Peng Fan

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.11.0-rc3-next-20240814-00004-g61844c55c3f4 Description: A vulnerability in the Linux kernel has been resolved, related to the mm and slub modules. The issue arises when the `init on free` option is enabled, causing the full object size, including the redzone, to be cleared. This leads to the `check object` function treating the entire object as a redzone, resulting in a BUG report. The vulnerability is addressed by using `orig size` to clear the used area and restoring the value of `orig size` after clearing the remaining area. Recommendations: To resolve the issue, update to a version of the Linux kernel that includes the fix for this vulnerability. Specifically, for versions prior to 6.11.0-rc3-next-20240814-00004-g61844c55c3f4, apply the patch that addresses the mm and slub modules to avoid zeroing the kmalloc redzone. As a temporary workaround, consider disabling the `init on free` option until a patched version is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue occurs when the kernel is booted with "earlycon initcall debug=1 loglevel=8" in bootargs, causing the kernel to sometimes hang during boot. This happens because the normal console is not ready, but runtime suspend is called, resulting in the early console putchar hanging while waiting for TRDE to be set in UARTSTAT. The lpuart driver has an auto suspend delay of 3000ms, and during uart add one port, a child device serial ctrl is added and probed with its pm runtime enabled. The runtime suspend call path involves device add, bus probe device, device initial probe, and device attach, ultimately leading to pm runtime get sync, pm request idle, and pm runtime put. To address the issue, marking last busy just after pm runtime enable is sufficient, as three seconds is long enough to switch from bootconsole to normal console. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.23-06226-g4986cc3e1b75-dirty #250 **Description** The vulnerability is related to the drm/fbdev-dma module in the Linux kernel. It occurs when the `smem start` is set, which can break systems where DMA memory is backed by vmalloc address space. The issue arises because DMA memory is assumed to be contiguous in physical address space, which is not guaranteed by `vmalloc()`. To resolve this, the module flag `drm leak fbdev smem` should be checked when DRM allocates the instance of `struct fb info`. The `fbdev-dma` then only sets `smem start` if required, and the framebuffer should not be located in `vmalloc` address space. **Recommendations** To resolve the issue, check the module flag `drm leak fbdev smem` when DRM allocates the instance of `struct fb info`. Then, only set `smem start` if required via `FBINFO HIDE SMEM START`. Also, ensure the framebuffer is not located in `vmalloc` address space. As a temporary workaround, consider disabling the `drm fbdev dma helper fb probe` function until a patch is available. Restrict access to the `drm fbdev dma` module to minimize the risk of exploitation. Avoid using the `smem start` parameter in the affected kernel versions until the issue is resolved.