Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: j1939: j1939_session_new(): fix skb reference counting<br /> <br /> Since j1939_session_skb_queue() does an extra skb_get() for each new<br /> skb, do the same for the initial one in j1939_session_new() to avoid<br /> refcount underflow.<br /> <br /> [mkl: clean up commit message]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: avoid possible NULL deref in modify_prefix_route()<br /> <br /> syzbot found a NULL deref [1] in modify_prefix_route(), caused by one<br /> fib6_info without a fib6_table pointer set.<br /> <br /> This can happen for net-&gt;ipv6.fib6_null_entry<br /> <br /> [1]<br /> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI<br /> KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]<br /> CPU: 1 UID: 0 PID: 5837 Comm: syz-executor888 Not tainted 6.12.0-syzkaller-09567-g7eef7e306d3c #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089<br /> Code: 08 84 d2 0f 85 15 14 00 00 44 8b 0d ca 98 f5 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 07 7f 93 0f 84<br /> RSP: 0018:ffffc900035d7268 EFLAGS: 00010006<br /> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000<br /> RDX: 0000000000000006 RSI: 1ffff920006bae5f RDI: 0000000000000030<br /> RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001<br /> R10: ffffffff90608e17 R11: 0000000000000001 R12: 0000000000000030<br /> R13: ffff888036334880 R14: 0000000000000000 R15: 0000000000000000<br /> FS: 0000555579e90380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007ffc59cc4278 CR3: 0000000072b54000 CR4: 00000000003526f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849<br /> __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]<br /> _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178<br /> spin_lock_bh include/linux/spinlock.h:356 [inline]<br /> modify_prefix_route+0x30b/0x8b0 net/ipv6/addrconf.c:4831<br /> inet6_addr_modify net/ipv6/addrconf.c:4923 [inline]<br /> inet6_rtm_newaddr+0x12c7/0x1ab0 net/ipv6/addrconf.c:5055<br /> rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6920<br /> netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2541<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]<br /> netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1347<br /> netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1891<br /> sock_sendmsg_nosec net/socket.c:711 [inline]<br /> __sock_sendmsg net/socket.c:726 [inline]<br /> ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2583<br /> ___sys_sendmsg+0x135/0x1e0 net/socket.c:2637<br /> __sys_sendmsg+0x16e/0x220 net/socket.c:2669<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7fd1dcef8b79<br /> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007ffc59cc4378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br /> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd1dcef8b79<br /> RDX: 0000000000040040 RSI: 0000000020000140 RDI: 0000000000000004<br /> RBP: 00000000000113fd R08: 0000000000000006 R09: 0000000000000006<br /> R10: 0000000000000006 R11: 0000000000000246 R12: 00007ffc59cc438c<br /> R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: Fix icmp host relookup triggering ip_rt_bug<br /> <br /> arp link failure may trigger ip_rt_bug while xfrm enabled, call trace is:<br /> <br /> WARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),<br /> BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:ip_rt_bug+0x14/0x20<br /> Call Trace:<br /> <br /> ip_send_skb+0x14/0x40<br /> __icmp_send+0x42d/0x6a0<br /> ipv4_link_failure+0xe2/0x1d0<br /> arp_error_report+0x3c/0x50<br /> neigh_invalidate+0x8d/0x100<br /> neigh_timer_handler+0x2e1/0x330<br /> call_timer_fn+0x21/0x120<br /> __run_timer_base.part.0+0x1c9/0x270<br /> run_timer_softirq+0x4c/0x80<br /> handle_softirqs+0xac/0x280<br /> irq_exit_rcu+0x62/0x80<br /> sysvec_apic_timer_interrupt+0x77/0x90<br /> <br /> The script below reproduces this scenario:<br /> ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \<br /> dir out priority 0 ptype main flag localok icmp<br /> ip l a veth1 type veth<br /> ip a a 192.168.141.111/24 dev veth0<br /> ip l s veth0 up<br /> ping 192.168.141.155 -c 1<br /> <br /> icmp_route_lookup() create input routes for locally generated packets<br /> while xfrm relookup ICMP traffic.Then it will set input route<br /> (dst-&gt;out = ip_rt_bug) to skb for DESTUNREACH.<br /> <br /> For ICMP err triggered by locally generated packets, dst-&gt;dev of output<br /> route is loopback. Generally, xfrm relookup verification is not required<br /> on loopback interfaces (net.ipv4.conf.lo.disable_xfrm = 1).<br /> <br /> Skip icmp relookup for locally generated packets to fix it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: hsr: avoid potential out-of-bound access in fill_frame_info()<br /> <br /> syzbot is able to feed a packet with 14 bytes, pretending<br /> it is a vlan one.<br /> <br /> Since fill_frame_info() is relying on skb-&gt;mac_len already,<br /> extend the check to cover this case.<br /> <br /> BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:709 [inline]<br /> BUG: KMSAN: uninit-value in hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724<br /> fill_frame_info net/hsr/hsr_forward.c:709 [inline]<br /> hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724<br /> hsr_dev_xmit+0x2f0/0x350 net/hsr/hsr_device.c:235<br /> __netdev_start_xmit include/linux/netdevice.h:5002 [inline]<br /> netdev_start_xmit include/linux/netdevice.h:5011 [inline]<br /> xmit_one net/core/dev.c:3590 [inline]<br /> dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3606<br /> __dev_queue_xmit+0x366a/0x57d0 net/core/dev.c:4434<br /> dev_queue_xmit include/linux/netdevice.h:3168 [inline]<br /> packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276<br /> packet_snd net/packet/af_packet.c:3146 [inline]<br /> packet_sendmsg+0x91ae/0xa6f0 net/packet/af_packet.c:3178<br /> sock_sendmsg_nosec net/socket.c:711 [inline]<br /> __sock_sendmsg+0x30f/0x380 net/socket.c:726<br /> __sys_sendto+0x594/0x750 net/socket.c:2197<br /> __do_sys_sendto net/socket.c:2204 [inline]<br /> __se_sys_sendto net/socket.c:2200 [inline]<br /> __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200<br /> x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Uninit was created at:<br /> slab_post_alloc_hook mm/slub.c:4091 [inline]<br /> slab_alloc_node mm/slub.c:4134 [inline]<br /> kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186<br /> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587<br /> __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678<br /> alloc_skb include/linux/skbuff.h:1323 [inline]<br /> alloc_skb_with_frags+0xc8/0xd00 net/core/skbuff.c:6612<br /> sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2881<br /> packet_alloc_skb net/packet/af_packet.c:2995 [inline]<br /> packet_snd net/packet/af_packet.c:3089 [inline]<br /> packet_sendmsg+0x74c6/0xa6f0 net/packet/af_packet.c:3178<br /> sock_sendmsg_nosec net/socket.c:711 [inline]<br /> __sock_sendmsg+0x30f/0x380 net/socket.c:726<br /> __sys_sendto+0x594/0x750 net/socket.c:2197<br /> __do_sys_sendto net/socket.c:2204 [inline]<br /> __se_sys_sendto net/socket.c:2200 [inline]<br /> __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200<br /> x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: enetc: Do not configure preemptible TCs if SIs do not support<br /> <br /> Both ENETC PF and VF drivers share enetc_setup_tc_mqprio() to configure<br /> MQPRIO. And enetc_setup_tc_mqprio() calls enetc_change_preemptible_tcs()<br /> to configure preemptible TCs. However, only PF is able to configure<br /> preemptible TCs. Because only PF has related registers, while VF does not<br /> have these registers. So for VF, its hw-&gt;port pointer is NULL. Therefore,<br /> VF will access an invalid pointer when accessing a non-existent register,<br /> which will cause a crash issue. The simplified log is as follows.<br /> <br /> root@ls1028ardb:~# tc qdisc add dev eno0vf0 parent root handle 100: \<br /> mqprio num_tc 4 map 0 0 1 1 2 2 3 3 queues 1@0 1@1 1@2 1@3 hw 1<br /> [ 187.290775] Unable to handle kernel paging request at virtual address 0000000000001f00<br /> [ 187.424831] pc : enetc_mm_commit_preemptible_tcs+0x1c4/0x400<br /> [ 187.430518] lr : enetc_mm_commit_preemptible_tcs+0x30c/0x400<br /> [ 187.511140] Call trace:<br /> [ 187.513588] enetc_mm_commit_preemptible_tcs+0x1c4/0x400<br /> [ 187.518918] enetc_setup_tc_mqprio+0x180/0x214<br /> [ 187.523374] enetc_vf_setup_tc+0x1c/0x30<br /> [ 187.527306] mqprio_enable_offload+0x144/0x178<br /> [ 187.531766] mqprio_init+0x3ec/0x668<br /> [ 187.535351] qdisc_create+0x15c/0x488<br /> [ 187.539023] tc_modify_qdisc+0x398/0x73c<br /> [ 187.542958] rtnetlink_rcv_msg+0x128/0x378<br /> [ 187.547064] netlink_rcv_skb+0x60/0x130<br /> [ 187.550910] rtnetlink_rcv+0x18/0x24<br /> [ 187.554492] netlink_unicast+0x300/0x36c<br /> [ 187.558425] netlink_sendmsg+0x1a8/0x420<br /> [ 187.606759] ---[ end trace 0000000000000000 ]---<br /> <br /> In addition, some PFs also do not support configuring preemptible TCs,<br /> such as eno1 and eno3 on LS1028A. It won&amp;#39;t crash like it does for VFs,<br /> but we should prevent these PFs from accessing these unimplemented<br /> registers.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: x_tables: fix LED ID check in led_tg_check()<br /> <br /> Syzbot has reported the following BUG detected by KASAN:<br /> <br /> BUG: KASAN: slab-out-of-bounds in strlen+0x58/0x70<br /> Read of size 1 at addr ffff8881022da0c8 by task repro/5879<br /> ...<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x241/0x360<br /> ? __pfx_dump_stack_lvl+0x10/0x10<br /> ? __pfx__printk+0x10/0x10<br /> ? _printk+0xd5/0x120<br /> ? __virt_addr_valid+0x183/0x530<br /> ? __virt_addr_valid+0x183/0x530<br /> print_report+0x169/0x550<br /> ? __virt_addr_valid+0x183/0x530<br /> ? __virt_addr_valid+0x183/0x530<br /> ? __virt_addr_valid+0x45f/0x530<br /> ? __phys_addr+0xba/0x170<br /> ? strlen+0x58/0x70<br /> kasan_report+0x143/0x180<br /> ? strlen+0x58/0x70<br /> strlen+0x58/0x70<br /> kstrdup+0x20/0x80<br /> led_tg_check+0x18b/0x3c0<br /> xt_check_target+0x3bb/0xa40<br /> ? __pfx_xt_check_target+0x10/0x10<br /> ? stack_depot_save_flags+0x6e4/0x830<br /> ? nft_target_init+0x174/0xc30<br /> nft_target_init+0x82d/0xc30<br /> ? __pfx_nft_target_init+0x10/0x10<br /> ? nf_tables_newrule+0x1609/0x2980<br /> ? nf_tables_newrule+0x1609/0x2980<br /> ? rcu_is_watching+0x15/0xb0<br /> ? nf_tables_newrule+0x1609/0x2980<br /> ? nf_tables_newrule+0x1609/0x2980<br /> ? __kmalloc_noprof+0x21a/0x400<br /> nf_tables_newrule+0x1860/0x2980<br /> ? __pfx_nf_tables_newrule+0x10/0x10<br /> ? __nla_parse+0x40/0x60<br /> nfnetlink_rcv+0x14e5/0x2ab0<br /> ? __pfx_validate_chain+0x10/0x10<br /> ? __pfx_nfnetlink_rcv+0x10/0x10<br /> ? __lock_acquire+0x1384/0x2050<br /> ? netlink_deliver_tap+0x2e/0x1b0<br /> ? __pfx_lock_release+0x10/0x10<br /> ? netlink_deliver_tap+0x2e/0x1b0<br /> netlink_unicast+0x7f8/0x990<br /> ? __pfx_netlink_unicast+0x10/0x10<br /> ? __virt_addr_valid+0x183/0x530<br /> ? __check_object_size+0x48e/0x900<br /> netlink_sendmsg+0x8e4/0xcb0<br /> ? __pfx_netlink_sendmsg+0x10/0x10<br /> ? aa_sock_msg_perm+0x91/0x160<br /> ? __pfx_netlink_sendmsg+0x10/0x10<br /> __sock_sendmsg+0x223/0x270<br /> ____sys_sendmsg+0x52a/0x7e0<br /> ? __pfx_____sys_sendmsg+0x10/0x10<br /> __sys_sendmsg+0x292/0x380<br /> ? __pfx___sys_sendmsg+0x10/0x10<br /> ? lockdep_hardirqs_on_prepare+0x43d/0x780<br /> ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10<br /> ? exc_page_fault+0x590/0x8c0<br /> ? do_syscall_64+0xb6/0x230<br /> do_syscall_64+0xf3/0x230<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> ...<br /> <br /> <br /> Since an invalid (without &amp;#39;\0&amp;#39; byte at all) byte sequence may be passed<br /> from userspace, add an extra check to ensure that such a sequence is<br /> rejected as possible ID and so never passed to &amp;#39;kstrdup()&amp;#39; and further.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: hi311x: hi3110_can_ist(): fix potential use-after-free<br /> <br /> The commit a22bd630cfff ("can: hi311x: do not report txerr and rxerr<br /> during bus-off") removed the reporting of rxerr and txerr even in case<br /> of correct operation (i. e. not bus-off).<br /> <br /> The error count information added to the CAN frame after netif_rx() is<br /> a potential use after free, since there is no guarantee that the skb<br /> is in the same state. It might be freed or reused.<br /> <br /> Fix the issue by postponing the netif_rx() call in case of txerr and<br /> rxerr reporting.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dccp: Fix memory leak in dccp_feat_change_recv<br /> <br /> If dccp_feat_push_confirm() fails after new value for SP feature was accepted<br /> without reconciliation (&amp;#39;entry == NULL&amp;#39; branch), memory allocated for that value<br /> with dccp_feat_clone_sp_val() is never freed.<br /> <br /> Here is the kmemleak stack for this:<br /> <br /> unreferenced object 0xffff88801d4ab488 (size 8):<br /> comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s)<br /> hex dump (first 8 bytes):<br /> 01 b4 4a 1d 80 88 ff ff ..J.....<br /> backtrace:<br /> [] kmemdup+0x23/0x50 mm/util.c:128<br /> [] kmemdup include/linux/string.h:465 [inline]<br /> [] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline]<br /> [] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline]<br /> [] dccp_feat_change_recv net/dccp/feat.c:1145 [inline]<br /> [] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416<br /> [] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125<br /> [] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650<br /> [] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688<br /> [] sk_backlog_rcv include/net/sock.h:1041 [inline]<br /> [] __release_sock+0x139/0x3b0 net/core/sock.c:2570<br /> [] release_sock+0x54/0x1b0 net/core/sock.c:3111<br /> [] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline]<br /> [] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696<br /> [] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735<br /> [] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865<br /> [] __sys_connect+0x165/0x1a0 net/socket.c:1882<br /> [] __do_sys_connect net/socket.c:1892 [inline]<br /> [] __se_sys_connect net/socket.c:1889 [inline]<br /> [] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889<br /> [] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46<br /> [] entry_SYSCALL_64_after_hwframe+0x67/0xd1<br /> <br /> Clean up the allocated memory in case of dccp_feat_push_confirm() failure<br /> and bail out with an error reset code.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gpio: grgpio: Add NULL check in grgpio_probe<br /> <br /> devm_kasprintf() can return a NULL pointer on failure,but this<br /> returned value in grgpio_probe is not checked.<br /> Add NULL check in grgpio_probe, to handle kernel NULL<br /> pointer dereference error.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> geneve: do not assume mac header is set in geneve_xmit_skb()<br /> <br /> We should not assume mac header is set in output path.<br /> <br /> Use skb_eth_hdr() instead of eth_hdr() to fix the issue.<br /> <br /> sysbot reported the following :<br /> <br /> WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 skb_mac_header include/linux/skbuff.h:3052 [inline]<br /> WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 eth_hdr include/linux/if_ether.h:24 [inline]<br /> WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit_skb drivers/net/geneve.c:898 [inline]<br /> WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 11635 Comm: syz.4.1423 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> RIP: 0010:skb_mac_header include/linux/skbuff.h:3052 [inline]<br /> RIP: 0010:eth_hdr include/linux/if_ether.h:24 [inline]<br /> RIP: 0010:geneve_xmit_skb drivers/net/geneve.c:898 [inline]<br /> RIP: 0010:geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039<br /> Code: 21 c6 02 e9 35 d4 ff ff e8 a5 48 4c fb 90 0f 0b 90 e9 fd f5 ff ff e8 97 48 4c fb 90 0f 0b 90 e9 d8 f5 ff ff e8 89 48 4c fb 90 0b 90 e9 41 e4 ff ff e8 7b 48 4c fb 90 0f 0b 90 e9 cd e7 ff ff<br /> RSP: 0018:ffffc90003b2f870 EFLAGS: 00010283<br /> RAX: 000000000000037a RBX: 000000000000ffff RCX: ffffc9000dc3d000<br /> RDX: 0000000000080000 RSI: ffffffff86428417 RDI: 0000000000000003<br /> RBP: ffffc90003b2f9f0 R08: 0000000000000003 R09: 000000000000ffff<br /> R10: 000000000000ffff R11: 0000000000000002 R12: ffff88806603c000<br /> R13: 0000000000000000 R14: ffff8880685b2780 R15: 0000000000000e23<br /> FS: 00007fdc2deed6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000001b30a1dff8 CR3: 0000000056b8c000 CR4: 00000000003526f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> __netdev_start_xmit include/linux/netdevice.h:5002 [inline]<br /> netdev_start_xmit include/linux/netdevice.h:5011 [inline]<br /> __dev_direct_xmit+0x58a/0x720 net/core/dev.c:4490<br /> dev_direct_xmit include/linux/netdevice.h:3181 [inline]<br /> packet_xmit+0x1e4/0x360 net/packet/af_packet.c:285<br /> packet_snd net/packet/af_packet.c:3146 [inline]<br /> packet_sendmsg+0x2700/0x5660 net/packet/af_packet.c:3178<br /> sock_sendmsg_nosec net/socket.c:711 [inline]<br /> __sock_sendmsg net/socket.c:726 [inline]<br /> __sys_sendto+0x488/0x4f0 net/socket.c:2197<br /> __do_sys_sendto net/socket.c:2204 [inline]<br /> __se_sys_sendto net/socket.c:2200 [inline]<br /> __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2200<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: ipset: Hold module reference while requesting a module<br /> <br /> User space may unload ip_set.ko while it is itself requesting a set type<br /> backend module, leading to a kernel crash. The race condition may be<br /> provoked by inserting an mdelay() right after the nfnl_unlock() call.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nft_inner: incorrect percpu area handling under softirq<br /> <br /> Softirq can interrupt ongoing packet from process context that is<br /> walking over the percpu area that contains inner header offsets.<br /> <br /> Disable bh and perform three checks before restoring the percpu inner<br /> header offsets to validate that the percpu area is valid for this<br /> skbuff:<br /> <br /> 1) If the NFT_PKTINFO_INNER_FULL flag is set on, then this skbuff<br /> has already been parsed before for inner header fetching to<br /> register.<br /> <br /> 2) Validate that the percpu area refers to this skbuff using the<br /> skbuff pointer as a cookie. If there is a cookie mismatch, then<br /> this skbuff needs to be parsed again.<br /> <br /> 3) Finally, validate if the percpu area refers to this tunnel type.<br /> <br /> Only after these three checks the percpu area is restored to a on-stack<br /> copy and bh is enabled again.<br /> <br /> After inner header fetching, the on-stack copy is stored back to the<br /> percpu area.