUs. Previously, this array was indexed using hartid, which may be<br /> non-contiguous or exceed the bounds of the array, leading to<br /> out-of-bounds access.<br /> Switch to using cpuid as the index, as it is guaranteed to be within<br /> the valid range provided by for_each_online_cpu().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: mana: Fix double destroy_workqueue on service rescan PCI path<br /> <br /> While testing corner cases in the driver, a use-after-free crash<br /> was found on the service rescan PCI path.<br /> <br /> When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup()<br /> destroys gc-&gt;service_wq. If the subsequent mana_gd_resume() fails<br /> with -ETIMEDOUT or -EPROTO, the code falls through to<br /> mana_serv_rescan() which triggers pci_stop_and_remove_bus_device().<br /> This invokes the PCI .remove callback (mana_gd_remove), which calls<br /> mana_gd_cleanup() a second time, attempting to destroy the already-<br /> freed workqueue. Fix this by NULL-checking gc-&gt;service_wq in<br /> mana_gd_cleanup() and setting it to NULL after destruction.<br /> <br /> Call stack of issue for reference:<br /> [Sat Feb 21 18:53:48 2026] Call Trace:<br /> [Sat Feb 21 18:53:48 2026] <br /> [Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana]<br /> [Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana]<br /> [Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0<br /> [Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70<br /> [Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250<br /> [Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20<br /> [Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90<br /> [Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30<br /> [Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana]<br /> [Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana]<br /> [Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0<br /> [Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0<br /> [Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130<br /> [Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10<br /> [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10<br /> [Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350<br /> [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10<br /> [Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30<br /> [Sat Feb 21 18:53:48 2026]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback<br /> <br /> After several commits, the slab memory increases. Some drm_crtc_commit<br /> objects are not freed. The atomic_destroy_state callback only put the<br /> framebuffer. Use the __drm_atomic_helper_plane_destroy_state() function<br /> to put all the objects that are no longer needed.<br /> <br /> It has been seen after hours of usage of a graphics application or using<br /> kmemleak:<br /> <br /> unreferenced object 0xc63a6580 (size 64):<br /> comm "egt_basic", pid 171, jiffies 4294940784<br /> hex dump (first 32 bytes):<br /> 40 50 34 c5 01 00 00 00 ff ff ff ff 8c 65 3a c6 @P4..........e:.<br /> 8c 65 3a c6 ff ff ff ff 98 65 3a c6 98 65 3a c6 .e:......e:..e:.<br /> backtrace (crc c25aa925):<br /> kmemleak_alloc+0x34/0x3c<br /> __kmalloc_cache_noprof+0x150/0x1a4<br /> drm_atomic_helper_setup_commit+0x1e8/0x7bc<br /> drm_atomic_helper_commit+0x3c/0x15c<br /> drm_atomic_commit+0xc0/0xf4<br /> drm_atomic_helper_set_config+0x84/0xb8<br /> drm_mode_setcrtc+0x32c/0x810<br /> drm_ioctl+0x20c/0x488<br /> sys_ioctl+0x14c/0xc20<br /> ret_fast_syscall+0x0/0x54

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> md-cluster: fix NULL pointer dereference in process_metadata_update<br /> <br /> The function process_metadata_update() blindly dereferences the &amp;#39;thread&amp;#39;<br /> pointer (acquired via rcu_dereference_protected) within the wait_event()<br /> macro.<br /> <br /> While the code comment states "daemon thread must exist", there is a valid<br /> race condition window during the MD array startup sequence (md_run):<br /> <br /> 1. bitmap_load() is called, which invokes md_cluster_ops-&gt;join().<br /> 2. join() starts the "cluster_recv" thread (recv_daemon).<br /> 3. At this point, recv_daemon is active and processing messages.<br /> 4. However, mddev-&gt;thread (the main MD thread) is not initialized until<br /> later in md_run().<br /> <br /> If a METADATA_UPDATED message is received from a remote node during this<br /> specific window, process_metadata_update() will be called while<br /> mddev-&gt;thread is still NULL, leading to a kernel panic.<br /> <br /> To fix this, we must validate the &amp;#39;thread&amp;#39; pointer. If it is NULL, we<br /> release the held lock (no_new_dev_lockres) and return early, safely<br /> ignoring the update request as the array is not yet fully ready to<br /> process it.