Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: nexthop: fix percpu use-after-free in remove_nh_grp_entry<br /> <br /> When removing a nexthop from a group, remove_nh_grp_entry() publishes<br /> the new group via rcu_assign_pointer() then immediately frees the<br /> removed entry&amp;#39;s percpu stats with free_percpu(). However, the<br /> synchronize_net() grace period in the caller remove_nexthop_from_groups()<br /> runs after the free. RCU readers that entered before the publish still<br /> see the old group and can dereference the freed stats via<br /> nh_grp_entry_stats_inc() -&gt; get_cpu_ptr(nhge-&gt;stats), causing a<br /> use-after-free on percpu memory.<br /> <br /> Fix by deferring the free_percpu() until after synchronize_net() in the<br /> caller. Removed entries are chained via nh_list onto a local deferred<br /> free list. After the grace period completes and all RCU readers have<br /> finished, the percpu stats are safely freed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ncsi: fix skb leak in error paths<br /> <br /> Early return paths in NCSI RX and AEN handlers fail to release<br /> the received skb, resulting in a memory leak.<br /> <br /> Specifically, ncsi_aen_handler() returns on invalid AEN packets<br /> without consuming the skb. Similarly, ncsi_rcv_rsp() exits early<br /> when failing to resolve the NCSI device, response handler, or<br /> request, leaving the skb unfreed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: dsa: microchip: Fix error path in PTP IRQ setup<br /> <br /> If request_threaded_irq() fails during the PTP message IRQ setup, the<br /> newly created IRQ mapping is never disposed. Indeed, the<br /> ksz_ptp_irq_setup()&amp;#39;s error path only frees the mappings that were<br /> successfully set up.<br /> <br /> Dispose the newly created mapping if the associated<br /> request_threaded_irq() fails at setup.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: macb: Shuffle the tx ring before enabling tx<br /> <br /> Quanyang observed that when using an NFS rootfs on an AMD ZynqMp board,<br /> the rootfs may take an extended time to recover after a suspend.<br /> Upon investigation, it was determined that the issue originates from a<br /> problem in the macb driver.<br /> <br /> According to the Zynq UltraScale TRM [1], when transmit is disabled,<br /> the transmit buffer queue pointer resets to point to the address<br /> specified by the transmit buffer queue base address register.<br /> <br /> In the current implementation, the code merely resets `queue-&gt;tx_head`<br /> and `queue-&gt;tx_tail` to &amp;#39;0&amp;#39;. This approach presents several issues:<br /> <br /> - Packets already queued in the tx ring are silently lost,<br /> leading to memory leaks since the associated skbs cannot be released.<br /> <br /> - Concurrent write access to `queue-&gt;tx_head` and `queue-&gt;tx_tail` may<br /> occur from `macb_tx_poll()` or `macb_start_xmit()` when these values<br /> are reset to &amp;#39;0&amp;#39;.<br /> <br /> - The transmission may become stuck on a packet that has already been sent<br /> out, with its &amp;#39;TX_USED&amp;#39; bit set, but has not yet been processed. However,<br /> due to the manipulation of &amp;#39;queue-&gt;tx_head&amp;#39; and &amp;#39;queue-&gt;tx_tail&amp;#39;,<br /> `macb_tx_poll()` incorrectly assumes there are no packets to handle<br /> because `queue-&gt;tx_head == queue-&gt;tx_tail`. This issue is only resolved<br /> when a new packet is placed at this position. This is the root cause of<br /> the prolonged recovery time observed for the NFS root filesystem.<br /> <br /> To resolve this issue, shuffle the tx ring and tx skb array so that<br /> the first unsent packet is positioned at the start of the tx ring.<br /> Additionally, ensure that updates to `queue-&gt;tx_head` and<br /> `queue-&gt;tx_tail` are properly protected with the appropriate lock.<br /> <br /> [1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: Fix use-after-free race in VM acquire<br /> <br /> Replace non-atomic vm-&gt;process_info assignment with cmpxchg()<br /> to prevent race when parent/child processes sharing a drm_file<br /> both try to acquire the same VM after fork().<br /> <br /> (cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd: Fix NULL pointer dereference in device cleanup<br /> <br /> When GPU initialization fails due to an unsupported HW block<br /> IP blocks may have a NULL version pointer. During cleanup in<br /> amdgpu_device_fini_hw, the code calls amdgpu_device_set_pg_state and<br /> amdgpu_device_set_cg_state which iterate over all IP blocks and access<br /> adev-&gt;ip_blocks[i].version without NULL checks, leading to a kernel<br /> NULL pointer dereference.<br /> <br /> Add NULL checks for adev-&gt;ip_blocks[i].version in both<br /> amdgpu_device_set_cg_state and amdgpu_device_set_pg_state to prevent<br /> dereferencing NULL pointers during GPU teardown when initialization has<br /> failed.<br /> <br /> (cherry picked from commit b7ac77468cda92eecae560b05f62f997a12fe2f2)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915: Fix potential overflow of shmem scatterlist length<br /> <br /> When a scatterlists table of a GEM shmem object of size 4 GB or more is<br /> populated with pages allocated from a folio, unsigned int .length<br /> attribute of a scatterlist may get overflowed if total byte length of<br /> pages allocated to that single scatterlist happens to reach or cross the<br /> 4GB limit. As a consequence, users of the object may suffer from hitting<br /> unexpected, premature end of the object&amp;#39;s backing pages.<br /> <br /> [278.780187] ------------[ cut here ]------------<br /> [278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg+0x199/0x1d0 [i915]<br /> ...<br /> [278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gem_mmap_offset Tainted: G S U 6.17.0-rc1-CI_DRM_16981-ged823aaa0607+ #1 PREEMPT(voluntary)<br /> [278.780656] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER<br /> [278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024<br /> [278.780659] RIP: 0010:remap_sg+0x199/0x1d0 [i915]<br /> ...<br /> [278.780786] Call Trace:<br /> [278.780787] <br /> [278.780788] ? __apply_to_page_range+0x3e6/0x910<br /> [278.780795] ? __pfx_remap_sg+0x10/0x10 [i915]<br /> [278.780906] apply_to_page_range+0x14/0x30<br /> [278.780908] remap_io_sg+0x14d/0x260 [i915]<br /> [278.781013] vm_fault_cpu+0xd2/0x330 [i915]<br /> [278.781137] __do_fault+0x3a/0x1b0<br /> [278.781140] do_fault+0x322/0x640<br /> [278.781143] __handle_mm_fault+0x938/0xfd0<br /> [278.781150] handle_mm_fault+0x12c/0x300<br /> [278.781152] ? lock_mm_and_find_vma+0x4b/0x760<br /> [278.781155] do_user_addr_fault+0x2d6/0x8e0<br /> [278.781160] exc_page_fault+0x96/0x2c0<br /> [278.781165] asm_exc_page_fault+0x27/0x30<br /> ...<br /> <br /> That issue was apprehended by the author of a change that introduced it,<br /> and potential risk even annotated with a comment, but then never addressed.<br /> <br /> When adding folio pages to a scatterlist table, take care of byte length<br /> of any single scatterlist not exceeding max_segment.<br /> <br /> (cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd: Fix a few more NULL pointer dereference in device cleanup<br /> <br /> I found a few more paths that cleanup fails due to a NULL version pointer<br /> on unsupported hardware.<br /> <br /> Add NULL checks as applicable.<br /> <br /> (cherry picked from commit f5a05f8414fc10f307eb965f303580c7778f8dd2)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix in-place encryption corruption in SMB2_write()<br /> <br /> SMB2_write() places write payload in iov[1..n] as part of rq_iov.<br /> smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()<br /> encrypts iov[1] in-place, replacing the original plaintext with<br /> ciphertext. On a replayable error, the retry sends the same iov[1]<br /> which now contains ciphertext instead of the original data,<br /> resulting in corruption.<br /> <br /> The corruption is most likely to be observed when connections are<br /> unstable, as reconnects trigger write retries that re-send the<br /> already-encrypted data.<br /> <br /> This affects SFU mknod, MF symlinks, etc. On kernels before<br /> 6.10 (prior to the netfs conversion), sync writes also used<br /> this path and were similarly affected. The async write path<br /> wasn&amp;#39;t unaffected as it uses rq_iter which gets deep-copied.<br /> <br /> Fix by moving the write payload into rq_iter via iov_iter_kvec(),<br /> so smb3_init_transform_rq() deep-copies it before encryption.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/apic: Disable x2apic on resume if the kernel expects so<br /> <br /> When resuming from s2ram, firmware may re-enable x2apic mode, which may have<br /> been disabled by the kernel during boot either because it doesn&amp;#39;t support IRQ<br /> remapping or for other reasons. This causes the kernel to continue using the<br /> xapic interface, while the hardware is in x2apic mode, which causes hangs.<br /> This happens on defconfig + bare metal + s2ram.<br /> <br /> Fix this in lapic_resume() by disabling x2apic if the kernel expects it to be<br /> disabled, i.e. when x2apic_mode = 0.<br /> <br /> The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the<br /> pre-sleep configuration or initial boot configuration for each CPU, including<br /> MSR state:<br /> <br /> When executing from the power-on reset vector as a result of waking from an<br /> S2 or S3 sleep state, the platform firmware performs only the hardware<br /> initialization required to restore the system to either the state the<br /> platform was in prior to the initial operating system boot, or to the<br /> pre-sleep configuration state. In multiprocessor systems, non-boot<br /> processors should be placed in the same state as prior to the initial<br /> operating system boot.<br /> <br /> (further ahead)<br /> <br /> If this is an S2 or S3 wake, then the platform runtime firmware restores<br /> minimum context of the system before jumping to the waking vector. This<br /> includes:<br /> <br /> CPU configuration. Platform runtime firmware restores the pre-sleep<br /> configuration or initial boot configuration of each CPU (MSR, MTRR,<br /> firmware update, SMBase, and so on). Interrupts must be disabled (for<br /> IA-32 processors, disabled by CLI instruction).<br /> <br /> (and other things)<br /> <br /> So at least as per the spec, re-enablement of x2apic by the firmware is<br /> allowed if "x2apic on" is a part of the initial boot configuration.<br /> <br /> [1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization<br /> <br /> [ bp: Massage. ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ublk: fix NULL pointer dereference in ublk_ctrl_set_size()<br /> <br /> ublk_ctrl_set_size() unconditionally dereferences ub-&gt;ub_disk via<br /> set_capacity_and_notify() without checking if it is NULL.<br /> <br /> ub-&gt;ub_disk is NULL before UBLK_CMD_START_DEV completes (it is only<br /> assigned in ublk_ctrl_start_dev()) and after UBLK_CMD_STOP_DEV runs<br /> (ublk_detach_disk() sets it to NULL). Since the UBLK_CMD_UPDATE_SIZE<br /> handler performs no state validation, a user can trigger a NULL pointer<br /> dereference by sending UPDATE_SIZE to a device that has been added but<br /> not yet started, or one that has been stopped.<br /> <br /> Fix this by checking ub-&gt;ub_disk under ub-&gt;mutex before dereferencing<br /> it, and returning -ENODEV if the disk is not available.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfs: fix undersized l_iclog_roundoff values<br /> <br /> If the superblock doesn&amp;#39;t list a log stripe unit, we set the incore log<br /> roundoff value to 512. This leads to corrupt logs and unmountable<br /> filesystems in generic/617 on a disk with 4k physical sectors...<br /> <br /> XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c<br /> XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197.<br /> XFS (sda1): failed to locate log tail<br /> XFS (sda1): log mount/recovery failed: error -74<br /> XFS (sda1): log mount failed<br /> XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c<br /> XFS (sda1): Ending clean mount<br /> <br /> ...on the current xfsprogs for-next which has a broken mkfs. xfs_info<br /> shows this...<br /> <br /> meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks<br /> = sectsz=4096 attr=2, projid32bit=1<br /> = crc=1 finobt=1, sparse=1, rmapbt=1<br /> = reflink=1 bigtime=1 inobtcount=1 nrext64=1<br /> = exchange=1 metadir=1<br /> data = bsize=4096 blocks=2579968, imaxpct=25<br /> = sunit=0 swidth=0 blks<br /> naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1<br /> log =internal log bsize=4096 blocks=16384, version=2<br /> = sectsz=4096 sunit=0 blks, lazy-count=1<br /> realtime =none extsz=4096 blocks=0, rtextents=0<br /> = rgcount=0 rgsize=268435456 extents<br /> = zoned=0 start=0 reserved=0<br /> <br /> ...observe that the log section has sectsz=4096 sunit=0, which means<br /> that the roundoff factor is 512, not 4096 as you&amp;#39;d expect. We should<br /> fix mkfs not to generate broken filesystems, but anyone can fuzz the<br /> ondisk superblock so we should be more cautious. I think the inadequate<br /> logic predates commit a6a65fef5ef8d0, but that&amp;#39;s clearly going to<br /> require a different backport.