Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/mempool: fix poisoning order&gt;0 pages with HIGHMEM<br /> <br /> The kernel test has reported:<br /> <br /> BUG: unable to handle page fault for address: fffba000<br /> #PF: supervisor write access in kernel mode<br /> #PF: error_code(0x0002) - not-present page<br /> *pde = 03171067 *pte = 00000000<br /> Oops: Oops: 0002 [#1]<br /> CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca<br /> Tainted: [T]=RANDSTRUCT<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17)<br /> Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56<br /> EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b<br /> ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8<br /> DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287<br /> CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690<br /> Call Trace:<br /> poison_element (mm/mempool.c:83 mm/mempool.c:102)<br /> mempool_init_node (mm/mempool.c:142 mm/mempool.c:226)<br /> mempool_init_noprof (mm/mempool.c:250 (discriminator 1))<br /> ? mempool_alloc_pages (mm/mempool.c:640)<br /> bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8))<br /> ? mempool_alloc_pages (mm/mempool.c:640)<br /> do_one_initcall (init/main.c:1283)<br /> <br /> Christoph found out this is due to the poisoning code not dealing<br /> properly with CONFIG_HIGHMEM because only the first page is mapped but<br /> then the whole potentially high-order page is accessed.<br /> <br /> We could give up on HIGHMEM here, but it&amp;#39;s straightforward to fix this<br /> with a loop that&amp;#39;s mapping, poisoning or checking and unmapping<br /> individual pages.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> veth: more robust handing of race to avoid txq getting stuck<br /> <br /> Commit dc82a33297fc ("veth: apply qdisc backpressure on full ptr_ring to<br /> reduce TX drops") introduced a race condition that can lead to a permanently<br /> stalled TXQ. This was observed in production on ARM64 systems (Ampere Altra<br /> Max).<br /> <br /> The race occurs in veth_xmit(). The producer observes a full ptr_ring and<br /> stops the queue (netif_tx_stop_queue()). The subsequent conditional logic,<br /> intended to re-wake the queue if the consumer had just emptied it (if<br /> (__ptr_ring_empty(...)) netif_tx_wake_queue()), can fail. This leads to a<br /> "lost wakeup" where the TXQ remains stopped (QUEUE_STATE_DRV_XOFF) and<br /> traffic halts.<br /> <br /> This failure is caused by an incorrect use of the __ptr_ring_empty() API<br /> from the producer side. As noted in kernel comments, this check is not<br /> guaranteed to be correct if a consumer is operating on another CPU. The<br /> empty test is based on ptr_ring-&gt;consumer_head, making it reliable only for<br /> the consumer. Using this check from the producer side is fundamentally racy.<br /> <br /> This patch fixes the race by adopting the more robust logic from an earlier<br /> version V4 of the patchset, which always flushed the peer:<br /> <br /> (1) In veth_xmit(), the racy conditional wake-up logic and its memory barrier<br /> are removed. Instead, after stopping the queue, we unconditionally call<br /> __veth_xdp_flush(rq). This guarantees that the NAPI consumer is scheduled,<br /> making it solely responsible for re-waking the TXQ.<br /> This handles the race where veth_poll() consumes all packets and completes<br /> NAPI *before* veth_xmit() on the producer side has called netif_tx_stop_queue.<br /> The __veth_xdp_flush(rq) will observe rx_notify_masked is false and schedule<br /> NAPI.<br /> <br /> (2) On the consumer side, the logic for waking the peer TXQ is moved out of<br /> veth_xdp_rcv() and placed at the end of the veth_poll() function. This<br /> placement is part of fixing the race, as the netif_tx_queue_stopped() check<br /> must occur after rx_notify_masked is potentially set to false during NAPI<br /> completion.<br /> This handles the race where veth_poll() consumes all packets, but haven&amp;#39;t<br /> finished (rx_notify_masked is still true). The producer veth_xmit() stops the<br /> TXQ and __veth_xdp_flush(rq) will observe rx_notify_masked is true, meaning<br /> not starting NAPI. Then veth_poll() change rx_notify_masked to false and<br /> stops NAPI. Before exiting veth_poll() will observe TXQ is stopped and wake<br /> it up.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/tegra: Add call to put_pid()<br /> <br /> Add a call to put_pid() corresponding to get_task_pid().<br /> host1x_memory_context_alloc() does not take ownership of the PID so we<br /> need to free it here to avoid leaking.<br /> <br /> [mperttunen@nvidia.com: reword commit message]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix incomplete backport in cfids_invalidation_worker()<br /> <br /> The previous commit bdb596ceb4b7 ("smb: client: fix potential UAF in<br /> smb2_close_cached_fid()") was an incomplete backport and missed one<br /> kref_put() call in cfids_invalidation_worker() that should have been<br /> converted to close_cached_dir().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: Fix proto fallback detection with BPF<br /> <br /> The sockmap feature allows bpf syscall from userspace, or based<br /> on bpf sockops, replacing the sk_prot of sockets during protocol stack<br /> processing with sockmap&amp;#39;s custom read/write interfaces.<br /> &amp;#39;&amp;#39;&amp;#39;<br /> tcp_rcv_state_process()<br /> syn_recv_sock()/subflow_syn_recv_sock()<br /> tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)<br /> bpf_skops_established ops.<br /> <br /> This fix uses the more generic sk_family for the comparison instead.<br /> <br /> Additionally, this also prevents a WARNING from occurring:<br /> <br /> result from ./scripts/decode_stacktrace.sh:<br /> ------------[ cut here ]------------<br /> WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \<br /> (net/mptcp/protocol.c:4005)<br /> Modules linked in:<br /> ...<br /> <br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> do_accept (net/socket.c:1989)<br /> __sys_accept4 (net/socket.c:2028 net/socket.c:2057)<br /> __x64_sys_accept (net/socket.c:2067)<br /> x64_sys_call (arch/x86/entry/syscall_64.c:41)<br /> do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)<br /> RIP: 0033:0x7f87ac92b83d<br /> <br /> ---[ end trace 0000000000000000 ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/plane: Fix create_in_format_blob() return value<br /> <br /> create_in_format_blob() is either supposed to return a valid<br /> pointer or an error, but never NULL. The caller will dereference<br /> the blob when it is not an error, and thus will oops if NULL<br /> returned. Return proper error values in the failure cases.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: fix memory leak in smb3_fs_context_parse_param error path<br /> <br /> Add proper cleanup of ctx-&gt;source and fc-&gt;source to the<br /> cifs_parse_mount_err error handler. This ensures that memory allocated<br /> for the source strings is correctly freed on all error paths, matching<br /> the cleanup already performed in the success path by<br /> smb3_cleanup_fs_context_contents().<br /> Pointers are also set to NULL after freeing to prevent potential<br /> double-free issues.<br /> <br /> This change fixes a memory leak originally detected by syzbot. The<br /> leak occurred when processing Opt_source mount options if an error<br /> happened after ctx-&gt;source and fc-&gt;source were successfully<br /> allocated but before the function completed.<br /> <br /> The specific leak sequence was:<br /> 1. ctx-&gt;source = smb3_fs_context_fullpath(ctx, &amp;#39;/&amp;#39;) allocates memory<br /> 2. fc-&gt;source = kstrdup(ctx-&gt;source, GFP_KERNEL) allocates more memory<br /> 3. A subsequent error jumps to cifs_parse_mount_err<br /> 4. The old error handler freed passwords but not the source strings,<br /> causing the memory to leak.<br /> <br /> This issue was not addressed by commit e8c73eb7db0a ("cifs: client:<br /> fix memory leak in smb3_fs_context_parse_param"), which only fixed<br /> leaks from repeated fsconfig() calls but not this error path.<br /> <br /> Patch updated with minor change suggested by kernel test robot

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error<br /> <br /> Make knav_dma_open_channel consistently return NULL on error instead<br /> of ERR_PTR. Currently the header include/linux/soc/ti/knav_dma.h<br /> returns NULL when the driver is disabled, but the driver<br /> implementation does not even return NULL or ERR_PTR on failure,<br /> causing inconsistency in the users. This results in a crash in<br /> netcp_free_navigator_resources as followed (trimmed):<br /> <br /> Unhandled fault: alignment exception (0x221) at 0xfffffff2<br /> [fffffff2] *pgd=80000800207003, *pmd=82ffda003, *pte=00000000<br /> Internal error: : 221 [#1] SMP ARM<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc7 #1 NONE<br /> Hardware name: Keystone<br /> PC is at knav_dma_close_channel+0x30/0x19c<br /> LR is at netcp_free_navigator_resources+0x2c/0x28c<br /> <br /> [... TRIM...]<br /> <br /> Call trace:<br /> knav_dma_close_channel from netcp_free_navigator_resources+0x2c/0x28c<br /> netcp_free_navigator_resources from netcp_ndo_open+0x430/0x46c<br /> netcp_ndo_open from __dev_open+0x114/0x29c<br /> __dev_open from __dev_change_flags+0x190/0x208<br /> __dev_change_flags from netif_change_flags+0x1c/0x58<br /> netif_change_flags from dev_change_flags+0x38/0xa0<br /> dev_change_flags from ip_auto_config+0x2c4/0x11f0<br /> ip_auto_config from do_one_initcall+0x58/0x200<br /> do_one_initcall from kernel_init_freeable+0x1cc/0x238<br /> kernel_init_freeable from kernel_init+0x1c/0x12c<br /> kernel_init from ret_from_fork+0x14/0x38<br /> [... TRIM...]<br /> <br /> Standardize the error handling by making the function return NULL on<br /> all error conditions. The API is used in just the netcp_core.c so the<br /> impact is limited.<br /> <br /> Note, this change, in effect reverts commit 5b6cb43b4d62 ("net:<br /> ethernet: ti: netcp_core: return error while dma channel open issue"),<br /> but provides a less error prone implementation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: fix address removal logic in mptcp_pm_nl_rm_addr<br /> <br /> Fix inverted WARN_ON_ONCE condition that prevented normal address<br /> removal counter updates. The current code only executes decrement<br /> logic when the counter is already 0 (abnormal state), while<br /> normal removals (counter &gt; 0) are ignored.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc<br /> <br /> s32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its<br /> fields are initialized. Notably, num_custom_params is used in<br /> pinconf_generic_parse_dt_config(), resulting in intermittent allocation<br /> errors, such as the following splat when probing i2c-imx:<br /> <br /> WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300<br /> [...]<br /> Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT)<br /> [...]<br /> Call trace:<br /> __alloc_pages_noprof+0x290/0x300 (P)<br /> ___kmalloc_large_node+0x84/0x168<br /> __kmalloc_large_node_noprof+0x34/0x120<br /> __kmalloc_noprof+0x2ac/0x378<br /> pinconf_generic_parse_dt_config+0x68/0x1a0<br /> s32_dt_node_to_map+0x104/0x248<br /> dt_to_map_one_config+0x154/0x1d8<br /> pinctrl_dt_to_map+0x12c/0x280<br /> create_pinctrl+0x6c/0x270<br /> pinctrl_get+0xc0/0x170<br /> devm_pinctrl_get+0x50/0xa0<br /> pinctrl_bind_pins+0x60/0x2a0<br /> really_probe+0x60/0x3a0<br /> [...]<br /> __platform_driver_register+0x2c/0x40<br /> i2c_adap_imx_init+0x28/0xff8 [i2c_imx]<br /> [...]<br /> <br /> This results in later parse failures that can cause issues in dependent<br /> drivers:<br /> <br /> s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property<br /> s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property<br /> [...]<br /> pca953x 0-0022: failed writing register: -6<br /> i2c i2c-0: IMX I2C adapter registered<br /> s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property<br /> s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property<br /> i2c i2c-1: IMX I2C adapter registered<br /> s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property<br /> s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property<br /> i2c i2c-2: IMX I2C adapter registered<br /> <br /> Fix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of<br /> devm_kmalloc() in s32_pinctrl_probe(), which sets the previously<br /> uninitialized fields to zero.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/radeon: delete radeon_fence_process in is_signaled, no deadlock<br /> <br /> Delete the attempt to progress the queue when checking if fence is<br /> signaled. This avoids deadlock.<br /> <br /> dma-fence_ops::signaled can be called with the fence lock in unknown<br /> state. For radeon, the fence lock is also the wait queue lock. This can<br /> cause a self deadlock when signaled() tries to make forward progress on<br /> the wait queue. But advancing the queue is unneeded because incorrectly<br /> returning false from signaled() is perfectly acceptable.<br /> <br /> (cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: core: Fix a regression triggered by scsi_host_busy()<br /> <br /> Commit 995412e23bb2 ("blk-mq: Replace tags-&gt;lock with SRCU for tag<br /> iterators") introduced the following regression:<br /> <br /> Call trace:<br /> __srcu_read_lock+0x30/0x80 (P)<br /> blk_mq_tagset_busy_iter+0x44/0x300<br /> scsi_host_busy+0x38/0x70<br /> ufshcd_print_host_state+0x34/0x1bc<br /> ufshcd_link_startup.constprop.0+0xe4/0x2e0<br /> ufshcd_init+0x944/0xf80<br /> ufshcd_pltfrm_init+0x504/0x820<br /> ufs_rockchip_probe+0x2c/0x88<br /> platform_probe+0x5c/0xa4<br /> really_probe+0xc0/0x38c<br /> __driver_probe_device+0x7c/0x150<br /> driver_probe_device+0x40/0x120<br /> __driver_attach+0xc8/0x1e0<br /> bus_for_each_dev+0x7c/0xdc<br /> driver_attach+0x24/0x30<br /> bus_add_driver+0x110/0x230<br /> driver_register+0x68/0x130<br /> __platform_driver_register+0x20/0x2c<br /> ufs_rockchip_pltform_init+0x1c/0x28<br /> do_one_initcall+0x60/0x1e0<br /> kernel_init_freeable+0x248/0x2c4<br /> kernel_init+0x20/0x140<br /> ret_from_fork+0x10/0x20<br /> <br /> Fix this regression by making scsi_host_busy() check whether the SCSI<br /> host tag set has already been initialized. tag_set-&gt;ops is set by<br /> scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This<br /> fix is based on the assumption that scsi_host_busy() and<br /> scsi_mq_setup_tags() calls are serialized. This is the case in the UFS<br /> driver.