Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/vmscape: Add conditional IBPB mitigation<br /> <br /> VMSCAPE is a vulnerability that exploits insufficient branch predictor<br /> isolation between a guest and a userspace hypervisor (like QEMU). Existing<br /> mitigations already protect kernel/KVM from a malicious guest. Userspace<br /> can additionally be protected by flushing the branch predictors after a<br /> VMexit.<br /> <br /> Since it is the userspace that consumes the poisoned branch predictors,<br /> conditionally issue an IBPB after a VMexit and before returning to<br /> userspace. Workloads that frequently switch between hypervisor and<br /> userspace will incur the most overhead from the new IBPB.<br /> <br /> This new IBPB is not integrated with the existing IBPB sites. For<br /> instance, a task can use the existing speculation control prctl() to<br /> get an IBPB at context switch time. With this implementation, the<br /> IBPB is doubled up: one at context switch and another before running<br /> userspace.<br /> <br /> The intent is to integrate and optimize these cases post-embargo.<br /> <br /> [ dhansen: elaborate on suboptimal IBPB solution ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm: dm-crypt: Do not partially accept write BIOs with zoned targets<br /> <br /> Read and write operations issued to a dm-crypt target may be split<br /> according to the dm-crypt internal limits defined by the max_read_size<br /> and max_write_size module parameters (default is 128 KB). The intent is<br /> to improve processing time of large BIOs by splitting them into smaller<br /> operations that can be parallelized on different CPUs.<br /> <br /> For zoned dm-crypt targets, this BIO splitting is still done but without<br /> the parallel execution to ensure that the issuing order of write<br /> operations to the underlying devices remains sequential. However, the<br /> splitting itself causes other problems:<br /> <br /> 1) Since dm-crypt relies on the block layer zone write plugging to<br /> handle zone append emulation using regular write operations, the<br /> reminder of a split write BIO will always be plugged into the target<br /> zone write plugged. Once the on-going write BIO finishes, this<br /> reminder BIO is unplugged and issued from the zone write plug work.<br /> If this reminder BIO itself needs to be split, the reminder will be<br /> re-issued and plugged again, but that causes a call to a<br /> blk_queue_enter(), which may block if a queue freeze operation was<br /> initiated. This results in a deadlock as DM submission still holds<br /> BIOs that the queue freeze side is waiting for.<br /> <br /> 2) dm-crypt relies on the emulation done by the block layer using<br /> regular write operations for processing zone append operations. This<br /> still requires to properly return the written sector as the BIO<br /> sector of the original BIO. However, this can be done correctly only<br /> and only if there is a single clone BIO used for processing the<br /> original zone append operation issued by the user. If the size of a<br /> zone append operation is larger than dm-crypt max_write_size, then<br /> the orginal BIO will be split and processed as a chain of regular<br /> write operations. Such chaining result in an incorrect written sector<br /> being returned to the zone append issuer using the original BIO<br /> sector. This in turn results in file system data corruptions using<br /> xfs or btrfs.<br /> <br /> Fix this by modifying get_max_request_size() to always return the size<br /> of the BIO to avoid it being split with dm_accpet_partial_bio() in<br /> crypt_map(). get_max_request_size() is renamed to<br /> get_max_request_sectors() to clarify the unit of the value returned<br /> and its interface is changed to take a struct dm_target pointer and a<br /> pointer to the struct bio being processed. In addition to this change,<br /> to ensure that crypt_alloc_buffer() works correctly, set the dm-crypt<br /> device max_hw_sectors limit to be at most<br /> BIO_MAX_VECS

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: x86/aegis - Add missing error checks<br /> <br /> The skcipher_walk functions can allocate memory and can fail, so<br /> checking for errors is necessary.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> jbd2: prevent softlockup in jbd2_log_do_checkpoint()<br /> <br /> Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list()<br /> periodically release j_list_lock after processing a batch of buffers to<br /> avoid long hold times on the j_list_lock. However, since both functions<br /> contend for j_list_lock, the combined time spent waiting and processing<br /> can be significant.<br /> <br /> jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when<br /> need_resched() is true to avoid softlockups during prolonged operations.<br /> But jbd2_log_do_checkpoint() only exits its loop when need_resched() is<br /> true, relying on potentially sleeping functions like __flush_batch() or<br /> wait_on_buffer() to trigger rescheduling. If those functions do not sleep,<br /> the kernel may hit a softlockup.<br /> <br /> watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373]<br /> CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10<br /> Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017<br /> Workqueue: writeback wb_workfn (flush-7:2)<br /> pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : native_queued_spin_lock_slowpath+0x358/0x418<br /> lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]<br /> Call trace:<br /> native_queued_spin_lock_slowpath+0x358/0x418<br /> jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]<br /> __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2]<br /> add_transaction_credits+0x3bc/0x418 [jbd2]<br /> start_this_handle+0xf8/0x560 [jbd2]<br /> jbd2__journal_start+0x118/0x228 [jbd2]<br /> __ext4_journal_start_sb+0x110/0x188 [ext4]<br /> ext4_do_writepages+0x3dc/0x740 [ext4]<br /> ext4_writepages+0xa4/0x190 [ext4]<br /> do_writepages+0x94/0x228<br /> __writeback_single_inode+0x48/0x318<br /> writeback_sb_inodes+0x204/0x590<br /> __writeback_inodes_wb+0x54/0xf8<br /> wb_writeback+0x2cc/0x3d8<br /> wb_do_writeback+0x2e0/0x2f8<br /> wb_workfn+0x80/0x2a8<br /> process_one_work+0x178/0x3e8<br /> worker_thread+0x234/0x3b8<br /> kthread+0xf0/0x108<br /> ret_from_fork+0x10/0x20<br /> <br /> So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid<br /> softlockup.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: endpoint: Fix configfs group list head handling<br /> <br /> Doing a list_del() on the epf_group field of struct pci_epf_driver in<br /> pci_epf_remove_cfs() is not correct as this field is a list head, not<br /> a list entry. This list_del() call triggers a KASAN warning when an<br /> endpoint function driver which has a configfs attribute group is torn<br /> down:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198<br /> Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319<br /> <br /> CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE<br /> Hardware name: Radxa ROCK 5B (DT)<br /> Call trace:<br /> show_stack+0x2c/0x84 (C)<br /> dump_stack_lvl+0x70/0x98<br /> print_report+0x17c/0x538<br /> kasan_report+0xb8/0x190<br /> __asan_report_store8_noabort+0x20/0x2c<br /> pci_epf_remove_cfs+0x17c/0x198<br /> pci_epf_unregister_driver+0x18/0x30<br /> nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]<br /> __arm64_sys_delete_module+0x264/0x424<br /> invoke_syscall+0x70/0x260<br /> el0_svc_common.constprop.0+0xac/0x230<br /> do_el0_svc+0x40/0x58<br /> el0_svc+0x48/0xdc<br /> el0t_64_sync_handler+0x10c/0x138<br /> el0t_64_sync+0x198/0x19c<br /> ...<br /> <br /> Remove this incorrect list_del() call from pci_epf_remove_cfs().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> soc: qcom: mdt_loader: Ensure we don&amp;#39;t read past the ELF header<br /> <br /> When the MDT loader is used in remoteproc, the ELF header is sanitized<br /> beforehand, but that&amp;#39;s not necessary the case for other clients.<br /> <br /> Validate the size of the firmware buffer to ensure that we don&amp;#39;t read<br /> past the end as we iterate over the header. e_phentsize and e_shentsize<br /> are validated as well, to ensure that the assumptions about step size in<br /> the traversal are valid.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: adc: ad7173: fix channels index for syscalib_mode<br /> <br /> Fix the index used to look up the channel when accessing the<br /> syscalib_mode attribute. The address field is a 0-based index (same<br /> as scan_index) that it used to access the channel in the<br /> ad7173_channels array throughout the driver. The channels field, on<br /> the other hand, may not match the address field depending on the<br /> channel configuration specified in the device tree and could result<br /> in an out-of-bounds access.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/hisilicon/hibmc: fix irq_request()&amp;#39;s irq name variable is local<br /> <br /> The local variable is passed in request_irq (), and there will be use<br /> after free problem, which will make request_irq failed. Using the global<br /> irq name instead of it to fix.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: Fix link speed calculation on retrain failure<br /> <br /> When pcie_failed_link_retrain() fails to retrain, it tries to revert to the<br /> previous link speed. However it calculates that speed from the Link<br /> Control 2 register without masking out non-speed bits first.<br /> <br /> PCIE_LNKCTL2_TLS2SPEED() converts such incorrect values to<br /> PCI_SPEED_UNKNOWN (0xff), which in turn causes a WARN splat in<br /> pcie_set_target_speed():<br /> <br /> pci 0000:00:01.1: [1022:14ed] type 01 class 0x060400 PCIe Root Port<br /> pci 0000:00:01.1: broken device, retraining non-functional downstream link at 2.5GT/s<br /> pci 0000:00:01.1: retraining failed<br /> WARNING: CPU: 1 PID: 1 at drivers/pci/pcie/bwctrl.c:168 pcie_set_target_speed<br /> RDX: 0000000000000001 RSI: 00000000000000ff RDI: ffff9acd82efa000<br /> pcie_failed_link_retrain<br /> pci_device_add<br /> pci_scan_single_device<br /> <br /> Mask out the non-speed bits in PCIE_LNKCTL2_TLS2SPEED() and<br /> PCIE_LNKCAP_SLS2SPEED() so they don&amp;#39;t incorrectly return PCI_SPEED_UNKNOWN.<br /> <br /> [bhelgaas: commit log, add details from https://lore.kernel.org/r/1c92ef6bcb314ee6977839b46b393282e4f52e74.1750684771.git.lukas@wunner.de]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> parisc: Drop WARN_ON_ONCE() from flush_cache_vmap<br /> <br /> I have observed warning to occassionally trigger.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: bridge: fix soft lockup in br_multicast_query_expired()<br /> <br /> When set multicast_query_interval to a large value, the local variable<br /> &amp;#39;time&amp;#39; in br_multicast_send_query() may overflow. If the time is smaller<br /> than jiffies, the timer will expire immediately, and then call mod_timer()<br /> again, which creates a loop and may trigger the following soft lockup<br /> issue.<br /> <br /> watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66]<br /> CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none)<br /> Call Trace:<br /> <br /> __netdev_alloc_skb+0x2e/0x3a0<br /> br_ip6_multicast_alloc_query+0x212/0x1b70<br /> __br_multicast_send_query+0x376/0xac0<br /> br_multicast_send_query+0x299/0x510<br /> br_multicast_query_expired.constprop.0+0x16d/0x1b0<br /> call_timer_fn+0x3b/0x2a0<br /> __run_timers+0x619/0x950<br /> run_timer_softirq+0x11c/0x220<br /> handle_softirqs+0x18e/0x560<br /> __irq_exit_rcu+0x158/0x1a0<br /> sysvec_apic_timer_interrupt+0x76/0x90<br /> <br /> <br /> This issue can be reproduced with:<br /> ip link add br0 type bridge<br /> echo 1 &gt; /sys/class/net/br0/bridge/multicast_querier<br /> echo 0xffffffffffffffff &gt;<br /> /sys/class/net/br0/bridge/multicast_query_interval<br /> ip link set dev br0 up<br /> <br /> The multicast_startup_query_interval can also cause this issue. Similar to<br /> the commit 99b40610956a ("net: bridge: mcast: add and enforce query<br /> interval minimum"), add check for the query interval maximum to fix this<br /> issue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/debug_vm_pgtable: clear page table entries at destroy_args()<br /> <br /> The mm/debug_vm_pagetable test allocates manually page table entries for<br /> the tests it runs, using also its manually allocated mm_struct. That in<br /> itself is ok, but when it exits, at destroy_args() it fails to clear those<br /> entries with the *_clear functions.<br /> <br /> The problem is that leaves stale entries. If another process allocates an<br /> mm_struct with a pgd at the same address, it may end up running into the<br /> stale entry. This is happening in practice on a debug kernel with<br /> CONFIG_DEBUG_VM_PGTABLE=y, for example this is the output with some extra<br /> debugging I added (it prints a warning trace if pgtables_bytes goes<br /> negative, in addition to the warning at check_mm() function):<br /> <br /> [ 2.539353] debug_vm_pgtable: [get_random_vaddr ]: random_vaddr is 0x7ea247140000<br /> [ 2.539366] kmem_cache info<br /> [ 2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508<br /> [ 2.539447] debug_vm_pgtable: [init_args ]: args-&gt;mm is 0x000000002267cc9e<br /> (...)<br /> [ 2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0<br /> [ 2.552816] Modules linked in:<br /> [ 2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY<br /> [ 2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries<br /> [ 2.552872] NIP: c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90<br /> [ 2.552885] REGS: c0000000622e73b0 TRAP: 0700 Not tainted (6.12.0-105.debug_vm2.el10.ppc64le+debug)<br /> [ 2.552899] MSR: 800000000282b033 CR: 24002822 XER: 0000000a<br /> [ 2.552954] CFAR: c0000000008f03f0 IRQMASK: 0<br /> [ 2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001<br /> [ 2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff<br /> [ 2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000<br /> [ 2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb<br /> [ 2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0<br /> [ 2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000<br /> [ 2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001<br /> [ 2.552954] GPR28: 000000000000000a c000000062ebc600 0000000000002000 c000000062ebc760<br /> [ 2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0<br /> [ 2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0<br /> [ 2.553199] Call Trace:<br /> [ 2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable)<br /> [ 2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0<br /> [ 2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570<br /> [ 2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650<br /> [ 2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290<br /> [ 2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0<br /> [ 2.558361] [c0000000622e7ac0] [c0000000001d141c] do_exit+0x2ec/0x870<br /> [ 2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150<br /> [ 2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50<br /> [ 2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0<br /> [ 2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec<br /> (...)<br /> [ 2.558892] ---[ end trace 0000000000000000 ]---<br /> [ 2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1<br /> [ 2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144<br /> <br /> Here the modprobe process ended up with an allocated mm_struct from the<br /> mm_struct slab that was used before by the debug_vm_pgtable test. That is<br /> not a problem, since the mm_stru<br /> ---truncated---