Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gfs2: Prevent recursive memory reclaim<br /> <br /> Function new_inode() returns a new inode with inode-&gt;i_mapping-&gt;gfp_mask<br /> set to GFP_HIGHUSER_MOVABLE. This value includes the __GFP_FS flag, so<br /> allocations in that address space can recurse into filesystem memory<br /> reclaim. We don&amp;#39;t want that to happen because it can consume a<br /> significant amount of stack memory.<br /> <br /> Worse than that is that it can also deadlock: for example, in several<br /> places, gfs2_unstuff_dinode() is called inside filesystem transactions.<br /> This calls filemap_grab_folio(), which can allocate a new folio, which<br /> can trigger memory reclaim. If memory reclaim recurses into the<br /> filesystem and starts another transaction, a deadlock will ensue.<br /> <br /> To fix these kinds of problems, prevent memory reclaim from recursing<br /> into filesystem code by making sure that the gfp_mask of inode address<br /> spaces doesn&amp;#39;t include __GFP_FS.<br /> <br /> The "meta" and resource group address spaces were already using GFP_NOFS<br /> as their gfp_mask (which doesn&amp;#39;t include __GFP_FS). The default value<br /> of GFP_HIGHUSER_MOVABLE is less restrictive than GFP_NOFS, though. To<br /> avoid being overly limiting, use the default value and only knock off<br /> the __GFP_FS flag. I&amp;#39;m not sure if this will actually make a<br /> difference, but it also shouldn&amp;#39;t hurt.<br /> <br /> This patch is loosely based on commit ad22c7a043c2 ("xfs: prevent stack<br /> overflows from page cache allocation").<br /> <br /> Fixes xfstest generic/273.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring: fix memory leak when removing provided buffers<br /> <br /> When removing provided buffers, io_buffer structs are not being disposed<br /> of, leading to a memory leak. They can&amp;#39;t be freed individually, because<br /> they are allocated in page-sized groups. They need to be added to some<br /> free list instead, such as io_buffers_cache. All callers already hold<br /> the lock protecting it, apart from when destroying buffers, so had to<br /> extend the lock there.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/64s: Fix VAS mm use after free<br /> <br /> The refcount on mm is dropped before the coprocessor is detached.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: wavefront: Fix integer overflow in sample size validation<br /> <br /> The wavefront_send_sample() function has an integer overflow issue<br /> when validating sample size. The header-&gt;size field is u32 but gets<br /> cast to int for comparison with dev-&gt;freemem<br /> <br /> Fix by using unsigned comparison to avoid integer overflow.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()<br /> <br /> The acpi_get_first_physical_node() function can return NULL, in which<br /> case the get_device() function also returns NULL, but this value is<br /> then dereferenced without checking,so add a check to prevent a crash.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: dice: fix buffer overflow in detect_stream_formats()<br /> <br /> The function detect_stream_formats() reads the stream_count value directly<br /> from a FireWire device without validating it. This can lead to<br /> out-of-bounds writes when a malicious device provides a stream_count value<br /> greater than MAX_STREAMS.<br /> <br /> Fix by applying the same validation to both TX and RX stream counts in<br /> detect_stream_formats().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/net: don&amp;#39;t overflow multishot recv<br /> <br /> Don&amp;#39;t allow overflowing multishot recv CQEs, it might get out of<br /> hand, hurt performance, and in the worst case scenario OOM the task.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check<br /> <br /> The vdpa_nl_policy structure is used to validate the nlattr when parsing<br /> the incoming nlmsg. It will ensure the attribute being described produces<br /> a valid nlattr pointer in info-&gt;attrs before entering into each handler<br /> in vdpa_nl_ops.<br /> <br /> That is to say, the missing part in vdpa_nl_policy may lead to illegal<br /> nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.<br /> <br /> This patch adds the missing nla_policy for vdpa queue index attr to avoid<br /> such bugs.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix race when deleting quota root from the dirty cow roots list<br /> <br /> When disabling quotas we are deleting the quota root from the list<br /> fs_info-&gt;dirty_cowonly_roots without taking the lock that protects it,<br /> which is struct btrfs_fs_info::trans_lock. This unsynchronized list<br /> manipulation may cause chaos if there&amp;#39;s another concurrent manipulation<br /> of this list, such as when adding a root to it with<br /> ctree.c:add_root_to_dirty_list().<br /> <br /> This can result in all sorts of weird failures caused by a race, such as<br /> the following crash:<br /> <br /> [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI<br /> [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1<br /> [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014<br /> [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]<br /> [337571.279928] Code: 85 38 06 00 (...)<br /> [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206<br /> [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000<br /> [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070<br /> [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b<br /> [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600<br /> [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48<br /> [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000<br /> [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0<br /> [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [337571.282874] Call Trace:<br /> [337571.283101] <br /> [337571.283327] ? __die_body+0x1b/0x60<br /> [337571.283570] ? die_addr+0x39/0x60<br /> [337571.283796] ? exc_general_protection+0x22e/0x430<br /> [337571.284022] ? asm_exc_general_protection+0x22/0x30<br /> [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs]<br /> [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs]<br /> [337571.284803] ? _raw_spin_unlock+0x15/0x30<br /> [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs]<br /> [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs]<br /> [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs]<br /> [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410<br /> [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs]<br /> [337571.286358] ? mod_objcg_state+0xd2/0x360<br /> [337571.286577] ? refill_obj_stock+0xb0/0x160<br /> [337571.286798] ? seq_release+0x25/0x30<br /> [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0<br /> [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0<br /> [337571.287455] ? __x64_sys_ioctl+0x88/0xc0<br /> [337571.287675] __x64_sys_ioctl+0x88/0xc0<br /> [337571.287901] do_syscall_64+0x38/0x90<br /> [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc<br /> [337571.288352] RIP: 0033:0x7f478aaffe9b<br /> <br /> So fix this by locking struct btrfs_fs_info::trans_lock before deleting<br /> the quota root from that list.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps<br /> <br /> The LRU and LRU_PERCPU maps allocate a new element on update before locking the<br /> target hash table bucket. Right after that the maps try to lock the bucket.<br /> If this fails, then maps return -EBUSY to the caller without releasing the<br /> allocated element. This makes the element untracked: it doesn&amp;#39;t belong to<br /> either of free lists, and it doesn&amp;#39;t belong to the hash table, so can&amp;#39;t be<br /> re-used; this eventually leads to the permanent -ENOMEM on LRU map updates,<br /> which is unexpected. Fix this by returning the element to the local free list<br /> if bucket locking fails.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommufd: Make sure to zero vfio_iommu_type1_info before copying to user<br /> <br /> Missed a zero initialization here. Most of the struct is filled with<br /> a copy_from_user(), however minsz for that copy is smaller than the<br /> actual struct by 8 bytes, thus we don&amp;#39;t fill the padding.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: fix underflow in chain reference counter<br /> <br /> Set element addition error path decrements reference counter on chains<br /> twice: once on element release and again via nft_data_release().<br /> <br /> Then, d6b478666ffa ("netfilter: nf_tables: fix underflow in object<br /> reference counter") incorrectly fixed this by removing the stateful<br /> object reference count decrement.<br /> <br /> Restore the stateful object decrement as in b91d90368837 ("netfilter:<br /> nf_tables: fix leaking object reference count") and let<br /> nft_data_release() decrement the chain reference counter, so this is<br /> done only once.