Linux: >> Linux Kernel >> 4.16.14 Security Vulnerabilities
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: brcmnand: fix PM resume warning
Fixed warning on PM resume as shown below caused due to uninitialized
struct nand_operation that checks chip select field :
WARN_ON(op->cs >= nanddev_ntargets(&chip->base)
[ 14.588522] ------------[ cut here ]------------
[ 14.588529] WARNING: CPU: 0 PID: 1392 at drivers/mtd/nand/raw/internals.h:139 nand_reset_op+0x1e0/0x1f8
[ 14.588553] Modules linked in: bdc udc_core
[ 14.588579] CPU: 0 UID: 0 PID: 1392 Comm: rtcwake Tainted: G W 6.14.0-rc4-g5394eea10651 #16
[ 14.588590] Tainted: [W]=WARN
[ 14.588593] Hardware name: Broadcom STB (Flattened Device Tree)
[ 14.588598] Call trace:
[ 14.588604] dump_backtrace from show_stack+0x18/0x1c
[ 14.588622] r7:00000009 r6:0000008b r5:60000153 r4:c0fa558c
[ 14.588625] show_stack from dump_stack_lvl+0x70/0x7c
[ 14.588639] dump_stack_lvl from dump_stack+0x18/0x1c
[ 14.588653] r5:c08d40b0 r4:c1003cb0
[ 14.588656] dump_stack from __warn+0x84/0xe4
[ 14.588668] __warn from warn_slowpath_fmt+0x18c/0x194
[ 14.588678] r7:c08d40b0 r6:c1003cb0 r5:00000000 r4:00000000
[ 14.588681] warn_slowpath_fmt from nand_reset_op+0x1e0/0x1f8
[ 14.588695] r8:70c40dff r7:89705f41 r6:36b4a597 r5:c26c9444 r4:c26b0048
[ 14.588697] nand_reset_op from brcmnand_resume+0x13c/0x150
[ 14.588714] r9:00000000 r8:00000000 r7:c24f8010 r6:c228a3f8 r5:c26c94bc r4:c26b0040
[ 14.588717] brcmnand_resume from platform_pm_resume+0x34/0x54
[ 14.588735] r5:00000010 r4:c0840a50
[ 14.588738] platform_pm_resume from dpm_run_callback+0x5c/0x14c
[ 14.588757] dpm_run_callback from device_resume+0xc0/0x324
[ 14.588776] r9:c24f8054 r8:c24f80a0 r7:00000000 r6:00000000 r5:00000010 r4:c24f8010
[ 14.588779] device_resume from dpm_resume+0x130/0x160
[ 14.588799] r9:c22539e4 r8:00000010 r7:c22bebb0 r6:c24f8010 r5:c22539dc r4:c22539b0
[ 14.588802] dpm_resume from dpm_resume_end+0x14/0x20
[ 14.588822] r10:c2204e40 r9:00000000 r8:c228a3fc r7:00000000 r6:00000003 r5:c228a414
[ 14.588826] r4:00000010
[ 14.588828] dpm_resume_end from suspend_devices_and_enter+0x274/0x6f8
[ 14.588848] r5:c228a414 r4:00000000
[ 14.588851] suspend_devices_and_enter from pm_suspend+0x228/0x2bc
[ 14.588868] r10:c3502910 r9:c3501f40 r8:00000004 r7:c228a438 r6:c0f95e18 r5:00000000
[ 14.588871] r4:00000003
[ 14.588874] pm_suspend from state_store+0x74/0xd0
[ 14.588889] r7:c228a438 r6:c0f934c8 r5:00000003 r4:00000003
[ 14.588892] state_store from kobj_attr_store+0x1c/0x28
[ 14.588913] r9:00000000 r8:00000000 r7:f09f9f08 r6:00000004 r5:c3502900 r4:c0283250
[ 14.588916] kobj_attr_store from sysfs_kf_write+0x40/0x4c
[ 14.588936] r5:c3502900 r4:c0d92a48
[ 14.588939] sysfs_kf_write from kernfs_fop_write_iter+0x104/0x1f0
[ 14.588956] r5:c3502900 r4:c3501f40
[ 14.588960] kernfs_fop_write_iter from vfs_write+0x250/0x420
[ 14.588980] r10:c0e14b48 r9:00000000 r8:c25f5780 r7:00443398 r6:f09f9f68 r5:c34f7f00
[ 14.588983] r4:c042a88c
[ 14.588987] vfs_write from ksys_write+0x74/0xe4
[ 14.589005] r10:00000004 r9:c25f5780 r8:c02002fA0 r7:00000000 r6:00000000 r5:c34f7f00
[ 14.589008] r4:c34f7f00
[ 14.589011] ksys_write from sys_write+0x10/0x14
[ 14.589029] r7:00000004 r6:004421c0 r5:00443398 r4:00000004
[ 14.589032] sys_write from ret_fast_syscall+0x0/0x5c
[ 14.589044] Exception stack(0xf09f9fa8 to 0xf09f9ff0)
[ 14.589050] 9fa0: 00000004 00443398 00000004 00443398 00000004 00000001
[ 14.589056] 9fc0: 00000004 00443398 004421c0 00000004 b6ecbd58 00000008 bebfbc38 0043eb78
[ 14.589062] 9fe0: 00440eb0 bebfbaf8 b6de18a0 b6e579e8
[ 14.589065] ---[ end trace 0000000000000000 ]---
The fix uses the higher level nand_reset(chip, chipnr); where chipnr = 0, when
doing PM resume operation in compliance with the controller support for single
die nand chip. Switching from nand_reset_op() to nan
---truncated---
CVSS Score
7.8
EPSS Score
0.0
Published
2025-05-09
In the Linux kernel, the following vulnerability has been resolved:
pm: cpupower: bench: Prevent NULL dereference on malloc failure
If malloc returns NULL due to low memory, 'config' pointer can be NULL.
Add a check to prevent NULL dereference.
CVSS Score
5.5
EPSS Score
0.0
Published
2025-05-09
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate()
cpufreq_cpu_get_raw() can return NULL when the target CPU is not present
in the policy->cpus mask. scpi_cpufreq_get_rate() does not check for
this case, which results in a NULL pointer dereference.
CVSS Score
5.5
EPSS Score
0.0
Published
2025-05-08
In the Linux kernel, the following vulnerability has been resolved:
mm/vmscan: don't try to reclaim hwpoison folio
Syzkaller reports a bug as follows:
Injecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000
Memory failure: 0x18b00e: dirty swapcache page still referenced by 2 users
Memory failure: 0x18b00e: recovery action for dirty swapcache page: Failed
page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e
memcg:ffff0000dd6d9000
anon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff)
raw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9
raw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000
page dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio))
------------[ cut here ]------------
kernel BUG at mm/swap_state.c:184!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Modules linked in:
CPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3
Hardware name: linux,dummy-virt (DT)
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : add_to_swap+0xbc/0x158
lr : add_to_swap+0xbc/0x158
sp : ffff800087f37340
x29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780
x26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0
x23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4
x20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000
x17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c
x14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b
x11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000
x8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001
x5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000
Call trace:
add_to_swap+0xbc/0x158
shrink_folio_list+0x12ac/0x2648
shrink_inactive_list+0x318/0x948
shrink_lruvec+0x450/0x720
shrink_node_memcgs+0x280/0x4a8
shrink_node+0x128/0x978
balance_pgdat+0x4f0/0xb20
kswapd+0x228/0x438
kthread+0x214/0x230
ret_from_fork+0x10/0x20
I can reproduce this issue with the following steps:
1) When a dirty swapcache page is isolated by reclaim process and the
page isn't locked, inject memory failure for the page.
me_swapcache_dirty() clears uptodate flag and tries to delete from lru,
but fails. Reclaim process will put the hwpoisoned page back to lru.
2) The process that maps the hwpoisoned page exits, the page is deleted
the page will never be freed and will be in the lru forever.
3) If we trigger a reclaim again and tries to reclaim the page,
add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is
cleared.
To fix it, skip the hwpoisoned page in shrink_folio_list(). Besides, the
hwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap
it in shrink_folio_list(), otherwise the folio will fail to be unmaped by
hwpoison_user_mappings() since the folio isn't in lru list.
CVSS Score
5.5
EPSS Score
0.0
Published
2025-05-08
In the Linux kernel, the following vulnerability has been resolved:
irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()
With ACPI in place, gicv2m_get_fwnode() is registered with the pci
subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime
during a PCI host bridge probe. But, the call back is wrongly marked as
__init, causing it to be freed, while being registered with the PCI
subsystem and could trigger:
Unable to handle kernel paging request at virtual address ffff8000816c0400
gicv2m_get_fwnode+0x0/0x58 (P)
pci_set_bus_msi_domain+0x74/0x88
pci_register_host_bridge+0x194/0x548
This is easily reproducible on a Juno board with ACPI boot.
Retain the function for later use.
CVSS Score
7.8
EPSS Score
0.0
Published
2025-05-08
In the Linux kernel, the following vulnerability has been resolved:
net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too
Similarly to the previous patch, we need to safe guard hfsc_dequeue()
too. But for this one, we don't have a reliable reproducer.
CVSS Score
7.8
EPSS Score
0.0
Published
2025-05-08
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: gadget: check that event count does not exceed event buffer length
The event count is read from register DWC3_GEVNTCOUNT.
There is a check for the count being zero, but not for exceeding the
event buffer length.
Check that event count does not exceed event buffer length,
avoiding an out-of-bounds access when memcpy'ing the event.
Crash log:
Unable to handle kernel paging request at virtual address ffffffc0129be000
pc : __memcpy+0x114/0x180
lr : dwc3_check_event_buf+0xec/0x348
x3 : 0000000000000030 x2 : 000000000000dfc4
x1 : ffffffc0129be000 x0 : ffffff87aad60080
Call trace:
__memcpy+0x114/0x180
dwc3_interrupt+0x24/0x34
CVSS Score
7.8
EPSS Score
0.0
Published
2025-05-08
In the Linux kernel, the following vulnerability has been resolved:
mcb: fix a double free bug in chameleon_parse_gdd()
In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev'
would be released in mcb_device_register() via put_device().
Thus, goto 'err' label and free 'mdev' again causes a double free.
Just return if mcb_device_register() fails.
CVSS Score
7.8
EPSS Score
0.0
Published
2025-05-08
In the Linux kernel, the following vulnerability has been resolved:
spi: spi-imx: Add check for spi_imx_setupxfer()
Add check for the return value of spi_imx_setupxfer().
spi_imx->rx and spi_imx->tx function pointer can be NULL when
spi_imx_setupxfer() return error, and make NULL pointer dereference.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Call trace:
0x0
spi_imx_pio_transfer+0x50/0xd8
spi_imx_transfer_one+0x18c/0x858
spi_transfer_one_message+0x43c/0x790
__spi_pump_transfer_message+0x238/0x5d4
__spi_sync+0x2b0/0x454
spi_write_then_read+0x11c/0x200
CVSS Score
5.5
EPSS Score
0.0
Published
2025-05-08
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix WARNING "do not call blocking ops when !TASK_RUNNING"
wait_event_timeout() will set the state of the current
task to TASK_UNINTERRUPTIBLE, before doing the condition check. This
means that ksmbd_durable_scavenger_alive() will try to acquire the mutex
while already in a sleeping state. The scheduler warns us by giving
the following warning:
do not call blocking ops when !TASK_RUNNING; state=2 set at
[<0000000061515a6f>] prepare_to_wait_event+0x9f/0x6c0
WARNING: CPU: 2 PID: 4147 at kernel/sched/core.c:10099 __might_sleep+0x12f/0x160
mutex lock is not needed in ksmbd_durable_scavenger_alive().
CVSS Score
5.5
EPSS Score
0.0
Published
2025-05-08