Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: tegra: Fix a memory leak in tegra_slink_probe()<br /> <br /> In tegra_slink_probe(), when platform_get_irq() fails, it directly<br /> returns from the function with an error code, which causes a memory leak.<br /> <br /> Replace it with a goto label to ensure proper cleanup.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: Sanitize syscall table indexing under speculation<br /> <br /> The syscall number is a user-controlled value used to index into the<br /> syscall table. Use array_index_nospec() to clamp this value after the<br /> bounds check to prevent speculative out-of-bounds access and subsequent<br /> data leakage via cache side channels.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb/server: fix refcount leak in parse_durable_handle_context()<br /> <br /> When the command is a replay operation and -ENOEXEC is returned,<br /> the refcount of ksmbd_file must be released.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()<br /> <br /> When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()<br /> <br /> Add proper locking in mmp_pdma_residue() to prevent use-after-free when<br /> accessing descriptor list and descriptor contents.<br /> <br /> The race occurs when multiple threads call tx_status() while the tasklet<br /> on another CPU is freeing completed descriptors:<br /> <br /> CPU 0 CPU 1<br /> ----- -----<br /> mmp_pdma_tx_status()<br /> mmp_pdma_residue()<br /> -&gt; NO LOCK held<br /> list_for_each_entry(sw, ..)<br /> DMA interrupt<br /> dma_do_tasklet()<br /> -&gt; spin_lock(&amp;desc_lock)<br /> list_move(sw-&gt;node, ...)<br /> spin_unlock(&amp;desc_lock)<br /> | dma_pool_free(sw) access sw-&gt;desc 1).<br /> <br /> Fix by protecting the chain_running list iteration and descriptor access<br /> with the chan-&gt;desc_lock spinlock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: wlcore: ensure skb headroom before skb_push<br /> <br /> This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is<br /> less than needed (typically 110 - 94 = 16 bytes).

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb/server: fix refcount leak in smb2_open()<br /> <br /> When ksmbd_vfs_getattr() fails, the reference count of ksmbd_file<br /> must be released.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211: ocb: skip rx_no_sta when interface is not joined<br /> <br /> ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only<br /> present after JOIN_OCB.<br /> <br /> RX may run before JOIN_OCB is executed, in which case the OCB interface<br /> is not operational. Skip RX peer handling when the interface is not<br /> joined to avoid warnings in the RX path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> flex_proportions: make fprop_new_period() hardirq safe<br /> <br /> Bernd has reported a lockdep splat from flexible proportions code that is<br /> essentially complaining about the following race:<br /> <br /> <br /> run_timer_softirq - we are in softirq context<br /> call_timer_fn<br /> writeout_period<br /> fprop_new_period<br /> write_seqcount_begin(&amp;p-&gt;sequence);<br /> <br /> <br /> ...<br /> blk_mq_end_request()<br /> blk_update_request()<br /> ext4_end_bio()<br /> folio_end_writeback()<br /> __wb_writeout_add()<br /> __fprop_add_percpu_max()<br /> if (unlikely(max_frac sequence);<br /> - sees odd sequence so loops indefinitely<br /> <br /> Note that a deadlock like this is only possible if the bdi has configured<br /> maximum fraction of writeout throughput which is very rare in general but<br /> frequent for example for FUSE bdis. To fix this problem we have to make<br /> sure write section of the sequence counter is irqsafe.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()<br /> <br /> syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id()<br /> and/or mptcp_pm_nl_is_backup()<br /> <br /> Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit()<br /> which is not RCU ready.<br /> <br /> list_splice_init_rcu() can not be called here while holding pernet-&gt;lock<br /> spinlock.<br /> <br /> Many thanks to Eulgyu Kim for providing a repro and testing our patches.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/imx/tve: fix probe device leak<br /> <br /> Make sure to drop the reference taken to the DDC device during probe on<br /> probe failure (e.g. probe deferral) and on driver unbind.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bonding: fix use-after-free due to enslave fail after slave array update<br /> <br /> Fix a use-after-free which happens due to enslave failure after the new<br /> slave has been added to the array. Since the new slave can be used for Tx<br /> immediately, we can use it after it has been freed by the enslave error<br /> cleanup path which frees the allocated slave memory. Slave update array is<br /> supposed to be called last when further enslave failures are not expected.<br /> Move it after xdp setup to avoid any problems.<br /> <br /> It is very easy to reproduce the problem with a simple xdp_pass prog:<br /> ip l add bond1 type bond mode balance-xor<br /> ip l set bond1 up<br /> ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass<br /> ip l add dumdum type dummy<br /> <br /> Then run in parallel:<br /> while :; do ip l set dumdum master bond1 1&gt;/dev/null 2&gt;&amp;1; done;<br /> mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"<br /> <br /> The crash happens almost immediately:<br /> [ 605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI<br /> [ 605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]<br /> [ 605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G B 6.19.0-rc6+ #21 PREEMPT(voluntary)<br /> [ 605.602979] Tainted: [B]=BAD_PAGE<br /> [ 605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> [ 605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210<br /> [ 605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89<br /> [ 605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213<br /> [ 605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000<br /> [ 605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be<br /> [ 605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c<br /> [ 605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000<br /> [ 605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84<br /> [ 605.603286] FS: 00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000<br /> [ 605.603319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0<br /> [ 605.603373] Call Trace:<br /> [ 605.603392] <br /> [ 605.603410] __dev_queue_xmit+0x448/0x32a0<br /> [ 605.603434] ? __pfx_vprintk_emit+0x10/0x10<br /> [ 605.603461] ? __pfx_vprintk_emit+0x10/0x10<br /> [ 605.603484] ? __pfx___dev_queue_xmit+0x10/0x10<br /> [ 605.603507] ? bond_start_xmit+0xbfb/0xc20 [bonding]<br /> [ 605.603546] ? _printk+0xcb/0x100<br /> [ 605.603566] ? __pfx__printk+0x10/0x10<br /> [ 605.603589] ? bond_start_xmit+0xbfb/0xc20 [bonding]<br /> [ 605.603627] ? add_taint+0x5e/0x70<br /> [ 605.603648] ? add_taint+0x2a/0x70<br /> [ 605.603670] ? end_report.cold+0x51/0x75<br /> [ 605.603693] ? bond_start_xmit+0xbfb/0xc20 [bonding]<br /> [ 605.603731] bond_start_xmit+0x623/0xc20 [bonding]