[Kernel-packages] [Bug 2125053] Re: UBUNTU: fan: fail to check kmalloc() return could cause a NULL pointer dereference

Launchpad Bug Tracker Thu, 25 Sep 2025 07:56:28 -0700

This bug was fixed in the package linux - 6.17.0-5.5

---------------
linux (6.17.0-5.5) questing; urgency=medium


  * questing/linux: 6.17.0-5.5 -proposed tracker (LP: #2125319)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync git-ubuntu-log
    - [Packaging] debian.master/dkms-versions -- update from kernel-versions
      (main/d2025.09.22)

  * [SRU] Failed to create source package: Unmet build dependencies:
    bpftool:native (LP: #2122310)
    - [Packaging] fix build profile spec for bpftool

  * UBUNTU: fan: fail to check kmalloc() return could cause a NULL pointer
    dereference (LP: #2125053)
    - SAUCE: fan: vxlan: check memory allocation for map

  * iproute2 breaking netplan DEP-8 tests in Questing, unexpected "fan-map" in
    JSON output (LP: #2124257)
    - SAUCE: fan: don't enforce a specific enum value for IFLA_VXLAN_FAN_MAP

  * memory leaks when configuring a small rate limit in audit (LP: #2122554)
    - SAUCE: audit: fix skb leak when audit rate limit is exceeded

  * Support AMD Image Signal Processing (ISP) unit V4.0 (LP: #2110092)
    - SAUCE: media: platform: amd: Introduce amd isp4 capture driver
    - SAUCE: media: platform: amd: low level support for isp4 firmware
    - SAUCE: media: platform: amd: Add isp4 fw and hw interface
    - SAUCE: media: platform: amd: isp4 subdev and firmware loading handling
      added
    - SAUCE: media: platform: amd: isp4 video node and buffers handling added
    - SAUCE: media: platform: amd: isp4 debug fs logging and more descriptive
      errors
    - SAUCE: Documentation: add documentation of AMD isp 4 driver
    - [Config] Enable AMD_ISP4

  * 25.10 Snapdragon X Elite: Sync concept kernel changes (LP: #2121477)
    - phy: qcom: qmp-combo: Rename 'mode' to 'phy_mode'
    - phy: qcom: qmp-combo: store DP phy power state
    - phy: qcom: qmp-combo: introduce QMPPHY_MODE
    - phy: qcom: qmp-combo: register a typec mux to change the QMPPHY_MODE
    - arm64: dts: qcom: x1e80100-crd: Add USB multiport fingerprint reader
    - dt-bindings: arm: qcom: Add Dell Latitude 7455
    - dt-bindings: display: panel: samsung,atna40cu11: document ATNA40CU11
    - dt-bindings: display: panel: samsung,atna40ct06: document ATNA40CT06
    - drm/panel-edp: Add BOE NV140WUM-N64
    - arm64: dts: qcom: x1-crd: Enable HBR3 on external DPs
    - SAUCE: drm/dp: drm_edp_backlight_set_level: do not always send 3-byte
      commands
    - SAUCE: drm/edp-panel: Add touchscreen panel used by Lenovo X13s
    - SAUCE: net: qrtr: mhi: synchronize qrtr and mhi preparation
    - SAUCE: arm64: dts: qcom: x1e78100-t14s-oled: add eDP panel
    - SAUCE: wip: arm64: dts: qcom: x1e80100-crd: Add WiFi/BT pwrseq
    - SAUCE: wip: arm64: dts: qcom: x1e78100-t14s: enable bluetooth
    - SAUCE: drm/dp: clamp PWM bit count to advertised MIN and MAX
      capabilities
    - SAUCE: arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default
    - SAUCE: arm64: dts: qcom: x1e80100-dell-xps13-9345: Add Left/Right
      Speakers and Tweeter
    - SAUCE: arm64: dts: qcom: x1e80100-dell-xps13-9345: enable MICs LDO
    - SAUCE: arm64: dts: qcom: x1e80100-dell-xps13-9345: Mark audio channels
      as left-right swapped
    - SAUCE: arm64: dts: qcom: sc8280xp-lenovo-thinkpad-x13: Set up 4-lane DP
    - SAUCE: dt-bindings: phy: qcom,sc8280xp-qmp-usb43dp-phy: Document default
      phy mode
    - SAUCE: phy: qcom: qmp-combo: get default qmpphy_mode from DT
    - SAUCE: arm64: dts: qcom: x1e78100-lenovo-thinkpad-t14s: add HDMI nodes
    - SAUCE: dt-bindings: phy: qcom,sc8280xp-qmp-usb43dp: Reference usb-
      switch.yaml to allow mode-switch
    - SAUCE: dt-bindings: arm: qcom: Add Asus Zenbook A14 UX3407QA LCD/OLED
      variants
    - SAUCE: arm64: dts: qcom: Rework X1-based Asus Zenbook A14's displays
    - SAUCE: arm64: dts: qcom: x1e80100-asus-zenbook-a14: Enable WiFi,
      Bluetooth
    - SAUCE: arm64: dts: qcom: Add support for Dell Inspiron 7441 / Latitude
      7455
    - SAUCE: firmware: qcom: scm: Allow QSEECOM on Dell Inspiron 7441 /
      Latitude 7455
    - SAUCE: dt-bindings: arm: qcom: Add Acer Swift 14 AI
    - SAUCE: arm64: dts: qcom: x1-acer-swift-14: Add support for Acer Swift 14
    - SAUCE: arm64: dts: qcom: x1e80100: allow mode-switch events to reach the
      QMP Combo PHYs
    - SAUCE: arm64: dts: qcom: x1e80100: move dp0/1/2 data-lanes to SoC dtsi
    - SAUCE: arm64: dts: qcom: x1e80100: Set up 4-lane DP
    - SAUCE: arm64: dts: qcom: x1e80100: move remaining dp0/1/2 data-lanes to
      SoC dtsi
    - Revert "UBUNTU: SAUCE: Change: cracking sound fix"

  * UBSAN: shift-out-of-bounds in drivers/edac/skx_common.c:452:16
    (LP: #2119713)
    - EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller

  * Miscellaneous Ubuntu changes
    - [Config] updateconfigs for v6.17-rc6 rebase

 -- Timo Aaltonen <[email protected]>  Mon, 22 Sep 2025
10:33:58 +0300

** Changed in: linux (Ubuntu Questing)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2125053

Title:
  UBUNTU: fan: fail to check kmalloc() return could cause a NULL pointer
  dereference

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Jammy:
  In Progress
Status in linux source package in Noble:
  In Progress
Status in linux source package in Plucky:
  In Progress
Status in linux source package in Questing:
  Fix Released

Bug description:
  [Impact]

  In the UBUNTU SAUCE VXLAN implementation for fan, in
  'vxlan_fan_add_map()' a memory chunk is allocated to hold the a
  fan_map structure. However, the return of 'kmalloc()' is not checked,
  therefore it can lead to a NULL pointer dereference on allocation
  failure.

  ---
  static int vxlan_fan_add_map(struct vxlan_dev *vxlan, struct ifla_fan_map 
*map)
  {
  [...]
          fan_map = kmalloc(sizeof(*fan_map), GFP_KERNEL);
          fan_map->underlay = map->underlay;
  ---

  The issue was introduced by commit "UBUNTU: SAUCE: fan: add VXLAN
  implementation".

  [Fix]

  The fix is a simple check whether the memory allocation failed and
  return an error if so. The function doesn't perform any other
  operation prior to calling 'kmalloc()' that needs to be rolled back on
  error, therefore it can simply return -ENOMEM.

  ---
    fan_map = kmalloc(sizeof(*fan_map), GFP_KERNEL);
  +        if (!fan_map)
  +                return -ENOMEM;
  ---

  [Test plan]

  I have not tested the fix functionally, as the issue is hard to
  reproduce. This code path is exercised by  the 'ubuntu_fan_smoke_test'
  regression tests.

  [Where problems could occur]

  The fix is straightforward, however if issues are to occur they will
  happen while creating new fan interface.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2125053/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 2125053] Re: UBUNTU: fan: fail to check kmalloc() return could cause a NULL pointer dereference

Reply via email to