Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with criteria such as vulnerability type, manufacturer and impact level to narrow down the results.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-53853

Publication date:
09/12/2025
In the Linux kernel, the following vulnerability has been resolved:

netlink: annotate accesses to nlk->cb_running

Both netlink_recvmsg() and netlink_native_seq_show() read nlk->cb_running locklessly. Use READ_ONCE() there.

Add corresponding WRITE_ONCE() to netlink_dump() and __netlink_dump_start()

syzbot reported:
BUG: KCSAN: data-race in __netlink_dump_start / netlink_recvmsg
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-53841

Publication date:
09/12/2025
In the Linux kernel, the following vulnerability has been resolved:

devlink: report devlink_port_type_warn source device

devlink_port_type_warn is scheduled for port devlink and warning when the port type is not set. But from this warning it is not easy to find out which device (driver) has no devlink port set.

[ 3709.975552] Type was not set for devlink port.

After patch:
[ 402.473064] ice 0000:41:00.0: Type was not set for devlink port.
[ 402.473064] ice 0000:41:00.1: Type was not set for devlink port.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-53842

Publication date:
09/12/2025
In the Linux kernel, the following vulnerability has been resolved:

ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove

The MBHC resources must be released on component probe failure and removal so can not be tied to the lifetime of the component device.

This is specifically needed to allow probe deferrals of the sound card which otherwise fails when reprobing the codec component:

snd-sc8280xp sound: ASoC: failed to instantiate card -517
genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr)
wcd938x_codec audio-codec: Failed to request mbhc interrupts -16
wcd938x_codec audio-codec: mbhc initialization failed
wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16
snd-sc8280xp sound: ASoC: failed to instantiate card -16
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-53843

Publication date:
09/12/2025
In the Linux kernel, the following vulnerability has been resolved:

net: openvswitch: reject negative ifindex

Recent changes in net-next (commit 759ab1edb56c ("net: store netdevs in an xarray")) refactored the handling of pre-assigned ifindexes and let syzbot surface a latent problem in ovs. ovs does not validate ifindex, making it possible to create netdev ports with negative ifindex values. It's easy to repro with YNL:

$ ./cli.py --spec netlink/specs/ovs_datapath.yaml \
--do new \
--json '{"upcall-pid": 1, "name":"my-dp"}'
$ ./cli.py --spec netlink/specs/ovs_vport.yaml \
--do new \
--json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}'

$ ip link show
-65536: some-port0: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 7a:48:21:ad:0b:fb brd ff:ff:ff:ff:ff:ff
...

Validate the inputs. Now the second command correctly returns:

$ ./cli.py --spec netlink/specs/ovs_vport.yaml \
--do new \
--json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}'

lib.ynl.NlError: Netlink error: Numerical result out of range
nl_len = 108 (92) nl_flags = 0x300 nl_type = 2
error: -34 extack: {'msg': 'integer out of range', 'unknown': [[type:4 len:36] b'\x0c\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x03\x00\xff\xff\xff\x7f\x00\x00\x00\x00\x08\x00\x01\x00\x08\x00\x00\x00'], 'bad-attr': '.ifindex'}

Accept 0 since it used to be silently ignored.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-53844

Publication date:
09/12/2025
In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: Don't leak a resource on swapout move error

If moving the bo to system for swapout failed, we were leaking a resource. Fix.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-53845

Publication date:
09/12/2025
In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix infinite loop in nilfs_mdt_get_block()

If the disk image that nilfs2 mounts is corrupted and a virtual block address obtained by block lookup for a metadata file is invalid, nilfs_bmap_lookup_at_level() may return the same internal return code as -ENOENT, meaning the block does not exist in the metadata file.

This duplication of return codes confuses nilfs_mdt_get_block(), causing it to read and create a metadata block indefinitely.

In particular, if this happens to the inode metadata file, ifile, semaphore i_rwsem can be left held, causing task hangs in lock_mount.

Fix this issue by making nilfs_bmap_lookup_at_level() treat virtual block address translation failures with -ENOENT as metadata corruption instead of returning the error code.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-53837

Publication date:
09/12/2025
In the Linux kernel, the following vulnerability has been resolved:

drm/msm: fix NULL-deref on snapshot tear down

In case of early initialisation errors and on platforms that do not use the DPU controller, the deinitialisation code can be called with the kms pointer set to NULL.

Patchwork: https://patchwork.freedesktop.org/patch/525099/
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-53838

Publication date:
09/12/2025
In the Linux kernel, the following vulnerability has been resolved:

f2fs: synchronize atomic write aborts

To fix a race condition between atomic write aborts, I use the inode lock and make COW inode to be re-usable throughout the whole atomic file inode lifetime.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-53839

Publication date:
09/12/2025
In the Linux kernel, the following vulnerability has been resolved:

dccp: fix data-race around dp->dccps_mss_cache

dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket. Same thing in do_dccp_getsockopt().

Add READ_ONCE()/WRITE_ONCE() annotations, and change dccp_sendmsg() to check again dccps_mss_cache after socket is locked.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-53840

Publication date:
09/12/2025
In the Linux kernel, the following vulnerability has been resolved:

usb: early: xhci-dbc: Fix a potential out-of-bound memory access

If xdbc_bulk_write() fails, the values in 'buf' can be anything. So the string is not guaranteed to be NULL terminated when xdbc_trace() is called.

Reserve an extra byte, which will be zeroed automatically because 'buf' is a static variable, in order to avoid troubles, should it happen.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-53835

Publication date:
09/12/2025
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2025

CVE-2023-53831

Publication date:
09/12/2025
In the Linux kernel, the following vulnerability has been resolved:

net: read sk->sk_family once in sk_mc_loop()

syzbot is playing with IPV6_ADDRFORM quite a lot these days, and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop()

We have many more similar issues to fix.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026