Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm64/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()<br /> <br /> Fix a silly bug where an array was used outside of its scope.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization<br /> <br /> On Mediatek devices with a system companion processor (SCP) the mtk_scp<br /> structure has to be removed explicitly to avoid a resource leak.<br /> Free the structure in case the allocation of the firmware structure fails<br /> during the firmware initialization.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: stmmac: Fix accessing freed irq affinity_hint<br /> <br /> In stmmac_request_irq_multi_msi(), a pointer to the stack variable<br /> cpu_mask is passed to irq_set_affinity_hint(). This value is stored in<br /> irq_desc-&gt;affinity_hint, but once stmmac_request_irq_multi_msi()<br /> returns, the pointer becomes dangling.<br /> <br /> The affinity_hint is exposed via procfs with S_IRUGO permissions,<br /> allowing any unprivileged process to read it. Accessing this stale<br /> pointer can lead to:<br /> <br /> - a kernel oops or panic if the referenced memory has been released and<br /> unmapped, or<br /> - leakage of kernel data into userspace if the memory is re-used for<br /> other purposes.<br /> <br /> All platforms that use stmmac with PCI MSI (Intel, Loongson, etc) are<br /> affected.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix off-by-one error in do_split<br /> <br /> Syzkaller detected a use-after-free issue in ext4_insert_dentry that was<br /> caused by out-of-bounds access due to incorrect splitting in do_split.<br /> <br /> BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109<br /> Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847<br /> <br /> CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:377 [inline]<br /> print_report+0x169/0x550 mm/kasan/report.c:488<br /> kasan_report+0x143/0x180 mm/kasan/report.c:601<br /> kasan_check_range+0x282/0x290 mm/kasan/generic.c:189<br /> __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106<br /> ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109<br /> add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154<br /> make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351<br /> ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455<br /> ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796<br /> ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431<br /> vfs_symlink+0x137/0x2e0 fs/namei.c:4615<br /> do_symlinkat+0x222/0x3a0 fs/namei.c:4641<br /> __do_sys_symlink fs/namei.c:4662 [inline]<br /> __se_sys_symlink fs/namei.c:4660 [inline]<br /> __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> <br /> The following loop is located right above &amp;#39;if&amp;#39; statement.<br /> <br /> for (i = count-1; i &gt;= 0; i--) {<br /> /* is more than half of this entry in 2nd half of the block? */<br /> if (size + map[i].size/2 &gt; blocksize/2)<br /> break;<br /> size += map[i].size;<br /> move++;<br /> }<br /> <br /> &amp;#39;i&amp;#39; in this case could go down to -1, in which case sum of active entries<br /> wouldn&amp;#39;t exceed half the block size, but previous behaviour would also do<br /> split in half if sum would exceed at the very last block, which in case of<br /> having too many long name files in a single block could lead to<br /> out-of-bounds access and following use-after-free.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()<br /> <br /> soc_dev_attr-&gt;revision could be NULL, thus,<br /> a pointer check is added to prevent potential NULL pointer dereference.<br /> This is similar to the fix in commit 3027e7b15b02<br /> ("ice: Fix some null pointer dereference issues in ice_ptp.c").<br /> <br /> This issue is found by our static analysis tool.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i3c: Add NULL pointer check in i3c_master_queue_ibi()<br /> <br /> The I3C master driver may receive an IBI from a target device that has not<br /> been probed yet. In such cases, the master calls `i3c_master_queue_ibi()`<br /> to queue an IBI work task, leading to "Unable to handle kernel read from<br /> unreadable memory" and resulting in a kernel panic.<br /> <br /> Typical IBI handling flow:<br /> 1. The I3C master scans target devices and probes their respective drivers.<br /> 2. The target device driver calls `i3c_device_request_ibi()` to enable IBI<br /> and assigns `dev-&gt;ibi = ibi`.<br /> 3. The I3C master receives an IBI from the target device and calls<br /> `i3c_master_queue_ibi()` to queue the target device driver’s IBI<br /> handler task.<br /> <br /> However, since target device events are asynchronous to the I3C probe<br /> sequence, step 3 may occur before step 2, causing `dev-&gt;ibi` to be `NULL`,<br /> leading to a kernel panic.<br /> <br /> Add a NULL pointer check in `i3c_master_queue_ibi()` to prevent accessing<br /> an uninitialized `dev-&gt;ibi`, ensuring stability.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mfd: ene-kb3930: Fix a potential NULL pointer dereference<br /> <br /> The off_gpios could be NULL. Add missing check in the kb3930_probe().<br /> This is similar to the issue fixed in commit b1ba8bcb2d1f<br /> ("backlight: hx8357: Fix potential NULL pointer dereference").<br /> <br /> This was detected by our static analysis tool.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: fix NULL pointer in can_accept_new_subflow<br /> <br /> When testing valkey benchmark tool with MPTCP, the kernel panics in<br /> &amp;#39;mptcp_can_accept_new_subflow&amp;#39; because subflow_req-&gt;msk is NULL.<br /> <br /> Call trace:<br /> <br /> mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)<br /> subflow_syn_recv_sock (./net/mptcp/subflow.c:854)<br /> tcp_check_req (./net/ipv4/tcp_minisocks.c:863)<br /> tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)<br /> ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)<br /> ip_local_deliver_finish (./net/ipv4/ip_input.c:234)<br /> ip_local_deliver (./net/ipv4/ip_input.c:254)<br /> ip_rcv_finish (./net/ipv4/ip_input.c:449)<br /> ...<br /> <br /> According to the debug log, the same req received two SYN-ACK in a very<br /> short time, very likely because the client retransmits the syn ack due<br /> to multiple reasons.<br /> <br /> Even if the packets are transmitted with a relevant time interval, they<br /> can be processed by the server on different CPUs concurrently). The<br /> &amp;#39;subflow_req-&gt;msk&amp;#39; ownership is transferred to the subflow the first,<br /> and there will be a risk of a null pointer dereference here.<br /> <br /> This patch fixes this issue by moving the &amp;#39;subflow_req-&gt;msk&amp;#39; under the<br /> `own_req == true` conditional.<br /> <br /> Note that the !msk check in subflow_hmac_valid() can be dropped, because<br /> the same check already exists under the own_req mpj branch where the<br /> code has been moved to.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tpm: do not start chip while suspended<br /> <br /> Checking TPM_CHIP_FLAG_SUSPENDED after the call to tpm_find_get_ops() can<br /> lead to a spurious tpm_chip_start() call:<br /> <br /> [35985.503771] i2c i2c-1: Transfer while suspended<br /> [35985.503796] WARNING: CPU: 0 PID: 74 at drivers/i2c/i2c-core.h:56 __i2c_transfer+0xbe/0x810<br /> [35985.503802] Modules linked in:<br /> [35985.503808] CPU: 0 UID: 0 PID: 74 Comm: hwrng Tainted: G W 6.13.0-next-20250203-00005-gfa0cb5642941 #19 9c3d7f78192f2d38e32010ac9c90fdc71109ef6f<br /> [35985.503814] Tainted: [W]=WARN<br /> [35985.503817] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023<br /> [35985.503819] RIP: 0010:__i2c_transfer+0xbe/0x810<br /> [35985.503825] Code: 30 01 00 00 4c 89 f7 e8 40 fe d8 ff 48 8b 93 80 01 00 00 48 85 d2 75 03 49 8b 16 48 c7 c7 0a fb 7c a7 48 89 c6 e8 32 ad b0 fe 0b b8 94 ff ff ff e9 33 04 00 00 be 02 00 00 00 83 fd 02 0f 5<br /> [35985.503828] RSP: 0018:ffffa106c0333d30 EFLAGS: 00010246<br /> [35985.503833] RAX: 074ba64aa20f7000 RBX: ffff8aa4c1167120 RCX: 0000000000000000<br /> [35985.503836] RDX: 0000000000000000 RSI: ffffffffa77ab0e4 RDI: 0000000000000001<br /> [35985.503838] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000<br /> [35985.503841] R10: 0000000000000004 R11: 00000001000313d5 R12: ffff8aa4c10f1820<br /> [35985.503843] R13: ffff8aa4c0e243c0 R14: ffff8aa4c1167250 R15: ffff8aa4c1167120<br /> [35985.503846] FS: 0000000000000000(0000) GS:ffff8aa4eae00000(0000) knlGS:0000000000000000<br /> [35985.503849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [35985.503852] CR2: 00007fab0aaf1000 CR3: 0000000105328000 CR4: 00000000003506f0<br /> [35985.503855] Call Trace:<br /> [35985.503859] <br /> [35985.503863] ? __warn+0xd4/0x260<br /> [35985.503868] ? __i2c_transfer+0xbe/0x810<br /> [35985.503874] ? report_bug+0xf3/0x210<br /> [35985.503882] ? handle_bug+0x63/0xb0<br /> [35985.503887] ? exc_invalid_op+0x16/0x50<br /> [35985.503892] ? asm_exc_invalid_op+0x16/0x20<br /> [35985.503904] ? __i2c_transfer+0xbe/0x810<br /> [35985.503913] tpm_cr50_i2c_transfer_message+0x24/0xf0<br /> [35985.503920] tpm_cr50_i2c_read+0x8e/0x120<br /> [35985.503928] tpm_cr50_request_locality+0x75/0x170<br /> [35985.503935] tpm_chip_start+0x116/0x160<br /> [35985.503942] tpm_try_get_ops+0x57/0x90<br /> [35985.503948] tpm_find_get_ops+0x26/0xd0<br /> [35985.503955] tpm_get_random+0x2d/0x80<br /> <br /> Don&amp;#39;t move forward with tpm_chip_start() inside tpm_try_get_ops(), unless<br /> TPM_CHIP_FLAG_SUSPENDED is not set. tpm_find_get_ops() will return NULL in<br /> such a failure case.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> backlight: led_bl: Hold led_access lock when calling led_sysfs_disable()<br /> <br /> Lockdep detects the following issue on led-backlight removal:<br /> [ 142.315935] ------------[ cut here ]------------<br /> [ 142.315954] WARNING: CPU: 2 PID: 292 at drivers/leds/led-core.c:455 led_sysfs_enable+0x54/0x80<br /> ...<br /> [ 142.500725] Call trace:<br /> [ 142.503176] led_sysfs_enable+0x54/0x80 (P)<br /> [ 142.507370] led_bl_remove+0x80/0xa8 [led_bl]<br /> [ 142.511742] platform_remove+0x30/0x58<br /> [ 142.515501] device_remove+0x54/0x90<br /> ...<br /> <br /> Indeed, led_sysfs_enable() has to be called with the led_access<br /> lock held.<br /> <br /> Hold the lock when calling led_sysfs_disable().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sctp: detect and prevent references to a freed transport in sendmsg<br /> <br /> sctp_sendmsg() re-uses associations and transports when possible by<br /> doing a lookup based on the socket endpoint and the message destination<br /> address, and then sctp_sendmsg_to_asoc() sets the selected transport in<br /> all the message chunks to be sent.<br /> <br /> There&amp;#39;s a possible race condition if another thread triggers the removal<br /> of that selected transport, for instance, by explicitly unbinding an<br /> address with setsockopt(SCTP_SOCKOPT_BINDX_REM), after the chunks have<br /> been set up and before the message is sent. This can happen if the send<br /> buffer is full, during the period when the sender thread temporarily<br /> releases the socket lock in sctp_wait_for_sndbuf().<br /> <br /> This causes the access to the transport data in<br /> sctp_outq_select_transport(), when the association outqueue is flushed,<br /> to result in a use-after-free read.<br /> <br /> This change avoids this scenario by having sctp_transport_free() signal<br /> the freeing of the transport, tagging it as "dead". In order to do this,<br /> the patch restores the "dead" bit in struct sctp_transport, which was<br /> removed in<br /> commit 47faa1e4c50e ("sctp: remove the dead field of sctp_transport").<br /> <br /> Then, in the scenario where the sender thread has released the socket<br /> lock in sctp_wait_for_sndbuf(), the bit is checked again after<br /> re-acquiring the socket lock to detect the deletion. This is done while<br /> holding a reference to the transport to prevent it from being freed in<br /> the process.<br /> <br /> If the transport was deleted while the socket lock was relinquished,<br /> sctp_sendmsg_to_asoc() will return -EAGAIN to let userspace retry the<br /> send.<br /> <br /> The bug was found by a private syzbot instance (see the error report [1]<br /> and the C reproducer that triggers it [2]).

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.<br /> <br /> When I ran the repro [0] and waited a few seconds, I observed two<br /> LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1]<br /> <br /> Reproduction Steps:<br /> <br /> 1) Mount CIFS<br /> 2) Add an iptables rule to drop incoming FIN packets for CIFS<br /> 3) Unmount CIFS<br /> 4) Unload the CIFS module<br /> 5) Remove the iptables rule<br /> <br /> At step 3), the CIFS module calls sock_release() for the underlying<br /> TCP socket, and it returns quickly. However, the socket remains in<br /> FIN_WAIT_1 because incoming FIN packets are dropped.<br /> <br /> At this point, the module&amp;#39;s refcnt is 0 while the socket is still<br /> alive, so the following rmmod command succeeds.<br /> <br /> # ss -tan<br /> State Recv-Q Send-Q Local Address:Port Peer Address:Port<br /> FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445<br /> <br /> # lsmod | grep cifs<br /> cifs 1159168 0<br /> <br /> This highlights a discrepancy between the lifetime of the CIFS module<br /> and the underlying TCP socket. Even after CIFS calls sock_release()<br /> and it returns, the TCP socket does not die immediately in order to<br /> close the connection gracefully.<br /> <br /> While this is generally fine, it causes an issue with LOCKDEP because<br /> CIFS assigns a different lock class to the TCP socket&amp;#39;s sk-&gt;sk_lock<br /> using sock_lock_init_class_and_name().<br /> <br /> Once an incoming packet is processed for the socket or a timer fires,<br /> sk-&gt;sk_lock is acquired.<br /> <br /> Then, LOCKDEP checks the lock context in check_wait_context(), where<br /> hlock_class() is called to retrieve the lock class. However, since<br /> the module has already been unloaded, hlock_class() logs a warning<br /> and returns NULL, triggering the null-ptr-deref.<br /> <br /> If LOCKDEP is enabled, we must ensure that a module calling<br /> sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded<br /> while such a socket is still alive to prevent this issue.<br /> <br /> Let&amp;#39;s hold the module reference in sock_lock_init_class_and_name()<br /> and release it when the socket is freed in sk_prot_free().<br /> <br /> Note that sock_lock_init() clears sk-&gt;sk_owner for svc_create_socket()<br /> that calls sock_lock_init_class_and_name() for a listening socket,<br /> which clones a socket by sk_clone_lock() without GFP_ZERO.<br /> <br /> [0]:<br /> CIFS_SERVER="10.0.0.137"<br /> CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST"<br /> DEV="enp0s3"<br /> CRED="/root/WindowsCredential.txt"<br /> <br /> MNT=$(mktemp -d /tmp/XXXXXX)<br /> mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1<br /> <br /> iptables -A INPUT -s ${CIFS_SERVER} -j DROP<br /> <br /> for i in $(seq 10);<br /> do<br /> umount ${MNT}<br /> rmmod cifs<br /> sleep 1<br /> done<br /> <br /> rm -r ${MNT}<br /> <br /> iptables -D INPUT -s ${CIFS_SERVER} -j DROP<br /> <br /> [1]:<br /> DEBUG_LOCKS_WARN_ON(1)<br /> WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)<br /> Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]<br /> CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)<br /> ...<br /> Call Trace:<br /> <br /> __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178)<br /> lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816)<br /> _raw_spin_lock_nested (kernel/locking/spinlock.c:379)<br /> tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350)<br /> ...<br /> <br /> BUG: kernel NULL pointer dereference, address: 00000000000000c4<br /> PF: supervisor read access in kernel mode<br /> PF: error_code(0x0000) - not-present page<br /> PGD 0<br /> Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36<br /> Tainted: [W]=WARN<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:__lock_acquire (kernel/<br /> ---truncated---