CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2021-47490 – drm/ttm: fix memleak in ttm_transfered_destroy
https://notcve.org/view.php?id=CVE-2021-47490
In the Linux kernel, the following vulnerability has been resolved: drm/ttm: fix memleak in ttm_transfered_destroy We need to cleanup the fences for ghost objects as well. Bug: https://bugzilla.kernel.org/show_bug.cgi?id=214029 Bug: https://bugzilla.kernel.org/show_bug.cgi?id=214447 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/ttm: corrige memleak en ttm_transfered_destroy También necesitamos limpiar las barreras para detectar objetos fantasma. Error: https://bugzilla.kernel.org/show_bug.cgi?id=214029 Error: https://bugzilla.kernel.org/show_bug.cgi? • https://git.kernel.org/stable/c/bd99782f3ca491879e8524c89b1c0f40071903bd https://git.kernel.org/stable/c/960b1fdfc39aba8f41e9e27b2de0c925c74182d9 https://git.kernel.org/stable/c/c21b4002214c1c7e7b627b9b53375612f7aab6db https://git.kernel.org/stable/c/bbc920fb320f1c241cc34ac85edaa0058922246a https://git.kernel.org/stable/c/132a3d998d6753047f22152731fba2b0d6b463dd https://git.kernel.org/stable/c/0db55f9a1bafbe3dac750ea669de9134922389b5 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47485 – IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
https://notcve.org/view.php?id=CVE-2021-47485
In the Linux kernel, the following vulnerability has been resolved: IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields Overflowing either addrlimit or bytes_togo can allow userspace to trigger a buffer overflow of kernel memory. Check for overflows in all the places doing math on user controlled buffers. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: IB/qib: Protege contra el desbordamiento del búfer en los campos de struct qib_user_sdma_pkt. El desbordamiento de addrlimit o bytes_togo puede permitir que el espacio de usuario desencadene un desbordamiento del búfer de la memoria del kernel. Compruebe si hay desbordamientos en todos los lugares que realizan cálculos en búferes controlados por el usuario. • https://git.kernel.org/stable/c/f931551bafe1f10ded7f5282e2aa162c267a2e5d https://git.kernel.org/stable/c/bda41654b6e0c125a624ca35d6d20beb8015b5d0 https://git.kernel.org/stable/c/3f57c3f67fd93b4da86aeffea1ca32c484d054ad https://git.kernel.org/stable/c/60833707b968d5ae02a75edb7886dcd4a957cf0d https://git.kernel.org/stable/c/73d2892148aa4397a885b4f4afcfc5b27a325c42 https://git.kernel.org/stable/c/0f8cdfff06829a0b0348b6debc29ff6a61967724 https://git.kernel.org/stable/c/c3e17e58f571f34c51aeb17274ed02c2ed5cf780 https://git.kernel.org/stable/c/0d4395477741608d123dad51def9fe50b •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47483 – regmap: Fix possible double-free in regcache_rbtree_exit()
https://notcve.org/view.php?id=CVE-2021-47483
In the Linux kernel, the following vulnerability has been resolved: regmap: Fix possible double-free in regcache_rbtree_exit() In regcache_rbtree_insert_to_block(), when 'present' realloc failed, the 'blk' which is supposed to assign to 'rbnode->block' will be freed, so 'rbnode->block' points a freed memory, in the error handling path of regcache_rbtree_init(), 'rbnode->block' will be freed again in regcache_rbtree_exit(), KASAN will report double-free as follows: BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390 Call Trace: slab_free_freelist_hook+0x10d/0x240 kfree+0xce/0x390 regcache_rbtree_exit+0x15d/0x1a0 regcache_rbtree_init+0x224/0x2c0 regcache_init+0x88d/0x1310 __regmap_init+0x3151/0x4a80 __devm_regmap_init+0x7d/0x100 madera_spi_probe+0x10f/0x333 [madera_spi] spi_probe+0x183/0x210 really_probe+0x285/0xc30 To fix this, moving up the assignment of rbnode->block to immediately after the reallocation has succeeded so that the data structure stays valid even if the second reallocation fails. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: regmap: corrige posible doble liberación en regcache_rbtree_exit() En regcache_rbtree_insert_to_block(), cuando la realloc 'presente' fallaba, el 'blk' que se supone debe asignarse a 'rbnode->block ' se liberará, por lo que 'rbnode->block' apunta a una memoria liberada, en la ruta de manejo de errores de regcache_rbtree_init(), 'rbnode->block' se liberará nuevamente en regcache_rbtree_exit(), KASAN informará la doble liberación de la siguiente manera : ERROR: KASAN: doble libre o no válido en kfree+0xce/0x390 Rastreo de llamadas: slab_free_freelist_hook+0x10d/0x240 kfree+0xce/0x390 regcache_rbtree_exit+0x15d/0x1a0 regcache_rbtree_init+0x224/0x2c0 regcache_init+0x88d/ 0x1310 __regmap_init+0x3151/ 0x4a80 __devm_regmap_init+0x7d/0x100 madera_spi_probe+0x10f/0x333 [madera_spi] spi_probe+0x183/0x210 Actually_probe+0x285/0xc30 Para solucionar este problema, mueva hacia arriba la asignación de rbnode->block inmediatamente después de que la reasignación se haya realizado correctamente para que la estructura de datos permanezca válido incluso si la segunda reasignación falla. • https://git.kernel.org/stable/c/3f4ff561bc88b074d5e868dde4012d89cbb06c87 https://git.kernel.org/stable/c/e72dce9afbdbfa70d9b44f5908a50ff6c4858999 https://git.kernel.org/stable/c/fc081477b47dfc3a6cb50a96087fc29674013fc2 https://git.kernel.org/stable/c/758ced2c3878ff789801e6fee808e185c5cf08d6 https://git.kernel.org/stable/c/3dae1a4eced3ee733d7222e69b8a55caf2d61091 https://git.kernel.org/stable/c/1cead23c1c0bc766dacb900a3b0269f651ad596f https://git.kernel.org/stable/c/36e911a16b377bde0ad91a8c679069d0d310b1a6 https://git.kernel.org/stable/c/50cc1462a668dc62949a1127388bc3af7 •
CVSS: 5.3EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47482 – net: batman-adv: fix error handling
https://notcve.org/view.php?id=CVE-2021-47482
In the Linux kernel, the following vulnerability has been resolved: net: batman-adv: fix error handling Syzbot reported ODEBUG warning in batadv_nc_mesh_free(). The problem was in wrong error handling in batadv_mesh_init(). Before this patch batadv_mesh_init() was calling batadv_mesh_free() in case of any batadv_*_init() calls failure. This approach may work well, when there is some kind of indicator, which can tell which parts of batadv are initialized; but there isn't any. All written above lead to cleaning up uninitialized fields. Even if we hide ODEBUG warning by initializing bat_priv->nc.work, syzbot was able to hit GPF in batadv_nc_purge_paths(), because hash pointer in still NULL. [1] To fix these bugs we can unwind batadv_*_init() calls one by one. It is good approach for 2 reasons: 1) It fixes bugs on error handling path 2) It improves the performance, since we won't call unneeded batadv_*_free() functions. So, this patch makes all batadv_*_init() clean up all allocated memory before returning with an error to no call correspoing batadv_*_free() and open-codes batadv_mesh_free() with proper order to avoid touching uninitialized fields. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: batman-adv: corrección de manejo de errores Syzbot informó advertencia ODEBUG en batadv_nc_mesh_free(). • https://git.kernel.org/stable/c/c6c8fea29769d998d94fcec9b9f14d4b52b349d3 https://git.kernel.org/stable/c/0c6b199f09be489c48622537a550787fc80aea73 https://git.kernel.org/stable/c/07533f1a673ce1126d0a72ef1e4b5eaaa3dd6d20 https://git.kernel.org/stable/c/e50f957652190b5a88a8ebce7e5ab14ebd0d3f00 https://git.kernel.org/stable/c/fbf150b16a3635634b7dfb7f229d8fcd643c6c51 https://git.kernel.org/stable/c/6422e8471890273994fe8cc6d452b0dcd2c9483e https://git.kernel.org/stable/c/b0a2cd38553c77928ef1646ed1518486b1e70ae8 https://git.kernel.org/stable/c/a8f7359259dd5923adc6129284fdad12f • CWE-544: Missing Standardized Error Handling Mechanism •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47480 – scsi: core: Put LLD module refcnt after SCSI device is released
https://notcve.org/view.php?id=CVE-2021-47480
In the Linux kernel, the following vulnerability has been resolved: scsi: core: Put LLD module refcnt after SCSI device is released SCSI host release is triggered when SCSI device is freed. We have to make sure that the low-level device driver module won't be unloaded before SCSI host instance is released because shost->hostt is required in the release handler. Make sure to put LLD module refcnt after SCSI device is released. Fixes a kernel panic of 'BUG: unable to handle page fault for address' reported by Changhui and Yi. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: core: colocar el módulo LLD refcnt después de liberar el dispositivo SCSI. La liberación del host SCSI se activa cuando se libera el dispositivo SCSI. Tenemos que asegurarnos de que el módulo del controlador de dispositivo de bajo nivel no se descargue antes de que se lance la instancia del host SCSI porque se requiere shost->hostt en el controlador de lanzamiento. • https://git.kernel.org/stable/c/1105573d964f7b78734348466b01f5f6ba8a1813 https://git.kernel.org/stable/c/8e4814a461787e15a31d322d9efbe0d4f6822428 https://git.kernel.org/stable/c/61a0faa89f21861d1f8d059123b5c285a5d9ffee https://git.kernel.org/stable/c/c2df161f69fb1c67f63adbd193368b47f511edc0 https://git.kernel.org/stable/c/1ce287eff9f23181d5644db787f472463a61f68b https://git.kernel.org/stable/c/7b57c38d12aed1b5d92f74748bed25e0d041729f https://git.kernel.org/stable/c/f30822c0b4c35ec86187ab055263943dc71a6836 https://git.kernel.org/stable/c/f2b85040acec9a928b4eb1b57a989324e •