CVE-2021-47173 – misc/uss720: fix memory leak in uss720_probe
https://notcve.org/view.php?id=CVE-2021-47173
In the Linux kernel, the following vulnerability has been resolved: misc/uss720: fix memory leak in uss720_probe uss720_probe forgets to decrease the refcount of usbdev in uss720_probe. Fix this by decreasing the refcount of usbdev by usb_put_dev. BUG: memory leak unreferenced object 0xffff888101113800 (size 2048): comm "kworker/0:1", pid 7, jiffies 4294956777 (age 28.870s) hex dump (first 32 bytes): ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1........... 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................ backtrace: [<ffffffff82b8e822>] kmalloc include/linux/slab.h:554 [inline] [<ffffffff82b8e822>] kzalloc include/linux/slab.h:684 [inline] [<ffffffff82b8e822>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582 [<ffffffff82b98441>] hub_port_connect drivers/usb/core/hub.c:5129 [inline] [<ffffffff82b98441>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] [<ffffffff82b98441>] port_event drivers/usb/core/hub.c:5509 [inline] [<ffffffff82b98441>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591 [<ffffffff81259229>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275 [<ffffffff81259b19>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421 [<ffffffff81261228>] kthread+0x178/0x1b0 kernel/kthread.c:292 [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: misc/uss720: corrige la pérdida de memoria en uss720_probe uss720_probe olvida disminuir el recuento de usbdev en uss720_probe. Solucione este problema disminuyendo el recuento de usbdev por usb_put_dev. ERROR: pérdida de memoria, objeto sin referencia 0xffff888101113800 (tamaño 2048): comunicación "kworker/0:1", pid 7, jiffies 4294956777 (edad 28,870 s) volcado hexadecimal (primeros 32 bytes): ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1.......... 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................. ... seguimiento: [] kmalloc include/linux/slab.h:554 [en línea] [] kzalloc include/linux/slab.h:684 [en línea] [] usb_alloc_dev+0x32/ 0x450 controladores/usb/core/usb.c:582 [] hub_port_connect drivers/usb/core/hub.c:5129 [en línea] [] hub_port_connect_change drivers/usb/core/hub.c:5363 [ en línea] [] port_event drivers/usb/core/hub.c:5509 [en línea] [] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591 [] Process_one_work+ 0x2c9/0x600 kernel/workqueue.c:2275 [] trabajador_thread+0x59/0x5d0 kernel/workqueue.c:2421 [] kthread+0x178/0x1b0 kernel/kthread.c:292 [ ] ret_from_fork +0x1f/0x30 arco/x86/entrada/entrada_64.S:294 • https://git.kernel.org/stable/c/0f36163d3abefbda1b21a330b3fdf3c2dc076d94 https://git.kernel.org/stable/c/5f46b2410db2c8f26b8bb91b40deebf4ec184391 https://git.kernel.org/stable/c/7889c70e6173ef358f3cd7578db127a489035a42 https://git.kernel.org/stable/c/bcb30cc8f8befcbdbcf7a016e4dfd4747c54a364 https://git.kernel.org/stable/c/386918878ce4cd676e4607233866e03c9399a46a https://git.kernel.org/stable/c/36b5ff1db1a4ef4fdbc2bae364344279f033ad88 https://git.kernel.org/stable/c/5394ae9d8c7961dd93807fdf1b12a1dde96b0a55 https://git.kernel.org/stable/c/a3c3face38cb49932c62adcc1289914f1 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2021-47170 – USB: usbfs: Don't WARN about excessively large memory allocations
https://notcve.org/view.php?id=CVE-2021-47170
In the Linux kernel, the following vulnerability has been resolved: USB: usbfs: Don't WARN about excessively large memory allocations Syzbot found that the kernel generates a WARNing if the user tries to submit a bulk transfer through usbfs with a buffer that is way too large. This isn't a bug in the kernel; it's merely an invalid request from the user and the usbfs code does handle it correctly. In theory the same thing can happen with async transfers, or with the packet descriptor table for isochronous transfers. To prevent the MM subsystem from complaining about these bad allocation requests, add the __GFP_NOWARN flag to the kmalloc calls for these buffers. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: USB: usbfs: No ADVERTIR sobre asignaciones de memoria excesivamente grandes. Syzbot descubrió que el kernel genera una ADVERTENCIA si el usuario intenta enviar una transferencia masiva a través de usbfs con un búfer demasiado grande. Esto no es un error en el kernel; es simplemente una solicitud no válida del usuario y el código usbfs la maneja correctamente. • https://git.kernel.org/stable/c/2ab21d6e1411999b5fb43434f421f00bf50002eb https://git.kernel.org/stable/c/2c835fede13e03f2743a333e4370b5ed2db91e83 https://git.kernel.org/stable/c/8d83f109e920d2776991fa142bb904d985dca2ed https://git.kernel.org/stable/c/9f7cb3f01a10d9064cf13b3d26fb7e7a5827d098 https://git.kernel.org/stable/c/4f2629ea67e7225c3fd292c7fe4f5b3c9d6392de •
CVE-2021-47169 – serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait'
https://notcve.org/view.php?id=CVE-2021-47169
In the Linux kernel, the following vulnerability has been resolved: serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait' In 'rp2_probe', the driver registers 'rp2_uart_interrupt' then calls 'rp2_fw_cb' through 'request_firmware_nowait'. In 'rp2_fw_cb', if the firmware don't exists, function just return without initializing ports of 'rp2_card'. But now the interrupt handler function has been registered, and when an interrupt comes, 'rp2_uart_interrupt' may access those ports then causing NULL pointer dereference or other bugs. Because the driver does some initialization work in 'rp2_fw_cb', in order to make the driver ready to handle interrupts, 'request_firmware' should be used instead of asynchronous 'request_firmware_nowait'. This report reveals it: INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59- gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xec/0x156 lib/dump_stack.c:118 assign_lock_key kernel/locking/lockdep.c:727 [inline] register_lock_class+0x14e5/0x1ba0 kernel/locking/lockdep.c:753 __lock_acquire+0x187/0x3750 kernel/locking/lockdep.c:3303 lock_acquire+0x124/0x340 kernel/locking/lockdep.c:3907 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x32/0x50 kernel/locking/spinlock.c:144 spin_lock include/linux/spinlock.h:329 [inline] rp2_ch_interrupt drivers/tty/serial/rp2.c:466 [inline] rp2_asic_interrupt.isra.9+0x15d/0x990 drivers/tty/serial/rp2.c:493 rp2_uart_interrupt+0x49/0xe0 drivers/tty/serial/rp2.c:504 __handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149 handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189 handle_irq_event+0xac/0x140 kernel/irq/handle.c:206 handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725 generic_handle_irq_desc include/linux/irqdesc.h:155 [inline] handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87 do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670 </IRQ> RIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61 Code: 00 00 55 be 04 00 00 00 48 c7 c7 00 c2 2f 8c 48 89 e5 e8 fb 31 e7 f8 8b 05 75 af 8d 03 85 c0 7e 07 0f 00 2d 8a 61 65 00 fb f4 <5d> c3 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 RSP: 0018:ffff88806b71fcc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde RAX: 0000000000000000 RBX: ffffffff8bde7e48 RCX: ffffffff88a21285 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8c2fc200 RBP: ffff88806b71fcc8 R08: fffffbfff185f840 R09: fffffbfff185f840 R10: 0000000000000001 R11: fffffbfff185f840 R12: 0000000000000002 R13: ffffffff8bea18a0 R14: 0000000000000000 R15: 0000000000000000 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline] default_idle+0x6f/0x360 arch/x86/kernel/process.c:557 arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548 default_idle_call+0x3b/0x60 kernel/sched/idle.c:93 cpuidle_idle_call kernel/sched/idle.c:153 [inline] do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263 cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369 start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243 BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 8000000056d27067 P4D 8000000056d27067 PUD 56d28067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59- gc9ba5276e321-prebuilt.qemu.org 04/01/2014 RIP: 0010:readl arch/x86/include/asm/io.h:59 [inline] RIP: 0010:rp2_ch_interrupt drivers/tty/serial/rp2.c:472 [inline] RIP: 0010:rp2_asic_interrupt.isra.9+0x181/0x990 drivers/tty/serial/rp2.c: 493 Co ---truncated--- En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: serial: rp2: use 'request_firmware' en lugar de 'request_firmware_nowait' En 'rp2_probe', el controlador registra 'rp2_uart_interrupt' y luego llama a 'rp2_fw_cb' a través de 'request_firmware_nowait'. En 'rp2_fw_cb', si el firmware no existe, la función simplemente regresa sin inicializar los puertos de 'rp2_card'. Pero ahora la función de manejo de interrupciones ha sido registrada, y cuando llega una interrupción, 'rp2_uart_interrupt' puede acceder a esos puertos y causar desreferencia al puntero NULL u otros errores. • https://git.kernel.org/stable/c/1e04d5d5fe5e76af68f834e1941fcbfa439653be https://git.kernel.org/stable/c/c697244ce940ec07e2d745ccb63ca97fc0266fbc https://git.kernel.org/stable/c/1cc57cb32c84e059bd158494f746b665fc14d1b1 https://git.kernel.org/stable/c/35265552c7fe9553c75e324c80f45e28ff14eb6e https://git.kernel.org/stable/c/915452f40e2f495e187276c4407a4f567ec2307e https://git.kernel.org/stable/c/6a931ceb0b9401fe18d0c500e08164bf9cc7be4b https://git.kernel.org/stable/c/9b07b6973f7359e2dd6a9fe6db0c142634c823b7 https://git.kernel.org/stable/c/016002848c82eeb5d460489ce392d91fe •
CVE-2021-47149 – net: fujitsu: fix potential null-ptr-deref
https://notcve.org/view.php?id=CVE-2021-47149
In the Linux kernel, the following vulnerability has been resolved: net: fujitsu: fix potential null-ptr-deref In fmvj18x_get_hwinfo(), if ioremap fails there will be NULL pointer deref. To fix this, check the return value of ioremap and return -1 to the caller in case of failure. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: fujitsu: corrige el potencial null-ptr-deref En fmvj18x_get_hwinfo(), si ioremap falla, habrá un puntero NULL deref. Para solucionar este problema, verifique el valor de retorno de ioremap y devuelva -1 a la persona que llama en caso de falla. • https://git.kernel.org/stable/c/b92170e209f7746ed72eaac98f2c2f4b9af734e6 https://git.kernel.org/stable/c/6dbf1101594f7c76990b63c35b5a40205a914b6b https://git.kernel.org/stable/c/c4f1c23edbe921ab2ecd6140d700e756cd44c5f7 https://git.kernel.org/stable/c/7883d3895d0fbb0ba9bff0f8665f99974b45210f https://git.kernel.org/stable/c/22049c3d40f08facd1867548716a484dad6b3251 https://git.kernel.org/stable/c/71723a796ab7881f491d663c6cd94b29be5fba50 https://git.kernel.org/stable/c/f14bf57a08779a5dee9936f63ada0149ea89c5e6 https://git.kernel.org/stable/c/52202be1cd996cde6e8969a128dc27ee4 •
CVE-2021-47145 – btrfs: do not BUG_ON in link_to_fixup_dir
https://notcve.org/view.php?id=CVE-2021-47145
In the Linux kernel, the following vulnerability has been resolved: btrfs: do not BUG_ON in link_to_fixup_dir While doing error injection testing I got the following panic kernel BUG at fs/btrfs/tree-log.c:1862! invalid opcode: 0000 [#1] SMP NOPTI CPU: 1 PID: 7836 Comm: mount Not tainted 5.13.0-rc1+ #305 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014 RIP: 0010:link_to_fixup_dir+0xd5/0xe0 RSP: 0018:ffffb5800180fa30 EFLAGS: 00010216 RAX: fffffffffffffffb RBX: 00000000fffffffb RCX: ffff8f595287faf0 RDX: ffffb5800180fa37 RSI: ffff8f5954978800 RDI: 0000000000000000 RBP: ffff8f5953af9450 R08: 0000000000000019 R09: 0000000000000001 R10: 000151f408682970 R11: 0000000120021001 R12: ffff8f5954978800 R13: ffff8f595287faf0 R14: ffff8f5953c77dd0 R15: 0000000000000065 FS: 00007fc5284c8c40(0000) GS:ffff8f59bbd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc5287f47c0 CR3: 000000011275e002 CR4: 0000000000370ee0 Call Trace: replay_one_buffer+0x409/0x470 ? btree_read_extent_buffer_pages+0xd0/0x110 walk_up_log_tree+0x157/0x1e0 walk_log_tree+0xa6/0x1d0 btrfs_recover_log_trees+0x1da/0x360 ? replay_one_extent+0x7b0/0x7b0 open_ctree+0x1486/0x1720 btrfs_mount_root.cold+0x12/0xea ? __kmalloc_track_caller+0x12f/0x240 legacy_get_tree+0x24/0x40 vfs_get_tree+0x22/0xb0 vfs_kern_mount.part.0+0x71/0xb0 btrfs_mount+0x10d/0x380 ? • https://git.kernel.org/stable/c/76bfd8ac20bebeae599452a03dfc5724c0475dcf https://git.kernel.org/stable/c/e934c4ee17b33bafb0444f2f9766cda7166d3c40 https://git.kernel.org/stable/c/0eaf383c6a4a83c09f60fd07a1bea9f1a9181611 https://git.kernel.org/stable/c/6eccfb28f8dca70c9b1b3bb3194ca54cbe73a9fa https://git.kernel.org/stable/c/0ed102453aa1cd12fefde8f6b60b9519b0b1f003 https://git.kernel.org/stable/c/7e13db503918820e6333811cdc6f151dcea5090a https://git.kernel.org/stable/c/b545442133580dcb2f2496133bf850824d41255c https://git.kernel.org/stable/c/91df99a6eb50d5a1bc70fff4a09a0b7ae •