Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> LoongArch: Increase ARCH_DMA_MINALIGN up to 16<br /> <br /> ARCH_DMA_MINALIGN is 1 by default, but some LoongArch-specific devices<br /> (such as APBDMA) require 16 bytes alignment. When the data buffer length<br /> is too small, the hardware may make an error writing cacheline. Thus, it<br /> is dangerous to allocate a small memory buffer for DMA. It&amp;#39;s always safe<br /> to define ARCH_DMA_MINALIGN as L1_CACHE_BYTES but unnecessary (kmalloc()<br /> need small memory objects). Therefore, just increase it to 16.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usbnet:fix NPE during rx_complete<br /> <br /> Missing usbnet_going_away Check in Critical Path.<br /> The usb_submit_urb function lacks a usbnet_going_away<br /> validation, whereas __usbnet_queue_skb includes this check.<br /> <br /> This inconsistency creates a race condition where:<br /> A URB request may succeed, but the corresponding SKB data<br /> fails to be queued.<br /> <br /> Subsequent processes:<br /> (e.g., rx_complete → defer_bh → __skb_unlink(skb, list))<br /> attempt to access skb-&gt;next, triggering a NULL pointer<br /> dereference (Kernel Panic).

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arcnet: Add NULL check in com20020pci_probe()<br /> <br /> devm_kasprintf() returns NULL when memory allocation fails. Currently,<br /> com20020pci_probe() does not check for this case, which results in a<br /> NULL pointer dereference.<br /> <br /> Add NULL check after devm_kasprintf() to prevent this issue and ensure<br /> no resources are left allocated.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: fix geneve_opt length integer overflow<br /> <br /> struct geneve_opt uses 5 bit length for each single option, which<br /> means every vary size option should be smaller than 128 bytes.<br /> <br /> However, all current related Netlink policies cannot promise this<br /> length condition and the attacker can exploit a exact 128-byte size<br /> option to *fake* a zero length option and confuse the parsing logic,<br /> further achieve heap out-of-bounds read.<br /> <br /> One example crash log is like below:<br /> <br /> [ 3.905425] ==================================================================<br /> [ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0<br /> [ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177<br /> [ 3.906646]<br /> [ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1<br /> [ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014<br /> [ 3.907784] Call Trace:<br /> [ 3.907925] <br /> [ 3.908048] dump_stack_lvl+0x44/0x5c<br /> [ 3.908258] print_report+0x184/0x4be<br /> [ 3.909151] kasan_report+0xc5/0x100<br /> [ 3.909539] kasan_check_range+0xf3/0x1a0<br /> [ 3.909794] memcpy+0x1f/0x60<br /> [ 3.909968] nla_put+0xa9/0xe0<br /> [ 3.910147] tunnel_key_dump+0x945/0xba0<br /> [ 3.911536] tcf_action_dump_1+0x1c1/0x340<br /> [ 3.912436] tcf_action_dump+0x101/0x180<br /> [ 3.912689] tcf_exts_dump+0x164/0x1e0<br /> [ 3.912905] fw_dump+0x18b/0x2d0<br /> [ 3.913483] tcf_fill_node+0x2ee/0x460<br /> [ 3.914778] tfilter_notify+0xf4/0x180<br /> [ 3.915208] tc_new_tfilter+0xd51/0x10d0<br /> [ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560<br /> [ 3.919118] netlink_rcv_skb+0xcd/0x200<br /> [ 3.919787] netlink_unicast+0x395/0x530<br /> [ 3.921032] netlink_sendmsg+0x3d0/0x6d0<br /> [ 3.921987] __sock_sendmsg+0x99/0xa0<br /> [ 3.922220] __sys_sendto+0x1b7/0x240<br /> [ 3.922682] __x64_sys_sendto+0x72/0x90<br /> [ 3.922906] do_syscall_64+0x5e/0x90<br /> [ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8<br /> [ 3.924122] RIP: 0033:0x7e83eab84407<br /> [ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf<br /> [ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c<br /> [ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407<br /> [ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003<br /> [ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c<br /> [ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0<br /> [ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8<br /> <br /> Fix these issues by enforing correct length condition in related<br /> policies.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: add bounds check for durable handle context<br /> <br /> Add missing bounds check for durable handle context.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: add bounds check for create lease context<br /> <br /> Add missing bounds check for create lease context.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> acpi: nfit: fix narrowing conversion in acpi_nfit_ctl<br /> <br /> Syzkaller has reported a warning in to_nfit_bus_uuid(): "only secondary<br /> bus families can be translated". This warning is emited if the argument<br /> is equal to NVDIMM_BUS_FAMILY_NFIT == 0. Function acpi_nfit_ctl() first<br /> verifies that a user-provided value call_pkg-&gt;nd_family of type u64 is<br /> not equal to 0. Then the value is converted to int, and only after that<br /> is compared to NVDIMM_BUS_FAMILY_MAX. This can lead to passing an invalid<br /> argument to acpi_nfit_ctl(), if call_pkg-&gt;nd_family is non-zero, while<br /> the lower 32 bits are zero.<br /> <br /> Furthermore, it is best to return EINVAL immediately upon seeing the<br /> invalid user input. The WARNING is insufficient to prevent further<br /> undefined behavior based on other invalid user input.<br /> <br /> All checks of the input value should be applied to the original variable<br /> call_pkg-&gt;nd_family.<br /> <br /> [iweiny: update commit message]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs<br /> <br /> On the following path, flush_tlb_range() can be used for zapping normal<br /> PMD entries (PMD entries that point to page tables) together with the PTE<br /> entries in the pointed-to page table:<br /> <br /> collapse_pte_mapped_thp<br /> pmdp_collapse_flush<br /> flush_tlb_range<br /> <br /> The arm64 version of flush_tlb_range() has a comment describing that it can<br /> be used for page table removal, and does not use any last-level<br /> invalidation optimizations. Fix the X86 version by making it behave the<br /> same way.<br /> <br /> Currently, X86 only uses this information for the following two purposes,<br /> which I think means the issue doesn&amp;#39;t have much impact:<br /> <br /> - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be<br /> IPI&amp;#39;d to avoid issues with speculative page table walks.<br /> - In Hyper-V TLB paravirtualization, again for lazy TLB stuff.<br /> <br /> The patch "x86/mm: only invalidate final translations with INVLPGB" which<br /> is currently under review (see<br /> )<br /> would probably be making the impact of this a lot worse.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/gup: reject FOLL_SPLIT_PMD with hugetlb VMAs<br /> <br /> Patch series "mm: fixes for device-exclusive entries (hmm)", v2.<br /> <br /> Discussing the PageTail() call in make_device_exclusive_range() with<br /> Willy, I recently discovered [1] that device-exclusive handling does not<br /> properly work with THP, making the hmm-tests selftests fail if THPs are<br /> enabled on the system.<br /> <br /> Looking into more details, I found that hugetlb is not properly fenced,<br /> and I realized that something that was bugging me for longer -- how<br /> device-exclusive entries interact with mapcounts -- completely breaks<br /> migration/swapout/split/hwpoison handling of these folios while they have<br /> device-exclusive PTEs.<br /> <br /> The program below can be used to allocate 1 GiB worth of pages and making<br /> them device-exclusive on a kernel with CONFIG_TEST_HMM.<br /> <br /> Once they are device-exclusive, these folios cannot get swapped out<br /> (proc$pid/smaps_rollup will always indicate 1 GiB RSS no matter how much<br /> one forces memory reclaim), and when having a memory block onlined to<br /> ZONE_MOVABLE, trying to offline it will loop forever and complain about<br /> failed migration of a page that should be movable.<br /> <br /> # echo offline &gt; /sys/devices/system/memory/memory136/state<br /> # echo online_movable &gt; /sys/devices/system/memory/memory136/state<br /> # ./hmm-swap &amp;<br /> ... wait until everything is device-exclusive<br /> # echo offline &gt; /sys/devices/system/memory/memory136/state<br /> [ 285.193431][T14882] page: refcount:2 mapcount:0 mapping:0000000000000000<br /> index:0x7f20671f7 pfn:0x442b6a<br /> [ 285.196618][T14882] memcg:ffff888179298000<br /> [ 285.198085][T14882] anon flags: 0x5fff0000002091c(referenced|uptodate|<br /> dirty|active|owner_2|swapbacked|node=1|zone=3|lastcpupid=0x7ff)<br /> [ 285.201734][T14882] raw: ...<br /> [ 285.204464][T14882] raw: ...<br /> [ 285.207196][T14882] page dumped because: migration failure<br /> [ 285.209072][T14882] page_owner tracks the page as allocated<br /> [ 285.210915][T14882] page last allocated via order 0, migratetype<br /> Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO),<br /> id 14926, tgid 14926 (hmm-swap), ts 254506295376, free_ts 227402023774<br /> [ 285.216765][T14882] post_alloc_hook+0x197/0x1b0<br /> [ 285.218874][T14882] get_page_from_freelist+0x76e/0x3280<br /> [ 285.220864][T14882] __alloc_frozen_pages_noprof+0x38e/0x2740<br /> [ 285.223302][T14882] alloc_pages_mpol+0x1fc/0x540<br /> [ 285.225130][T14882] folio_alloc_mpol_noprof+0x36/0x340<br /> [ 285.227222][T14882] vma_alloc_folio_noprof+0xee/0x1a0<br /> [ 285.229074][T14882] __handle_mm_fault+0x2b38/0x56a0<br /> [ 285.230822][T14882] handle_mm_fault+0x368/0x9f0<br /> ...<br /> <br /> This series fixes all issues I found so far. There is no easy way to fix<br /> without a bigger rework/cleanup. I have a bunch of cleanups on top (some<br /> previous sent, some the result of the discussion in v1) that I will send<br /> out separately once this landed and I get to it.<br /> <br /> I wish we could just use some special present PROT_NONE PTEs instead of<br /> these (non-present, non-none) fake-swap entries; but that just results in<br /> the same problem we keep having (lack of spare PTE bits), and staring at<br /> other similar fake-swap entries, that ship has sailed.<br /> <br /> With this series, make_device_exclusive() doesn&amp;#39;t actually belong into<br /> mm/rmap.c anymore, but I&amp;#39;ll leave moving that for another day.<br /> <br /> I only tested this series with the hmm-tests selftests due to lack of HW,<br /> so I&amp;#39;d appreciate some testing, especially if the interaction between two<br /> GPUs wanting a device-exclusive entry works as expected.<br /> <br /> <br /> #include <br /> #include <br /> #include <br /> #include <br /> #include <br /> #include <br /> #include <br /> #include <br /> #include <br /> #include <br /> <br /> #define HMM_DMIRROR_EXCLUSIVE _IOWR(&amp;#39;H&amp;#39;, 0x05, struct hmm_dmirror_cmd)<br /> <br /> struct hmm_dmirror_cmd {<br /> __u64 addr;<br /> __u64 ptr;<br /> __u64 npages;<br /> __u64 cpages;<br /> __u64 faults;<br /> };<br /> <br /> const size_t size = 1 * 1024 * 1024 * 1024ul;<br /> const size_t chunk_size = 2 * 1024 * 1024ul;<br /> <br /> int m<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> exfat: fix random stack corruption after get_block<br /> <br /> When get_block is called with a buffer_head allocated on the stack, such<br /> as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in<br /> the following race condition situation.<br /> <br /> <br /> mpage_read_folio<br /> <br /> do_mpage_readpage<br /> exfat_get_block<br /> bh_read<br /> __bh_read<br /> get_bh(bh)<br /> submit_bh<br /> wait_on_buffer<br /> ...<br /> end_buffer_read_sync<br /> __end_buffer_read_notouch<br /> unlock_buffer<br /> <br /> ...<br /> ...<br /> ...<br /> ...<br /> <br /> .<br /> .<br /> another_function<br /> <br /> put_bh(bh)<br /> atomic_dec(bh-&gt;b_count)<br /> * stack corruption here *<br /> <br /> This patch returns -EAGAIN if a folio does not have buffers when bh_read<br /> needs to be called. By doing this, the caller can fallback to functions<br /> like block_read_full_folio(), create a buffer_head in the folio, and then<br /> call get_block again.<br /> <br /> Let&amp;#39;s do not call bh_read() with on-stack buffer_head.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix null pointer dereference in alloc_preauth_hash()<br /> <br /> The Client send malformed smb2 negotiate request. ksmbd return error<br /> response. Subsequently, the client can send smb2 session setup even<br /> thought conn-&gt;preauth_info is not allocated.<br /> This patch add KSMBD_SESS_NEED_SETUP status of connection to ignore<br /> session setup request if smb2 negotiate phase is not complete.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix overflow in dacloffset bounds check<br /> <br /> The dacloffset field was originally typed as int and used in an<br /> unchecked addition, which could overflow and bypass the existing<br /> bounds check in both smb_check_perm_dacl() and smb_inherit_dacl().<br /> <br /> This could result in out-of-bounds memory access and a kernel crash<br /> when dereferencing the DACL pointer.<br /> <br /> This patch converts dacloffset to unsigned int and uses<br /> check_add_overflow() to validate access to the DACL.