Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvme-multipath: fix lockdep WARN due to partition scan work<br /> <br /> Blktests test cases nvme/014, 057 and 058 fail occasionally due to a<br /> lockdep WARN. As reported in the Closes tag URL, the WARN indicates that<br /> a deadlock can happen due to the dependency among disk-&gt;open_mutex,<br /> kblockd workqueue completion and partition_scan_work completion.<br /> <br /> To avoid the lockdep WARN and the potential deadlock, cut the dependency<br /> by running the partition_scan_work not by kblockd workqueue but by<br /> nvme_wq.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched_ext: Fix unsafe locking in the scx_dump_state()<br /> <br /> For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted<br /> sleepable spinlock and not disable-irq, so the following scenarios occur:<br /> <br /> inconsistent {IN-HARDIRQ-W} -&gt; {HARDIRQ-ON-W} usage.<br /> irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes:<br /> (&amp;rq-&gt;__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40<br /> {IN-HARDIRQ-W} state was registered at:<br /> lock_acquire+0x1e1/0x510<br /> _raw_spin_lock_nested+0x42/0x80<br /> raw_spin_rq_lock_nested+0x2b/0x40<br /> sched_tick+0xae/0x7b0<br /> update_process_times+0x14c/0x1b0<br /> tick_periodic+0x62/0x1f0<br /> tick_handle_periodic+0x48/0xf0<br /> timer_interrupt+0x55/0x80<br /> __handle_irq_event_percpu+0x20a/0x5c0<br /> handle_irq_event_percpu+0x18/0xc0<br /> handle_irq_event+0xb5/0x150<br /> handle_level_irq+0x220/0x460<br /> __common_interrupt+0xa2/0x1e0<br /> common_interrupt+0xb0/0xd0<br /> asm_common_interrupt+0x2b/0x40<br /> _raw_spin_unlock_irqrestore+0x45/0x80<br /> __setup_irq+0xc34/0x1a30<br /> request_threaded_irq+0x214/0x2f0<br /> hpet_time_init+0x3e/0x60<br /> x86_late_time_init+0x5b/0xb0<br /> start_kernel+0x308/0x410<br /> x86_64_start_reservations+0x1c/0x30<br /> x86_64_start_kernel+0x96/0xa0<br /> common_startup_64+0x13e/0x148<br /> <br /> other info that might help us debug this:<br /> Possible unsafe locking scenario:<br /> <br /> CPU0<br /> ----<br /> lock(&amp;rq-&gt;__lock);<br /> <br /> lock(&amp;rq-&gt;__lock);<br /> <br /> *** DEADLOCK ***<br /> <br /> stack backtrace:<br /> CPU: 0 UID: 0 PID: 27 Comm: irq_work/0<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x8c/0xd0<br /> dump_stack+0x14/0x20<br /> print_usage_bug+0x42e/0x690<br /> mark_lock.part.44+0x867/0xa70<br /> ? __pfx_mark_lock.part.44+0x10/0x10<br /> ? string_nocheck+0x19c/0x310<br /> ? number+0x739/0x9f0<br /> ? __pfx_string_nocheck+0x10/0x10<br /> ? __pfx_check_pointer+0x10/0x10<br /> ? kvm_sched_clock_read+0x15/0x30<br /> ? sched_clock_noinstr+0xd/0x20<br /> ? local_clock_noinstr+0x1c/0xe0<br /> __lock_acquire+0xc4b/0x62b0<br /> ? __pfx_format_decode+0x10/0x10<br /> ? __pfx_string+0x10/0x10<br /> ? __pfx___lock_acquire+0x10/0x10<br /> ? __pfx_vsnprintf+0x10/0x10<br /> lock_acquire+0x1e1/0x510<br /> ? raw_spin_rq_lock_nested+0x2b/0x40<br /> ? __pfx_lock_acquire+0x10/0x10<br /> ? dump_line+0x12e/0x270<br /> ? raw_spin_rq_lock_nested+0x20/0x40<br /> _raw_spin_lock_nested+0x42/0x80<br /> ? raw_spin_rq_lock_nested+0x2b/0x40<br /> raw_spin_rq_lock_nested+0x2b/0x40<br /> scx_dump_state+0x3b3/0x1270<br /> ? finish_task_switch+0x27e/0x840<br /> scx_ops_error_irq_workfn+0x67/0x80<br /> irq_work_single+0x113/0x260<br /> irq_work_run_list.part.3+0x44/0x70<br /> run_irq_workd+0x6b/0x90<br /> ? __pfx_run_irq_workd+0x10/0x10<br /> smpboot_thread_fn+0x529/0x870<br /> ? __pfx_smpboot_thread_fn+0x10/0x10<br /> kthread+0x305/0x3f0<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x40/0x70<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> <br /> This commit therefore use rq_lock_irqsave/irqrestore() to replace<br /> rq_lock/unlock() in the scx_dump_state().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: fix lock warning in amdgpu_userq_fence_driver_process<br /> <br /> Fix a potential deadlock caused by inconsistent spinlock usage<br /> between interrupt and process contexts in the userq fence driver.<br /> <br /> The issue occurs when amdgpu_userq_fence_driver_process() is called<br /> from both:<br /> - Interrupt context: gfx_v11_0_eop_irq() -&gt; amdgpu_userq_fence_driver_process()<br /> - Process context: amdgpu_eviction_fence_suspend_worker() -&gt;<br /> amdgpu_userq_fence_driver_force_completion() -&gt; amdgpu_userq_fence_driver_process()<br /> <br /> In interrupt context, the spinlock was acquired without disabling<br /> interrupts, leaving it in {IN-HARDIRQ-W} state. When the same lock<br /> is acquired in process context, the kernel detects inconsistent<br /> locking since the process context acquisition would enable interrupts<br /> while holding a lock previously acquired in interrupt context.<br /> <br /> Kernel log shows:<br /> [ 4039.310790] inconsistent {IN-HARDIRQ-W} -&gt; {HARDIRQ-ON-W} usage.<br /> [ 4039.310804] kworker/7:2/409 [HC0[0]:SC0[0]:HE1:SE1] takes:<br /> [ 4039.310818] ffff9284e1bed000 (&amp;fence_drv-&gt;fence_list_lock){?...}-{3:3},<br /> [ 4039.310993] {IN-HARDIRQ-W} state was registered at:<br /> [ 4039.311004] lock_acquire+0xc6/0x300<br /> [ 4039.311018] _raw_spin_lock+0x39/0x80<br /> [ 4039.311031] amdgpu_userq_fence_driver_process.part.0+0x30/0x180 [amdgpu]<br /> [ 4039.311146] amdgpu_userq_fence_driver_process+0x17/0x30 [amdgpu]<br /> [ 4039.311257] gfx_v11_0_eop_irq+0x132/0x170 [amdgpu]<br /> <br /> Fix by using spin_lock_irqsave()/spin_unlock_irqrestore() to properly<br /> manage interrupt state regardless of calling context.<br /> <br /> (cherry picked from commit ded3ad780cf97a04927773c4600823b84f7f3cc2)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pmdomain: arm: scmi: Fix genpd leak on provider registration failure<br /> <br /> If of_genpd_add_provider_onecell() fails during probe, the previously<br /> created generic power domains are not removed, leading to a memory leak<br /> and potential kernel crash later in genpd_debug_add().<br /> <br /> Add proper error handling to unwind the initialized domains before<br /> returning from probe to ensure all resources are correctly released on<br /> failure.<br /> <br /> Example crash trace observed without this fix:<br /> <br /> | Unable to handle kernel paging request at virtual address fffffffffffffc70<br /> | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT<br /> | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform<br /> | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> | pc : genpd_debug_add+0x2c/0x160<br /> | lr : genpd_debug_init+0x74/0x98<br /> | Call trace:<br /> | genpd_debug_add+0x2c/0x160 (P)<br /> | genpd_debug_init+0x74/0x98<br /> | do_one_initcall+0xd0/0x2d8<br /> | do_initcall_level+0xa0/0x140<br /> | do_initcalls+0x60/0xa8<br /> | do_basic_setup+0x28/0x40<br /> | kernel_init_freeable+0xe8/0x170<br /> | kernel_init+0x2c/0x140<br /> | ret_from_fork+0x10/0x20

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver<br /> <br /> After restructuring and splitting the HDMI codec driver code, each<br /> HDMI codec driver contains the own build_controls and build_pcms ops.<br /> A copy-n-paste error put the wrong entries for nvhdmi-mcp driver; both<br /> build_controls and build_pcms are swapped. Unfortunately both<br /> callbacks have the very same form, and the compiler didn&amp;#39;t complain<br /> it, either. This resulted in a NULL dereference because the PCM<br /> instance hasn&amp;#39;t been initialized at calling the build_controls<br /> callback.<br /> <br /> Fix it by passing the proper entries.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nft_ct: add seqadj extension for natted connections<br /> <br /> Sequence adjustment may be required for FTP traffic with PASV/EPSV modes.<br /> due to need to re-write packet payload (IP, port) on the ftp control<br /> connection. This can require changes to the TCP length and expected<br /> seq / ack_seq.<br /> <br /> The easiest way to reproduce this issue is with PASV mode.<br /> Example ruleset:<br /> table inet ftp_nat {<br /> ct helper ftp_helper {<br /> type "ftp" protocol tcp<br /> l3proto inet<br /> }<br /> <br /> chain prerouting {<br /> type filter hook prerouting priority 0; policy accept;<br /> tcp dport 21 ct state new ct helper set "ftp_helper"<br /> }<br /> }<br /> table ip nat {<br /> chain prerouting {<br /> type nat hook prerouting priority -100; policy accept;<br /> tcp dport 21 dnat ip prefix to ip daddr map {<br /> 192.168.100.1 : 192.168.13.2/32 }<br /> }<br /> <br /> chain postrouting {<br /> type nat hook postrouting priority 100 ; policy accept;<br /> tcp sport 21 snat ip prefix to ip saddr map {<br /> 192.168.13.2 : 192.168.100.1/32 }<br /> }<br /> }<br /> <br /> Note that the ftp helper gets assigned *after* the dnat setup.<br /> <br /> The inverse (nat after helper assign) is handled by an existing<br /> check in nf_nat_setup_info() and will not show the problem.<br /> <br /> Topoloy:<br /> <br /> +-------------------+ +----------------------------------+<br /> | FTP: 192.168.13.2 | | NAT: 192.168.13.3, 192.168.100.1 |<br /> +-------------------+ +----------------------------------+<br /> |<br /> +-----------------------+<br /> | Client: 192.168.100.2 |<br /> +-----------------------+<br /> <br /> ftp nat changes do not work as expected in this case:<br /> Connected to 192.168.100.1.<br /> [..]<br /> ftp&gt; epsv<br /> EPSV/EPRT on IPv4 off.<br /> ftp&gt; ls<br /> 227 Entering passive mode (192,168,100,1,209,129).<br /> 421 Service not available, remote server has closed connection.<br /> <br /> Kernel logs:<br /> Missing nfct_seqadj_ext_add() setup call<br /> WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41<br /> [..]<br /> __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]<br /> nf_nat_ftp+0x142/0x280 [nf_nat_ftp]<br /> help+0x4d1/0x880 [nf_conntrack_ftp]<br /> nf_confirm+0x122/0x2e0 [nf_conntrack]<br /> nf_hook_slow+0x3c/0xb0<br /> ..<br /> <br /> Fix this by adding the required extension when a conntrack helper is assigned<br /> to a connection that has a nat binding.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/guc: Synchronize Dead CT worker with unbind<br /> <br /> Cancel and wait for any Dead CT worker to complete before continuing<br /> with device unbinding. Else the worker will end up using resources freed<br /> by the undind operation.<br /> <br /> (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: account for current allocated stack depth in widen_imprecise_scalars()<br /> <br /> The usage pattern for widen_imprecise_scalars() looks as follows:<br /> <br /> prev_st = find_prev_entry(env, ...);<br /> queued_st = push_stack(...);<br /> widen_imprecise_scalars(env, prev_st, queued_st);<br /> <br /> Where prev_st is an ancestor of the queued_st in the explored states<br /> tree. This ancestor is not guaranteed to have same allocated stack<br /> depth as queued_st. E.g. in the following case:<br /> <br /> def main():<br /> for i in 1..2:<br /> foo(i) // same callsite, differnt param<br /> <br /> def foo(i):<br /> if i == 1:<br /> use 128 bytes of stack<br /> iterator based loop<br /> <br /> Here, for a second &amp;#39;foo&amp;#39; call prev_st-&gt;allocated_stack is 128,<br /> while queued_st-&gt;allocated_stack is much smaller.<br /> widen_imprecise_scalars() needs to take this into account and avoid<br /> accessing bpf_verifier_state-&gt;frame[*]-&gt;stack out of bounds.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mlx5: Fix default values in create CQ<br /> <br /> Currently, CQs without a completion function are assigned the<br /> mlx5_add_cq_to_tasklet function by default. This is problematic since<br /> only user CQs created through the mlx5_ib driver are intended to use<br /> this function.<br /> <br /> Additionally, all CQs that will use doorbells instead of polling for<br /> completions must call mlx5_cq_arm. However, the default CQ creation flow<br /> leaves a valid value in the CQ&amp;#39;s arm_db field, allowing FW to send<br /> interrupts to polling-only CQs in certain corner cases.<br /> <br /> These two factors would allow a polling-only kernel CQ to be triggered<br /> by an EQ interrupt and call a completion function intended only for user<br /> CQs, causing a null pointer exception.<br /> <br /> Some areas in the driver have prevented this issue with one-off fixes<br /> but did not address the root cause.<br /> <br /> This patch fixes the described issue by adding defaults to the create CQ<br /> flow. It adds a default dummy completion function to protect against<br /> null pointer exceptions, and it sets an invalid command sequence number<br /> by default in kernel CQs to prevent the FW from sending an interrupt to<br /> the CQ until it is armed. User CQs are responsible for their own<br /> initialization values.<br /> <br /> Callers of mlx5_core_create_cq are responsible for changing the<br /> completion function and arming the CQ per their needs.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> erofs: avoid infinite loop due to incomplete zstd-compressed data<br /> <br /> Currently, the decompression logic incorrectly spins if compressed<br /> data is truncated in crafted (deliberately corrupted) images.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/guc: Add devm release action to safely tear down CT<br /> <br /> When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE<br /> flag, the driver initiates TLB invalidation requests via the CTB mechanism<br /> while releasing the BO. However a premature release of the CTB BO can lead<br /> to system crashes, as observed in:<br /> <br /> Oops: Oops: 0000 [#1] SMP NOPTI<br /> RIP: 0010:h2g_write+0x2f3/0x7c0 [xe]<br /> Call Trace:<br /> guc_ct_send_locked+0x8b/0x670 [xe]<br /> xe_guc_ct_send_locked+0x19/0x60 [xe]<br /> send_tlb_invalidation+0xb4/0x460 [xe]<br /> xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe]<br /> ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe]<br /> ggtt_node_remove+0x110/0x140 [xe]<br /> xe_ggtt_node_remove+0x40/0xa0 [xe]<br /> xe_ggtt_remove_bo+0x87/0x250 [xe]<br /> <br /> Introduce a devm-managed release action during xe_guc_ct_init() and<br /> xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before<br /> resource deallocation, preventing the use-after-free scenario.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: imon: make send_packet() more robust<br /> <br /> syzbot is reporting that imon has three problems which result in<br /> hung tasks due to forever holding device lock [1].<br /> <br /> First problem is that when usb_rx_callback_intf0() once got -EPROTO error<br /> after ictx-&gt;dev_present_intf0 became true, usb_rx_callback_intf0()<br /> resubmits urb after printk(), and resubmitted urb causes<br /> usb_rx_callback_intf0() to again get -EPROTO error. This results in<br /> printk() flooding (RCU stalls).<br /> <br /> Alan Stern commented [2] that<br /> <br /> In theory it&amp;#39;s okay to resubmit _if_ the driver has a robust<br /> error-recovery scheme (such as giving up after some fixed limit on the<br /> number of errors or after some fixed time has elapsed, perhaps with a<br /> time delay to prevent a flood of errors). Most drivers don&amp;#39;t bother to<br /> do this; they simply give up right away. This makes them more<br /> vulnerable to short-term noise interference during USB transfers, but in<br /> reality such interference is quite rare. There&amp;#39;s nothing really wrong<br /> with giving up right away.<br /> <br /> but imon has a poor error-recovery scheme which just retries forever;<br /> this behavior should be fixed.<br /> <br /> Since I&amp;#39;m not sure whether it is safe for imon users to give up upon any<br /> error code, this patch takes care of only union of error codes chosen from<br /> modules in drivers/media/rc/ directory which handle -EPROTO error (i.e.<br /> ir_toy, mceusb and igorplugusb).<br /> <br /> Second problem is that when usb_rx_callback_intf0() once got -EPROTO error<br /> before ictx-&gt;dev_present_intf0 becomes true, usb_rx_callback_intf0() always<br /> resubmits urb due to commit 8791d63af0cf ("[media] imon: don&amp;#39;t wedge<br /> hardware after early callbacks"). Move the ictx-&gt;dev_present_intf0 test<br /> introduced by commit 6f6b90c9231a ("[media] imon: don&amp;#39;t parse scancodes<br /> until intf configured") to immediately before imon_incoming_packet(), or<br /> the first problem explained above happens without printk() flooding (i.e.<br /> hung task).<br /> <br /> Third problem is that when usb_rx_callback_intf0() is not called for some<br /> reason (e.g. flaky hardware; the reproducer for this problem sometimes<br /> prevents usb_rx_callback_intf0() from being called),<br /> wait_for_completion_interruptible() in send_packet() never returns (i.e.<br /> hung task). As a workaround for such situation, change send_packet() to<br /> wait for completion with timeout of 10 seconds.