Message #15362
[Bug 1694733] Re: ubuntu/rsi driver has several issues as picked up by static analysis
This bug was fixed in the package linux - 4.4.0-89.112
---------------
linux (4.4.0-89.112) xenial; urgency=low
* CVE-2017-7533
- dentry name snapshots
linux (4.4.0-88.111) xenial; urgency=low
* linux: 4.4.0-88.111 -proposed tracker (LP: #1705270)
* [Xenial] nvme: Quirks for PM1725 controllers (LP: #1704435)
- nvme: Quirks for PM1725 controllers
* Upgrade Redpine WLAN/BT driver to ver. 1.2 (production release)
(LP: #1697829)
- SAUCE: Redpine: Upgrade to ver. 1.2 production release
* ubuntu/rsi driver has several issues as picked up by static analysis
(LP: #1694733)
- SAUCE: Redpine: Upgrade to ver. 1.2 production release
* Redpine vendor driver - Switching to AP mode causes kernel panic
(LP: #1700941)
- SAUCE: Redpine: Upgrade to ver. 1.2 production release
* CVE-2017-10810
- drm/virtio: don't leak bo on drm_gem_object_init failure
* Ath10k to read different board data file if specify in SMBIOS (LP: #1666742)
- ath10k: search SMBIOS for OEM board file extension
* make snap-pkg support (LP: #1700747)
- SAUCE: make snap-pkg support
* ISST-LTE: Briggs:Stratton:UbuntuKVM: ics_opal_set_affinity on host kernel
log using Intel X710 (i40e driver) (LP: #1703663)
- i40e: use valid online CPU on q_vector initialization
* Update snapcraft.yaml (LP: #1700480)
- snapcraft.yaml: various improvements
* Xenial update to 4.4.76 stable release (LP: #1702863)
- ipv6: release dst on error in ip6_dst_lookup_tail
- net: don't call strlen on non-terminated string in dev_set_alias()
- decnet: dn_rtmsg: Improve input length sanitization in
dnrmg_receive_user_skb
- net: Zero ifla_vf_info in rtnl_fill_vfinfo()
- af_unix: Add sockaddr length checks before accessing sa_family in bind and
connect handlers
- Fix an intermittent pr_emerg warning about lo becoming free.
- net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
- igmp: acquire pmc lock for ip_mc_clear_src()
- igmp: add a missing spin_lock_init()
- ipv6: fix calling in6_ifa_hold incorrectly for dad work
- net/mlx5: Wait for FW readiness before initializing command interface
- decnet: always not take dst->__refcnt when inserting dst into hash table
- net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
- sfc: provide dummy definitions of vswitch functions
- ipv6: Do not leak throw route references
- rtnetlink: add IFLA_GROUP to ifla_policy
- netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
- netfilter: synproxy: fix conntrackd interaction
- NFSv4: fix a reference leak caused WARNING messages
- drm/ast: Handle configuration without P2A bridge
- mm, swap_cgroup: reschedule when neeed in swap_cgroup_swapoff()
- MIPS: Avoid accidental raw backtrace
- MIPS: pm-cps: Drop manual cache-line alignment of ready_count
- MIPS: Fix IRQ tracing & lockdep when rescheduling
- ALSA: hda - Fix endless loop of codec configure
- ALSA: hda - set input_path bitmap to zero after moving it to new place
- drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr
- usb: gadget: f_fs: Fix possibe deadlock
- sysctl: enable strict writes
- mm: numa: avoid waiting on freed migrated pages
- KVM: x86: fix fixing of hypercalls
- scsi: sd: Fix wrong DPOFUA disable in sd_read_cache_type
- scsi: lpfc: Set elsiocb contexts to NULL after freeing it
- qla2xxx: Fix erroneous invalid handle message
- ARM: dts: BCM5301X: Correct GIC_PPI interrupt flags
- net: mvneta: Fix for_each_present_cpu usage
- MIPS: ath79: fix regression in PCI window initialization
- net: korina: Fix NAPI versus resources freeing
- MIPS: ralink: MT7688 pinmux fixes
- MIPS: ralink: fix USB frequency scaling
- MIPS: ralink: Fix invalid assignment of SoC type
- MIPS: ralink: fix MT7628 pinmux typos
- MIPS: ralink: fix MT7628 wled_an pinmux gpio
- mtd: bcm47xxpart: limit scanned flash area on BCM47XX (MIPS) only
- bgmac: fix a missing check for build_skb
- mtd: bcm47xxpart: don't fail because of bit-flips
- bgmac: Fix reversed test of build_skb() return value.
- net: bgmac: Fix SOF bit checking
- net: bgmac: Start transmit queue in bgmac_open
- net: bgmac: Remove superflous netif_carrier_on()
- powerpc/eeh: Enable IO path on permanent error
- gianfar: Do not reuse pages from emergency reserve
- Btrfs: fix truncate down when no_holes feature is enabled
- virtio_console: fix a crash in config_work_handler
- swiotlb-xen: update dev_addr after swapping pages
- xen-netfront: Fix Rx stall during network stress and OOM
- scsi: virtio_scsi: Reject commands when virtqueue is broken
- platform/x86: ideapad-laptop: handle ACPI event 1
- amd-xgbe: Check xgbe_init() return code
- net: dsa: Check return value of phy_connect_direct()
- drm/amdgpu: check ring being ready before using
- vfio/spapr: fail tce_iommu_attach_group() when iommu_data is null
- virtio_net: fix PAGE_SIZE > 64k
- vxlan: do not age static remote mac entries
- ibmveth: Add a proper check for the availability of the checksum features
- kernel/panic.c: add missing \n
- HID: i2c-hid: Add sleep between POWER ON and RESET
- scsi: lpfc: avoid double free of resource identifiers
- spi: davinci: use dma_mapping_error()
- mac80211: initialize SMPS field in HT capabilities
- x86/mpx: Use compatible types in comparison to fix sparse error
- coredump: Ensure proper size of sparse core files
- swiotlb: ensure that page-sized mappings are page-aligned
- s390/ctl_reg: make __ctl_load a full memory barrier
- be2net: fix status check in be_cmd_pmac_add()
- perf probe: Fix to show correct locations for events on modules
- net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV
- sctp: check af before verify address in sctp_addr_id2transport
- ravb: Fix use-after-free on `ifconfig eth0 down`
- jump label: fix passing kbuild_cflags when checking for asm goto support
- xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY
- xfrm: NULL dereference on allocation failure
- xfrm: Oops on error in pfkey_msg2xfrm_state()
- watchdog: bcm281xx: Fix use of uninitialized spinlock.
- sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting
- ARM64/ACPI: Fix BAD_MADT_GICC_ENTRY() macro implementation
- ARM: 8685/1: ensure memblock-limit is pmd-aligned
- x86/mpx: Correctly report do_mpx_bt_fault() failures to user-space
- x86/mm: Fix flush_tlb_page() on Xen
- ocfs2: o2hb: revert hb threshold to keep compatible
- iommu/vt-d: Don't over-free page table directories
- iommu: Handle default domain attach failure
- iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid()
- cpufreq: s3c2416: double free on driver init error path
- KVM: x86: fix emulation of RSM and IRET instructions
- KVM: x86/vPMU: fix undefined shift in intel_pmu_refresh()
- KVM: x86: zero base3 of unusable segments
- KVM: nVMX: Fix exception injection
- Linux 4.4.76
* Xenial update to 4.4.75 stable release (LP: #1702118)
- fs/exec.c: account for argv/envp pointers
- autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL
- lib/cmdline.c: fix get_options() overflow while parsing ranges
- KVM: PPC: Book3S HV: Preserve userspace HTM state properly
- CIFS: Improve readdir verbosity
- HID: Add quirk for Dell PIXART OEM mouse
- signal: Only reschedule timers on signals timers have sent
- powerpc/kprobes: Pause function_graph tracing during jprobes handling
- Input: i8042 - add Fujitsu Lifebook AH544 to notimeout list
- time: Fix clock->read(clock) race around clocksource changes
- target: Fix kref->refcount underflow in transport_cmd_finish_abort
- iscsi-target: Reject immediate data underflow larger than SCSI transfer
length
- drm/radeon: add a PX quirk for another K53TK variant
- drm/radeon: add a quirk for Toshiba Satellite L20-183
- drm/amdgpu/atom: fix ps allocation size for EnableDispPowerGating
- drm/amdgpu: adjust default display clock
- USB: usbip: fix nonconforming hub descriptor
- rxrpc: Fix several cases where a padded len isn't checked in ticket decode
- of: Add check to of_scan_flat_dt() before accessing initial_boot_params
- mtd: spi-nor: fix spansion quad enable
- powerpc/slb: Force a full SLB flush when we insert for a bad EA
- usb: gadget: f_fs: avoid out of bounds access on comp_desc
- net: phy: Initialize mdio clock at probe function
- net: phy: fix marvell phy status reading
- Linux 4.4.75
* Xenial update to 4.4.74 stable release (LP: #1702104)
- configfs: Fix race between create_link and configfs_rmdir
- can: gs_usb: fix memory leak in gs_cmd_reset()
- cpufreq: conservative: Allow down_threshold to take values from 1 to 10
- vb2: Fix an off by one error in 'vb2_plane_vaddr'
- mac80211: don't look at the PM bit of BAR frames
- mac80211/wpa: use constant time memory comparison for MACs
- mac80211: fix CSA in IBSS mode
- mac80211: fix IBSS presp allocation size
- serial: efm32: Fix parity management in 'efm32_uart_console_get_options()'
- x86/mm/32: Set the '__vmalloc_start_set' flag in initmem_init()
- mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode
- staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data()
- iio: proximity: as3935: recalibrate RCO after resume
- USB: hub: fix SS max number of ports
- usb: core: fix potential memory leak in error path during hcd creation
- pvrusb2: reduce stack usage pvr2_eeprom_analyze()
- USB: gadget: dummy_hcd: fix hub-descriptor removable fields
- usb: r8a66597-hcd: select a different endpoint on timeout
- usb: r8a66597-hcd: decrease timeout
- drivers/misc/c2port/c2port-duramar2150.c: checking for NULL instead of
IS_ERR()
- usb: xhci: ASMedia ASM1042A chipset need shorts TX quirk
- USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks
- mm/memory-failure.c: use compound_head() flags for huge pages
- swap: cond_resched in swap_cgroup_prepare()
- genirq: Release resources in __setup_irq() error path
- alarmtimer: Prevent overflow of relative timers
- usb: dwc3: exynos fix axius clock error path to do cleanup
- MIPS: Fix bnezc/jialc return address calculation
- alarmtimer: Rate limit periodic intervals
- Linux 4.4.74
* Side Button (Display Toggle) fails on Dell AIO systems (LP: #1702541)
- dell-wmi: Add a WMI event code for display on/off
* Intel i40e PF reset under load (LP: #1700834)
- i40e/i40evf: Limit TSO to 7 descriptors for payload instead of 8 per packet
* update ENA driver to 1.2.0k from net-next (LP: #1701575)
- net: ena: remove superfluous check in ena_remove()
- net: ena: fix rare uncompleted admin command false alarm
- net: ena: add missing return when ena_com_get_io_handlers() fails
- net: ena: fix race condition between submit and completion admin command
- net: ena: add missing unmap bars on device removal
- net: ena: fix theoretical Rx hang on low memory systems
- net: ena: disable admin msix while working in polling mode
- net: ena: bug fix in lost tx packets detection mechanism
- net: ena: update ena driver to version 1.1.7
- net: ena: change return value for unsupported features unsupported return
value
- net: ena: add hardware hints capability to the driver
- net: ena: change sizeof() argument to be the type pointer
- net: ena: add reset reason for each device FLR
- net: ena: add support for out of order rx buffers refill
- net: ena: use napi_schedule_irqoff when possible
- net: ena: separate skb allocation to dedicated function
- net: ena: use lower_32_bits()/upper_32_bits() to split dma address
- net: ena: update driver's rx drop statistics
- net: ena: update ena driver to version 1.2.0
-- Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx> Mon, 31 Jul 2017 14:50:32 -0300
** Changed in: linux (Ubuntu Xenial)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10810
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7533
https://bugs.launchpad.net/bugs/1694733
Title:
ubuntu/rsi driver has several issues as picked up by static analysis
Status in linux package in Ubuntu:
Confirmed
Status in linux source package in Xenial:
Fix Released
Bug description:
** CID 1438209: Memory - corruptions (OVERRUN)
/ubuntu/rsi/rsi_91x_core.c: 352 in rsi_core_qos_processor()
346
347 if (status) {
348 mutex_unlock(&common->tx_lock);
349 break;
350 }
351
>>> CID 1438209: Memory - corruptions (OVERRUN)
>>> Overrunning array "common->tx_stats.total_tx_pkt_send" of 5 4-byte elements at element index 5 (byte offset 20) using index "q_num" (which evaluates to 5).
352 common->tx_stats.total_tx_pkt_send[q_num]++;
353
354 tstamp_2 = jiffies;
355 mutex_unlock(&common->tx_lock);
356
357 if (tstamp_2 > tstamp_1 + (300 * HZ / 1000))
** CID 1438210: Resource leaks (RESOURCE_LEAK)
/ubuntu/rsi/rsi_91x_hci.c: 274 in rsi_deregister_bt()
268 cmd_frame->q_no = RSI_BT_MGMT_Q;
269 cmd_frame->pkt_type = RSI_BT_PKT_TYPE_DEREGISTR;
270
271 skb_put(skb, sizeof(struct rsi_bt_cmd_frame));
272
273 //return rsi_coex_send_pkt(common, skb, RSI_BT_Q);
>>> CID 1438210: Resource leaks (RESOURCE_LEAK)
>>> Variable "skb" going out of scope leaks the storage it points to.
274 return common->priv->host_intf_ops->write_pkt(common->priv, skb->data, skb->len);
275 }
276 EXPORT_SYMBOL_GPL(rsi_deregister_bt);
277
278 int rsi_hci_recv_pkt(struct rsi_common *common, u8 *pkt)
279 {
** CID 1438211: Resource leaks (RESOURCE_LEAK)
/ubuntu/rsi/rsi_91x_hci.c: 249 in rsi_send_rfmode_frame()
243 cmd_frame->bt_rf_tx_power_mode = 0;
244 cmd_frame->bt_rf_tx_power_mode = 0;
245
246 skb_put(skb, sizeof(struct rsi_bt_rfmode_frame));
247
248 // return rsi_coex_send_pkt(common, skb, RSI_BT_Q);
>>> CID 1438211: Resource leaks (RESOURCE_LEAK)
>>> Variable "skb" going out of scope leaks the storage it points to.
249 return common->priv->host_intf_ops->write_pkt(common->priv, skb->data, skb->len);
250 }
251 EXPORT_SYMBOL_GPL(rsi_send_rfmode_frame);
252
253 int rsi_deregister_bt(struct rsi_common *common)
254 {
** CID 1438212: Null pointer dereferences (REVERSE_INULL)
/ubuntu/rsi/rsi_91x_sdio.c: 1388 in rsi_freeze()
1382 struct rsi_91x_sdiodev *sdev =
1383 (struct rsi_91x_sdiodev *)adapter->rsi_dev;
1384 #endif
1385
1386 ven_rsi_dbg(INFO_ZONE, "SDIO Bus freeze ===>\n");
1387
>>> CID 1438212: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "adapter" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1388 if (!adapter) {
1389 ven_rsi_dbg(ERR_ZONE, "Device is not ready\n");
1390 return -ENODEV;
1391 }
1392
1393 common->suspend_in_prog = true;
** CID 1438213: Control flow issues (UNREACHABLE)
/ubuntu/rsi/rsi_91x_usb.c: 497 in rsi_usb_check_queue_status()
491 struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev *)adapter->rsi_dev;
492 int status;
493 u32 buf_status = 0;
494
495 return QUEUE_NOT_FULL;
496
>>> CID 1438213: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "if (adapter->priv->fsm_stat...".
497 if (adapter->priv->fsm_state != FSM_MAC_INIT_DONE)
498 return QUEUE_NOT_FULL;
499
500 status = rsi_usb_reg_read(dev->usbdev, adapter->usb_buffer_status_reg,
501 &buf_status, 2);
502 if (status < 0)