Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: abort vma_modify() on merge out of memory failure<br /> <br /> The remainder of vma_modify() relies upon the vmg state remaining pristine<br /> after a merge attempt.<br /> <br /> Usually this is the case, however in the one edge case scenario of a merge<br /> attempt failing not due to the specified range being unmergeable, but<br /> rather due to an out of memory error arising when attempting to commit the<br /> merge, this assumption becomes untrue.<br /> <br /> This results in vmg-&gt;start, end being modified, and thus the proceeding<br /> attempts to split the VMA will be done with invalid start/end values.<br /> <br /> Thankfully, it is likely practically impossible for us to hit this in<br /> reality, as it would require a maple tree node pre-allocation failure that<br /> would likely never happen due to it being &amp;#39;too small to fail&amp;#39;, i.e. the<br /> kernel would simply keep retrying reclaim until it succeeded.<br /> <br /> However, this scenario remains theoretically possible, and what we are<br /> doing here is wrong so we must correct it.<br /> <br /> The safest option is, when this scenario occurs, to simply give up the<br /> operation. If we cannot allocate memory to merge, then we cannot allocate<br /> memory to split either (perhaps moreso!).<br /> <br /> Any scenario where this would be happening would be under very extreme<br /> (likely fatal) memory pressure, so it&amp;#39;s best we give up early.<br /> <br /> So there is no doubt it is appropriate to simply bail out in this<br /> scenario.<br /> <br /> However, in general we must if at all possible never assume VMG state is<br /> stable after a merge attempt, since merge operations update VMG fields. <br /> As a result, additionally also make this clear by storing start, end in<br /> local variables.<br /> <br /> The issue was reported originally by syzkaller, and by Brad Spengler (via<br /> an off-list discussion), and in both instances it manifested as a<br /> triggering of the assert:<br /> <br /> VM_WARN_ON_VMG(start &gt;= end, vmg);<br /> <br /> In vma_merge_existing_range().<br /> <br /> It seems at least one scenario in which this is occurring is one in which<br /> the merge being attempted is due to an madvise() across multiple VMAs<br /> which looks like this:<br /> <br /> start end<br /> ||<br /> |----------|------|<br /> | vma | next |<br /> |----------|------|<br /> <br /> When madvise_walk_vmas() is invoked, we first find vma in the above<br /> (determining prev to be equal to vma as we are offset into vma), and then<br /> enter the loop.<br /> <br /> We determine the end of vma that forms part of the range we are<br /> madvise()&amp;#39;ing by setting &amp;#39;tmp&amp;#39; to this value:<br /> <br /> /* Here vma-&gt;vm_start vm_end;<br /> <br /> We then invoke the madvise() operation via visit(), letting prev get<br /> updated to point to vma as part of the operation:<br /> <br /> /* Here vma-&gt;vm_start start, end get set to perhaps<br /> unintuitive values - we intended to shrink the middle VMA and expand the<br /> next.<br /> <br /> This means vmg-&gt;start, end are set to... vma-&gt;vm_start, start.<br /> <br /> Now the commit_merge() fails, and vmg-&gt;start, end are left like this. <br /> This means we return to the rest of vma_modify() with vmg-&gt;start, end<br /> (here denoted as start&amp;#39;, end&amp;#39;) set as:<br /> <br /> start&amp;#39; end&amp;#39;<br /> ||<br /> |----------|------|<br /> | vma | next |<br /> |----------|------|<br /> <br /> So we now erroneously try to split accordingly. This is where the<br /> unfortunate<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rapidio: add check for rio_add_net() in rio_scan_alloc_net()<br /> <br /> The return value of rio_add_net() should be checked. If it fails,<br /> put_device() should be called to free the memory and give up the reference<br /> initialized in rio_add_net().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: fix &amp;#39;scheduling while atomic&amp;#39; in mptcp_pm_nl_append_new_local_addr<br /> <br /> If multiple connection requests attempt to create an implicit mptcp<br /> endpoint in parallel, more than one caller may end up in<br /> mptcp_pm_nl_append_new_local_addr because none found the address in<br /> local_addr_list during their call to mptcp_pm_nl_get_local_id. In this<br /> case, the concurrent new_local_addr calls may delete the address entry<br /> created by the previous caller. These deletes use synchronize_rcu, but<br /> this is not permitted in some of the contexts where this function may be<br /> called. During packet recv, the caller may be in a rcu read critical<br /> section and have preemption disabled.<br /> <br /> An example stack:<br /> <br /> BUG: scheduling while atomic: swapper/2/0/0x00000302<br /> <br /> Call Trace:<br /> <br /> dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))<br /> dump_stack (lib/dump_stack.c:124)<br /> __schedule_bug (kernel/sched/core.c:5943)<br /> schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970)<br /> __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621)<br /> schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818)<br /> schedule_timeout (kernel/time/timer.c:2160)<br /> wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148)<br /> __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444)<br /> synchronize_rcu (kernel/rcu/tree.c:3609)<br /> mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061)<br /> mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164)<br /> mptcp_pm_get_local_id (net/mptcp/pm.c:420)<br /> subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213)<br /> subflow_v4_route_req (net/mptcp/subflow.c:305)<br /> tcp_conn_request (net/ipv4/tcp_input.c:7216)<br /> subflow_v4_conn_request (net/mptcp/subflow.c:651)<br /> tcp_rcv_state_process (net/ipv4/tcp_input.c:6709)<br /> tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934)<br /> tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334)<br /> ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1))<br /> ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234)<br /> ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254)<br /> ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580)<br /> ip_sublist_rcv (net/ipv4/ip_input.c:640)<br /> ip_list_rcv (net/ipv4/ip_input.c:675)<br /> __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631)<br /> netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774)<br /> napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114)<br /> igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb<br /> __napi_poll (net/core/dev.c:6582)<br /> net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787)<br /> handle_softirqs (kernel/softirq.c:553)<br /> __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636)<br /> irq_exit_rcu (kernel/softirq.c:651)<br /> common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14))<br /> <br /> <br /> This problem seems particularly prevalent if the user advertises an<br /> endpoint that has a different external vs internal address. In the case<br /> where the external address is advertised and multiple connections<br /> already exist, multiple subflow SYNs arrive in parallel which tends to<br /> trigger the race during creation of the first local_addr_list entries<br /> which have the internal address instead.<br /> <br /> Fix by skipping the replacement of an existing implicit local address if<br /> called via mptcp_pm_nl_get_local_id.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/hmm: Don&amp;#39;t dereference struct page pointers without notifier lock<br /> <br /> The pnfs that we obtain from hmm_range_fault() point to pages that<br /> we don&amp;#39;t have a reference on, and the guarantee that they are still<br /> in the cpu page-tables is that the notifier lock must be held and the<br /> notifier seqno is still valid.<br /> <br /> So while building the sg table and marking the pages accesses / dirty<br /> we need to hold this lock with a validated seqno.<br /> <br /> However, the lock is reclaim tainted which makes<br /> sg_alloc_table_from_pages_segment() unusable, since it internally<br /> allocates memory.<br /> <br /> Instead build the sg-table manually. For the non-iommu case<br /> this might lead to fewer coalesces, but if that&amp;#39;s a problem it can<br /> be fixed up later in the resource cursor code. For the iommu case,<br /> the whole sg-table may still be coalesced to a single contigous<br /> device va region.<br /> <br /> This avoids marking pages that we don&amp;#39;t own dirty and accessed, and<br /> it also avoid dereferencing struct pages that we don&amp;#39;t own.<br /> <br /> v2:<br /> - Use assert to check whether hmm pfns are valid (Matthew Auld)<br /> - Take into account that large pages may cross range boundaries<br /> (Matthew Auld)<br /> <br /> v3:<br /> - Don&amp;#39;t unnecessarily check for a non-freed sg-table. (Matthew Auld)<br /> - Add a missing up_read() in an error path. (Matthew Auld)<br /> <br /> (cherry picked from commit ea3e66d280ce2576664a862693d1da8fd324c317)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Fix null check for pipe_ctx-&gt;plane_state in resource_build_scaling_params<br /> <br /> Null pointer dereference issue could occur when pipe_ctx-&gt;plane_state<br /> is null. The fix adds a check to ensure &amp;#39;pipe_ctx-&gt;plane_state&amp;#39; is not<br /> null before accessing. This prevents a null pointer dereference.<br /> <br /> Found by code review.<br /> <br /> (cherry picked from commit 63e6a77ccf239337baa9b1e7787cde9fa0462092)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdkfd: Fix NULL Pointer Dereference in KFD queue<br /> <br /> Through KFD IOCTL Fuzzing we encountered a NULL pointer derefrence<br /> when calling kfd_queue_acquire_buffers.<br /> <br /> (cherry picked from commit 049e5bf3c8406f87c3d8e1958e0a16804fa1d530)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name()<br /> <br /> Add check for the return value of mgmt_alloc_skb() in<br /> mgmt_remote_name() to prevent null pointer dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected()<br /> <br /> Add check for the return value of mgmt_alloc_skb() in<br /> mgmt_device_connected() to prevent null pointer dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rapidio: fix an API misues when rio_add_net() fails<br /> <br /> rio_add_net() calls device_register() and fails when device_register()<br /> fails. Thus, put_device() should be used rather than kfree(). Add<br /> "mport-&gt;net = NULL;" to avoid a use after free issue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm: pgtable: fix NULL pointer dereference issue<br /> <br /> When update_mmu_cache_range() is called by update_mmu_cache(), the vmf<br /> parameter is NULL, which will cause a NULL pointer dereference issue in<br /> adjust_pte():<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 00000030 when read<br /> Hardware name: Atmel AT91SAM9<br /> PC is at update_mmu_cache_range+0x1e0/0x278<br /> LR is at pte_offset_map_rw_nolock+0x18/0x2c<br /> Call trace:<br /> update_mmu_cache_range from remove_migration_pte+0x29c/0x2ec<br /> remove_migration_pte from rmap_walk_file+0xcc/0x130<br /> rmap_walk_file from remove_migration_ptes+0x90/0xa4<br /> remove_migration_ptes from migrate_pages_batch+0x6d4/0x858<br /> migrate_pages_batch from migrate_pages+0x188/0x488<br /> migrate_pages from compact_zone+0x56c/0x954<br /> compact_zone from compact_node+0x90/0xf0<br /> compact_node from kcompactd+0x1d4/0x204<br /> kcompactd from kthread+0x120/0x12c<br /> kthread from ret_from_fork+0x14/0x38<br /> Exception stack(0xc0d8bfb0 to 0xc0d8bff8)<br /> <br /> To fix it, do not rely on whether &amp;#39;ptl&amp;#39; is equal to decide whether to hold<br /> the pte lock, but decide it by whether CONFIG_SPLIT_PTE_PTLOCKS is<br /> enabled. In addition, if two vmas map to the same PTE page, there is no<br /> need to hold the pte lock again, otherwise a deadlock will occur. Just<br /> add the need_lock parameter to let adjust_pte() know this information.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error<br /> <br /> During the initialization of ptp, hclge_ptp_get_cycle might return an error<br /> and returned directly without unregister clock and free it. To avoid that,<br /> call hclge_ptp_destroy_clock to unregist and free clock if<br /> hclge_ptp_get_cycle failed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> llc: do not use skb_get() before dev_queue_xmit()<br /> <br /> syzbot is able to crash hosts [1], using llc and devices<br /> not supporting IFF_TX_SKB_SHARING.<br /> <br /> In this case, e1000 driver calls eth_skb_pad(), while<br /> the skb is shared.<br /> <br /> Simply replace skb_get() by skb_clone() in net/llc/llc_s_ac.c<br /> <br /> Note that e1000 driver might have an issue with pktgen,<br /> because it does not clear IFF_TX_SKB_SHARING, this is an<br /> orthogonal change.<br /> <br /> We need to audit other skb_get() uses in net/llc.<br /> <br /> [1]<br /> <br /> kernel BUG at net/core/skbuff.c:2178 !<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI<br /> CPU: 0 UID: 0 PID: 16371 Comm: syz.2.2764 Not tainted 6.14.0-rc4-syzkaller-00052-gac9c34d1e45a #0<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br /> RIP: 0010:pskb_expand_head+0x6ce/0x1240 net/core/skbuff.c:2178<br /> Call Trace:<br /> <br /> __skb_pad+0x18a/0x610 net/core/skbuff.c:2466<br /> __skb_put_padto include/linux/skbuff.h:3843 [inline]<br /> skb_put_padto include/linux/skbuff.h:3862 [inline]<br /> eth_skb_pad include/linux/etherdevice.h:656 [inline]<br /> e1000_xmit_frame+0x2d99/0x5800 drivers/net/ethernet/intel/e1000/e1000_main.c:3128<br /> __netdev_start_xmit include/linux/netdevice.h:5151 [inline]<br /> netdev_start_xmit include/linux/netdevice.h:5160 [inline]<br /> xmit_one net/core/dev.c:3806 [inline]<br /> dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3822<br /> sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343<br /> __dev_xmit_skb net/core/dev.c:4045 [inline]<br /> __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4621<br /> dev_queue_xmit include/linux/netdevice.h:3313 [inline]<br /> llc_sap_action_send_test_c+0x268/0x320 net/llc/llc_s_ac.c:144<br /> llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]<br /> llc_sap_next_state net/llc/llc_sap.c:182 [inline]<br /> llc_sap_state_process+0x239/0x510 net/llc/llc_sap.c:209<br /> llc_ui_sendmsg+0xd0d/0x14e0 net/llc/af_llc.c:993<br /> sock_sendmsg_nosec net/socket.c:718 [inline]