Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: hisilicon/qm - request reserved interrupt for virtual function<br /> <br /> The device interrupt vector 3 is an error interrupt for<br /> physical function and a reserved interrupt for virtual function.<br /> However, the driver has not registered the reserved interrupt for<br /> virtual function. When allocating interrupts, the number of interrupts<br /> is allocated based on powers of two, which includes this interrupt.<br /> When the system enables GICv4 and the virtual function passthrough<br /> to the virtual machine, releasing the interrupt in the driver<br /> triggers a warning.<br /> <br /> The WARNING report is:<br /> WARNING: CPU: 62 PID: 14889 at arch/arm64/kvm/vgic/vgic-its.c:852 its_free_ite+0x94/0xb4<br /> <br /> Therefore, register a reserved interrupt for VF and set the<br /> IRQF_NO_AUTOEN flag to avoid that warning.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to truncate first page in error path of f2fs_truncate()<br /> <br /> syzbot reports a bug as below:<br /> <br /> loop0: detected capacity change from 0 to 40427<br /> F2FS-fs (loop0): Wrong SSA boundary, start(3584) end(4096) blocks(3072)<br /> F2FS-fs (loop0): Can&amp;#39;t find valid F2FS filesystem in 1th superblock<br /> F2FS-fs (loop0): invalid crc value<br /> F2FS-fs (loop0): f2fs_convert_inline_folio: corrupted inline inode ino=3, i_addr[0]:0x1601, run fsck to fix.<br /> ------------[ cut here ]------------<br /> kernel BUG at fs/inode.c:753!<br /> RIP: 0010:clear_inode+0x169/0x190 fs/inode.c:753<br /> Call Trace:<br /> <br /> evict+0x504/0x9c0 fs/inode.c:810<br /> f2fs_fill_super+0x5612/0x6fa0 fs/f2fs/super.c:5047<br /> get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1692<br /> vfs_get_tree+0x8f/0x2b0 fs/super.c:1815<br /> do_new_mount+0x2a2/0x9e0 fs/namespace.c:3808<br /> do_mount fs/namespace.c:4136 [inline]<br /> __do_sys_mount fs/namespace.c:4347 [inline]<br /> __se_sys_mount+0x317/0x410 fs/namespace.c:4324<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> During f2fs_evict_inode(), clear_inode() detects that we missed to truncate<br /> all page cache before destorying inode, that is because in below path, we<br /> will create page #0 in cache, but missed to drop it in error path, let&amp;#39;s fix<br /> it.<br /> <br /> - evict<br /> - f2fs_evict_inode<br /> - f2fs_truncate<br /> - f2fs_convert_inline_inode<br /> - f2fs_grab_cache_folio<br /> : create page #0 in cache<br /> - f2fs_convert_inline_folio<br /> : sanity check failed, return -EFSCORRUPTED<br /> - clear_inode detects that inode-&gt;i_data.nrpages is not zero

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to avoid NULL pointer dereference in f2fs_check_quota_consistency()<br /> <br /> syzbot reported a f2fs bug as below:<br /> <br /> Oops: gen[ 107.736417][ T5848] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI<br /> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br /> CPU: 1 UID: 0 PID: 5848 Comm: syz-executor263 Tainted: G W 6.17.0-rc1-syzkaller-00014-g0e39a731820a #0 PREEMPT_{RT,(full)}<br /> RIP: 0010:strcmp+0x3c/0xc0 lib/string.c:284<br /> Call Trace:<br /> <br /> f2fs_check_quota_consistency fs/f2fs/super.c:1188 [inline]<br /> f2fs_check_opt_consistency+0x1378/0x2c10 fs/f2fs/super.c:1436<br /> __f2fs_remount fs/f2fs/super.c:2653 [inline]<br /> f2fs_reconfigure+0x482/0x1770 fs/f2fs/super.c:5297<br /> reconfigure_super+0x224/0x890 fs/super.c:1077<br /> do_remount fs/namespace.c:3314 [inline]<br /> path_mount+0xd18/0xfe0 fs/namespace.c:4112<br /> do_mount fs/namespace.c:4133 [inline]<br /> __do_sys_mount fs/namespace.c:4344 [inline]<br /> __se_sys_mount+0x317/0x410 fs/namespace.c:4321<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> The direct reason is f2fs_check_quota_consistency() may suffer null-ptr-deref<br /> issue in strcmp().<br /> <br /> The bug can be reproduced w/ below scripts:<br /> mkfs.f2fs -f /dev/vdb<br /> mount -t f2fs -o usrquota /dev/vdb /mnt/f2fs<br /> quotacheck -uc /mnt/f2fs/<br /> umount /mnt/f2fs<br /> mount -t f2fs -o usrjquota=aquota.user,jqfmt=vfsold /dev/vdb /mnt/f2fs<br /> mount -t f2fs -o remount,usrjquota=,jqfmt=vfsold /dev/vdb /mnt/f2fs<br /> umount /mnt/f2fs<br /> <br /> So, before old_qname and new_qname comparison, we need to check whether<br /> they are all valid pointers, fix it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().<br /> <br /> smc_clc_prfx_set() is called during connect() and not under RCU<br /> nor RTNL.<br /> <br /> Using sk_dst_get(sk)-&gt;dev could trigger UAF.<br /> <br /> Let&amp;#39;s use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock()<br /> after kernel_getsockname().<br /> <br /> Note that the returned value of smc_clc_prfx_set() is not used<br /> in the caller.<br /> <br /> While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu()<br /> not to touch dst there.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast<br /> <br /> syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.<br /> This is the sequence of events that leads to the warning:<br /> <br /> rtl8150_start_xmit() {<br /> netif_stop_queue();<br /> usb_submit_urb(dev-&gt;tx_urb);<br /> }<br /> <br /> rtl8150_set_multicast() {<br /> netif_stop_queue();<br /> netif_wake_queue(); tx_urb);

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: ISO: Fix possible UAF on iso_conn_free<br /> <br /> This attempt to fix similar issue to sco_conn_free where if the<br /> conn-&gt;sk is not set to NULL may lead to UAF on iso_conn_free.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix symbolic link reading when bs &gt; ps<br /> <br /> [BUG DURING BS &gt; PS TEST]<br /> When running the following script on a btrfs whose block size is larger<br /> than page size, e.g. 8K block size and 4K page size, it will trigger a<br /> kernel BUG:<br /> <br /> # mkfs.btrfs -s 8k $dev<br /> # mount $dev $mnt<br /> # mkdir $mnt/dir<br /> # ln -s dir $mnt/link<br /> # ls $mnt/link<br /> <br /> The call trace looks like this:<br /> <br /> BTRFS warning (device dm-2): support for block size 8192 with page size 4096 is experimental, some features may be missing<br /> BTRFS info (device dm-2): checking UUID tree<br /> BTRFS info (device dm-2): enabling ssd optimizations<br /> BTRFS info (device dm-2): enabling free space tree<br /> ------------[ cut here ]------------<br /> kernel BUG at /home/adam/linux/include/linux/highmem.h:275!<br /> Oops: invalid opcode: 0000 [#1] SMP<br /> CPU: 8 UID: 0 PID: 667 Comm: ls Tainted: G OE 6.17.0-rc4-custom+ #283 PREEMPT(full)<br /> Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022<br /> RIP: 0010:zero_user_segments.constprop.0+0xdc/0xe0 [btrfs]<br /> Call Trace:<br /> <br /> btrfs_get_extent.cold+0x85/0x101 [btrfs 7453c70c03e631c8d8bfdd4264fa62d3e238da6f]<br /> btrfs_do_readpage+0x244/0x750 [btrfs 7453c70c03e631c8d8bfdd4264fa62d3e238da6f]<br /> btrfs_read_folio+0x9c/0x100 [btrfs 7453c70c03e631c8d8bfdd4264fa62d3e238da6f]<br /> filemap_read_folio+0x37/0xe0<br /> do_read_cache_folio+0x94/0x3e0<br /> __page_get_link.isra.0+0x20/0x90<br /> page_get_link+0x16/0x40<br /> step_into+0x69b/0x830<br /> path_lookupat+0xa7/0x170<br /> filename_lookup+0xf7/0x200<br /> ? set_ptes.isra.0+0x36/0x70<br /> vfs_statx+0x7a/0x160<br /> do_statx+0x63/0xa0<br /> __x64_sys_statx+0x90/0xe0<br /> do_syscall_64+0x82/0xae0<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53<br /> <br /> <br /> Please note bs &gt; ps support is still under development and the<br /> enablement patch is not even in btrfs development branch.<br /> <br /> [CAUSE]<br /> Btrfs reuses its data folio read path to handle symbolic links, as the<br /> symbolic link target is stored as an inline data extent.<br /> <br /> But for newly created inodes, btrfs only set the minimal order if the<br /> target inode is a regular file.<br /> <br /> Thus for above newly created symbolic link, it doesn&amp;#39;t properly respect<br /> the minimal folio order, and triggered the above crash.<br /> <br /> [FIX]<br /> Call btrfs_set_inode_mapping_order() unconditionally inside<br /> btrfs_create_new_inode().<br /> <br /> For symbolic links this will fix the crash as now the folio will meet<br /> the minimal order.<br /> <br /> For regular files this brings no change.<br /> <br /> For directory/bdev/char and all the other types of inodes, they won&amp;#39;t<br /> go through the data read path, thus no effect either.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx<br /> <br /> In __blk_mq_update_nr_hw_queues() the return value of<br /> blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx<br /> fails, later changing the number of hw_queues or removing disk will<br /> trigger the following warning:<br /> <br /> kernfs: can not remove &amp;#39;nr_tags&amp;#39;, no directory<br /> WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160<br /> Call Trace:<br /> remove_files.isra.1+0x38/0xb0<br /> sysfs_remove_group+0x4d/0x100<br /> sysfs_remove_groups+0x31/0x60<br /> __kobject_del+0x23/0xf0<br /> kobject_del+0x17/0x40<br /> blk_mq_unregister_hctx+0x5d/0x80<br /> blk_mq_sysfs_unregister_hctxs+0x94/0xd0<br /> blk_mq_update_nr_hw_queues+0x124/0x760<br /> nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]<br /> nullb_device_submit_queues_store+0x92/0x120 [null_blk]<br /> <br /> kobjct_del() was called unconditionally even if sysfs creation failed.<br /> Fix it by checkig the kobject creation statusbefore deleting it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC<br /> <br /> The referenced commit introduced exception handlers on user-space memory<br /> references in copy_from_user and copy_to_user. These handlers return from<br /> the respective function and calculate the remaining bytes left to copy<br /> using the current register contents. This commit fixes a couple of bad<br /> calculations. This will fix the return value of copy_from_user and<br /> copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hwrng: ks-sa - fix division by zero in ks_sa_rng_init<br /> <br /> Fix division by zero in ks_sa_rng_init caused by missing clock<br /> pointer initialization. The clk_get_rate() call is performed on<br /> an uninitialized clk pointer, resulting in division by zero when<br /> calculating delay values.<br /> <br /> Add clock initialization code before using the clock.<br /> <br /> <br /> drivers/char/hw_random/ks-sa-rng.c | 7 +++++++<br /> 1 file changed, 7 insertions(+)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sunrpc: fix null pointer dereference on zero-length checksum<br /> <br /> In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes<br /> checksum.data to be set to NULL. This triggers a NPD when accessing<br /> checksum.data in gss_krb5_verify_mic_v2(). This patch ensures that<br /> the value of checksum.len is not less than XDR_UNIT.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: core: Fix data race in CPU latency PM QoS request handling<br /> <br /> The cpu_latency_qos_add/remove/update_request interfaces lack internal<br /> synchronization by design, requiring the caller to ensure thread safety.<br /> The current implementation relies on the &amp;#39;pm_qos_enabled&amp;#39; flag, which is<br /> insufficient to prevent concurrent access and cannot serve as a proper<br /> synchronization mechanism. This has led to data races and list<br /> corruption issues.<br /> <br /> A typical race condition call trace is:<br /> <br /> [Thread A]<br /> ufshcd_pm_qos_exit()<br /> --&gt; cpu_latency_qos_remove_request()<br /> --&gt; cpu_latency_qos_apply();<br /> --&gt; pm_qos_update_target()<br /> --&gt; plist_del memset(req, 0, sizeof(*req));<br /> --&gt; hba-&gt;pm_qos_enabled = false;<br /> <br /> [Thread B]<br /> ufshcd_devfreq_target<br /> --&gt; ufshcd_devfreq_scale<br /> --&gt; ufshcd_scale_clks<br /> --&gt; ufshcd_pm_qos_update cpu_latency_qos_update_request<br /> --&gt; pm_qos_update_target<br /> --&gt; plist_del