Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we provide a database for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

This list will occasionally show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with criteria such as vulnerability type, manufacturer and impact level, among others, to narrow down the results.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-38651

Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:

landlock: Fix warning from KUnit tests

get_id_range() expects a positive value as first argument but
get_random_u8() can return 0. Fix this by clamping it.

Validated by running the test in a for loop for 1000 times.

Note that MAX() is wrong as it is only supposed to be used for
constants, but max() is good here.

[mic: Minor cosmetic improvements]
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2025

CVE-2025-38647

Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw89: sar: drop lockdep assertion in rtw89_set_sar_from_acpi

The following assertion is triggered on the rtw89 driver startup. It
looks meaningless to hold wiphy lock on the early init stage so drop the
assertion.

Found by Linux Verification Center (linuxtesting.org).
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2025

CVE-2025-38644

Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: reject TDLS operations when station is not associated

syzbot triggered a WARN in ieee80211_tdls_oper() by sending
NL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,
before association completed and without prior TDLS setup.

This left internal state like sdata->u.mgd.tdls_peer uninitialized,
leading to a WARN_ON() in code paths that assumed it was valid.

Reject the operation early if not in station mode or not associated.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2026

CVE-2025-38645

Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Check device memory pointer before usage

Add a NULL check before accessing device memory to prevent a crash if
dev->dm allocation in mlx5_init_once() fails.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2026

CVE-2025-38640

Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:

bpf: Disable migration in nf_hook_run_bpf().

syzbot reported that the netfilter bpf prog can be called without
migration disabled in xmit path.

Then the assertion in __bpf_prog_run() fails, triggering the splat
below. [0]

Let's use bpf_prog_run_pin_on_cpu() in nf_hook_run_bpf().
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2025

CVE-2025-38641

Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btusb: Fix potential NULL dereference on kmalloc failure

Avoid potential NULL pointer dereference by checking the return value of
kmalloc and handling allocation failure properly.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2025

CVE-2025-38642

Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix WARN_ON for monitor mode on some devices

On devices without WANT_MONITOR_VIF (and probably without
channel context support) we get a WARN_ON for changing the
per-link setting of a monitor interface.

Since we already skip AP_VLAN interfaces and MONITOR with
WANT_MONITOR_VIF and/or NO_VIRTUAL_MONITOR should update
the settings, catch this in the link change code instead
of the warning.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2025

CVE-2025-38646

Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band

With a quite rare chance, RX report might be problematic to make SW think
a packet is received on 6 GHz band even if the chip does not support 6 GHz
band actually. Since SW won't initialize stuffs for unsupported bands, NULL
dereference will happen then in the sequence, rtw89_vif_rx_stats_iter() ->
rtw89_core_cancel_6ghz_probe_tx(). So, add a check to avoid it.

The following is a crash log for this case.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2025

CVE-2025-38643

Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()

Callers of wdev_chandef() must hold the wiphy mutex.

But the worker cfg80211_propagate_cac_done_wk() never takes the lock.
Which triggers the warning below with the mesh_peer_connected_dfs
test from hostapd and not (yet) released mac80211 code changes:
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2025-38639

Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_nfacct: don't assume acct name is null-terminated

BUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721
Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851
[..]
string+0x231/0x2b0 lib/vsprintf.c:721
vsnprintf+0x739/0xf00 lib/vsprintf.c:2874
[..]
nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41
xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523

nfnl_acct_find_get() handles non-null input, but the error
printk relied on its presence.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2026

CVE-2025-38635

Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:

clk: davinci: Add NULL check in davinci_lpsc_clk_register()

devm_kasprintf() returns NULL when memory allocation fails. Currently,
davinci_lpsc_clk_register() does not check for this case, which results
in a NULL pointer dereference.

Add NULL check after devm_kasprintf() to prevent this issue and ensuring
no resources are left allocated.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2026

CVE-2025-38634

Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:

power: supply: cpcap-charger: Fix null check for power_supply_get_by_name

In the cpcap_usb_detect() function, the power_supply_get_by_name()
function may return `NULL` instead of an error pointer.
To prevent potential null pointer dereferences, Added a null check.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2026