Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gpio: aggregator: protect driver attr handlers against module unload<br /> <br /> Both new_device_store and delete_device_store touch module global<br /> resources (e.g. gpio_aggregator_lock). To prevent race conditions with<br /> module unload, a reference needs to be held.<br /> <br /> Add try_module_get() in these handlers.<br /> <br /> For new_device_store, this eliminates what appears to be the most dangerous<br /> scenario: if an id is allocated from gpio_aggregator_idr but<br /> platform_device_register has not yet been called or completed, a concurrent<br /> module unload could fail to unregister/delete the device, leaving behind a<br /> dangling platform device/GPIO forwarder. This can result in various issues.<br /> The following simple reproducer demonstrates these problems:<br /> <br /> #!/bin/bash<br /> while :; do<br /> # note: whether &amp;#39;gpiochip0 0&amp;#39; exists or not does not matter.<br /> echo &amp;#39;gpiochip0 0&amp;#39; &gt; /sys/bus/platform/drivers/gpio-aggregator/new_device<br /> done &amp;<br /> while :; do<br /> modprobe gpio-aggregator<br /> modprobe -r gpio-aggregator<br /> done &amp;<br /> wait<br /> <br /> Starting with the following warning, several kinds of warnings will appear<br /> and the system may become unstable:<br /> <br /> ------------[ cut here ]------------<br /> list_del corruption, ffff888103e2e980-&gt;next is LIST_POISON1 (dead000000000100)<br /> WARNING: CPU: 1 PID: 1327 at lib/list_debug.c:56 __list_del_entry_valid_or_report+0xa3/0x120<br /> [...]<br /> RIP: 0010:__list_del_entry_valid_or_report+0xa3/0x120<br /> [...]<br /> Call Trace:<br /> <br /> ? __list_del_entry_valid_or_report+0xa3/0x120<br /> ? __warn.cold+0x93/0xf2<br /> ? __list_del_entry_valid_or_report+0xa3/0x120<br /> ? report_bug+0xe6/0x170<br /> ? __irq_work_queue_local+0x39/0xe0<br /> ? handle_bug+0x58/0x90<br /> ? exc_invalid_op+0x13/0x60<br /> ? asm_exc_invalid_op+0x16/0x20<br /> ? __list_del_entry_valid_or_report+0xa3/0x120<br /> gpiod_remove_lookup_table+0x22/0x60<br /> new_device_store+0x315/0x350 [gpio_aggregator]<br /> kernfs_fop_write_iter+0x137/0x1f0<br /> vfs_write+0x262/0x430<br /> ksys_write+0x60/0xd0<br /> do_syscall_64+0x6c/0x180<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [...]<br /> <br /> ---[ end trace 0000000000000000 ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix bug on trap in smb2_lock<br /> <br /> If lock count is greater than 1, flags could be old value.<br /> It should be checked with flags of smb_lock, not flags.<br /> It will cause bug-on trap from locks_free_lock in error handling<br /> routine.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix use-after-free in smb2_lock<br /> <br /> If smb_lock-&gt;zero_len has value, -&gt;llist of smb_lock is not delete and<br /> flock is old one. It will cause use-after-free on error handling<br /> routine.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: appleir: Fix potential NULL dereference at raw event handle<br /> <br /> Syzkaller reports a NULL pointer dereference issue in input_event().<br /> <br /> BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]<br /> BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]<br /> BUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline]<br /> BUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395<br /> Read of size 8 at addr 0000000000000028 by task syz-executor199/2949<br /> <br /> CPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120<br /> kasan_report+0xd9/0x110 mm/kasan/report.c:602<br /> check_region_inline mm/kasan/generic.c:183 [inline]<br /> kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189<br /> instrument_atomic_read include/linux/instrumented.h:68 [inline]<br /> _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]<br /> is_event_supported drivers/input/input.c:67 [inline]<br /> input_event+0x42/0xa0 drivers/input/input.c:395<br /> input_report_key include/linux/input.h:439 [inline]<br /> key_down drivers/hid/hid-appleir.c:159 [inline]<br /> appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232<br /> __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111<br /> hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484<br /> __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650<br /> usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734<br /> dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993<br /> __run_hrtimer kernel/time/hrtimer.c:1739 [inline]<br /> __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803<br /> hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820<br /> handle_softirqs+0x206/0x8d0 kernel/softirq.c:561<br /> __do_softirq kernel/softirq.c:595 [inline]<br /> invoke_softirq kernel/softirq.c:435 [inline]<br /> __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662<br /> irq_exit_rcu+0x9/0x30 kernel/softirq.c:678<br /> instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]<br /> sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049<br /> <br /> <br /> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702<br /> __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185<br /> add_timer+0x62/0x90 kernel/time/timer.c:1295<br /> schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98<br /> usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645<br /> usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784<br /> hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:906 [inline]<br /> __se_sys_ioctl fs/ioctl.c:892 [inline]<br /> __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> <br /> This happens due to the malformed report items sent by the emulated device<br /> which results in a report, that has no fields, being added to the report list.<br /> Due to this appleir_input_configured() is never called, hidinput_connect()<br /> fails which results in the HID_CLAIMED_INPUT flag is not being set. However,<br /> it does not make appleir_probe() fail and lets the event callback to be<br /> called without the associated input device.<br /> <br /> Thus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook<br /> early if the driver didn&amp;#39;t claim any input_dev for some reason. Moreover,<br /> some other hid drivers accessing input_dev in their event callbacks do have<br /> similar checks, too.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix type confusion via race condition when using ipc_msg_send_request<br /> <br /> req-&gt;handle is allocated using ksmbd_acquire_id(&amp;ipc_ida), based on<br /> ida_alloc. req-&gt;handle from ksmbd_ipc_login_request and<br /> FSCTL_PIPE_TRANSCEIVE ioctl can be same and it could lead to type confusion<br /> between messages, resulting in access to unexpected parts of memory after<br /> an incorrect delivery. ksmbd check type of ipc response but missing add<br /> continue to check next ipc reponse.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/hmm: Don&amp;#39;t dereference struct page pointers without notifier lock<br /> <br /> The pnfs that we obtain from hmm_range_fault() point to pages that<br /> we don&amp;#39;t have a reference on, and the guarantee that they are still<br /> in the cpu page-tables is that the notifier lock must be held and the<br /> notifier seqno is still valid.<br /> <br /> So while building the sg table and marking the pages accesses / dirty<br /> we need to hold this lock with a validated seqno.<br /> <br /> However, the lock is reclaim tainted which makes<br /> sg_alloc_table_from_pages_segment() unusable, since it internally<br /> allocates memory.<br /> <br /> Instead build the sg-table manually. For the non-iommu case<br /> this might lead to fewer coalesces, but if that&amp;#39;s a problem it can<br /> be fixed up later in the resource cursor code. For the iommu case,<br /> the whole sg-table may still be coalesced to a single contigous<br /> device va region.<br /> <br /> This avoids marking pages that we don&amp;#39;t own dirty and accessed, and<br /> it also avoid dereferencing struct pages that we don&amp;#39;t own.<br /> <br /> v2:<br /> - Use assert to check whether hmm pfns are valid (Matthew Auld)<br /> - Take into account that large pages may cross range boundaries<br /> (Matthew Auld)<br /> <br /> v3:<br /> - Don&amp;#39;t unnecessarily check for a non-freed sg-table. (Matthew Auld)<br /> - Add a missing up_read() in an error path. (Matthew Auld)<br /> <br /> (cherry picked from commit ea3e66d280ce2576664a862693d1da8fd324c317)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: abort vma_modify() on merge out of memory failure<br /> <br /> The remainder of vma_modify() relies upon the vmg state remaining pristine<br /> after a merge attempt.<br /> <br /> Usually this is the case, however in the one edge case scenario of a merge<br /> attempt failing not due to the specified range being unmergeable, but<br /> rather due to an out of memory error arising when attempting to commit the<br /> merge, this assumption becomes untrue.<br /> <br /> This results in vmg-&gt;start, end being modified, and thus the proceeding<br /> attempts to split the VMA will be done with invalid start/end values.<br /> <br /> Thankfully, it is likely practically impossible for us to hit this in<br /> reality, as it would require a maple tree node pre-allocation failure that<br /> would likely never happen due to it being &amp;#39;too small to fail&amp;#39;, i.e. the<br /> kernel would simply keep retrying reclaim until it succeeded.<br /> <br /> However, this scenario remains theoretically possible, and what we are<br /> doing here is wrong so we must correct it.<br /> <br /> The safest option is, when this scenario occurs, to simply give up the<br /> operation. If we cannot allocate memory to merge, then we cannot allocate<br /> memory to split either (perhaps moreso!).<br /> <br /> Any scenario where this would be happening would be under very extreme<br /> (likely fatal) memory pressure, so it&amp;#39;s best we give up early.<br /> <br /> So there is no doubt it is appropriate to simply bail out in this<br /> scenario.<br /> <br /> However, in general we must if at all possible never assume VMG state is<br /> stable after a merge attempt, since merge operations update VMG fields. <br /> As a result, additionally also make this clear by storing start, end in<br /> local variables.<br /> <br /> The issue was reported originally by syzkaller, and by Brad Spengler (via<br /> an off-list discussion), and in both instances it manifested as a<br /> triggering of the assert:<br /> <br /> VM_WARN_ON_VMG(start &gt;= end, vmg);<br /> <br /> In vma_merge_existing_range().<br /> <br /> It seems at least one scenario in which this is occurring is one in which<br /> the merge being attempted is due to an madvise() across multiple VMAs<br /> which looks like this:<br /> <br /> start end<br /> ||<br /> |----------|------|<br /> | vma | next |<br /> |----------|------|<br /> <br /> When madvise_walk_vmas() is invoked, we first find vma in the above<br /> (determining prev to be equal to vma as we are offset into vma), and then<br /> enter the loop.<br /> <br /> We determine the end of vma that forms part of the range we are<br /> madvise()&amp;#39;ing by setting &amp;#39;tmp&amp;#39; to this value:<br /> <br /> /* Here vma-&gt;vm_start vm_end;<br /> <br /> We then invoke the madvise() operation via visit(), letting prev get<br /> updated to point to vma as part of the operation:<br /> <br /> /* Here vma-&gt;vm_start start, end get set to perhaps<br /> unintuitive values - we intended to shrink the middle VMA and expand the<br /> next.<br /> <br /> This means vmg-&gt;start, end are set to... vma-&gt;vm_start, start.<br /> <br /> Now the commit_merge() fails, and vmg-&gt;start, end are left like this. <br /> This means we return to the rest of vma_modify() with vmg-&gt;start, end<br /> (here denoted as start&amp;#39;, end&amp;#39;) set as:<br /> <br /> start&amp;#39; end&amp;#39;<br /> ||<br /> |----------|------|<br /> | vma | next |<br /> |----------|------|<br /> <br /> So we now erroneously try to split accordingly. This is where the<br /> unfortunate<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm: pgtable: fix NULL pointer dereference issue<br /> <br /> When update_mmu_cache_range() is called by update_mmu_cache(), the vmf<br /> parameter is NULL, which will cause a NULL pointer dereference issue in<br /> adjust_pte():<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 00000030 when read<br /> Hardware name: Atmel AT91SAM9<br /> PC is at update_mmu_cache_range+0x1e0/0x278<br /> LR is at pte_offset_map_rw_nolock+0x18/0x2c<br /> Call trace:<br /> update_mmu_cache_range from remove_migration_pte+0x29c/0x2ec<br /> remove_migration_pte from rmap_walk_file+0xcc/0x130<br /> rmap_walk_file from remove_migration_ptes+0x90/0xa4<br /> remove_migration_ptes from migrate_pages_batch+0x6d4/0x858<br /> migrate_pages_batch from migrate_pages+0x188/0x488<br /> migrate_pages from compact_zone+0x56c/0x954<br /> compact_zone from compact_node+0x90/0xf0<br /> compact_node from kcompactd+0x1d4/0x204<br /> kcompactd from kthread+0x120/0x12c<br /> kthread from ret_from_fork+0x14/0x38<br /> Exception stack(0xc0d8bfb0 to 0xc0d8bff8)<br /> <br /> To fix it, do not rely on whether &amp;#39;ptl&amp;#39; is equal to decide whether to hold<br /> the pte lock, but decide it by whether CONFIG_SPLIT_PTE_PTLOCKS is<br /> enabled. In addition, if two vmas map to the same PTE page, there is no<br /> need to hold the pte lock again, otherwise a deadlock will occur. Just<br /> add the need_lock parameter to let adjust_pte() know this information.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdkfd: Fix NULL Pointer Dereference in KFD queue<br /> <br /> Through KFD IOCTL Fuzzing we encountered a NULL pointer derefrence<br /> when calling kfd_queue_acquire_buffers.<br /> <br /> (cherry picked from commit 049e5bf3c8406f87c3d8e1958e0a16804fa1d530)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rapidio: fix an API misues when rio_add_net() fails<br /> <br /> rio_add_net() calls device_register() and fails when device_register()<br /> fails. Thus, put_device() should be used rather than kfree(). Add<br /> "mport-&gt;net = NULL;" to avoid a use after free issue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rapidio: add check for rio_add_net() in rio_scan_alloc_net()<br /> <br /> The return value of rio_add_net() should be checked. If it fails,<br /> put_device() should be called to free the memory and give up the reference<br /> initialized in rio_add_net().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected()<br /> <br /> Add check for the return value of mgmt_alloc_skb() in<br /> mgmt_device_connected() to prevent null pointer dereference.