Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: goto right label &amp;#39;out_mmap_sem&amp;#39; in ext4_setattr()<br /> <br /> Otherwise, if ext4_inode_attach_jinode() fails, a hung task will<br /> happen because filemap_invalidate_unlock() isn&amp;#39;t called to unlock<br /> mapping-&gt;invalidate_lock. Like this:<br /> <br /> EXT4-fs error (device sda) in ext4_setattr:5557: Out of memory<br /> INFO: task fsstress:374 blocked for more than 122 seconds.<br /> Not tainted 6.14.0-rc1-next-20250206-xfstests-dirty #726<br /> "echo 0 &gt; /proc/sys/kernel/hung_task_timeout_secs" disables this message.<br /> task:fsstress state:D stack:0 pid:374 tgid:374 ppid:373<br /> task_flags:0x440140 flags:0x00000000<br /> Call Trace:<br /> <br /> __schedule+0x2c9/0x7f0<br /> schedule+0x27/0xa0<br /> schedule_preempt_disabled+0x15/0x30<br /> rwsem_down_read_slowpath+0x278/0x4c0<br /> down_read+0x59/0xb0<br /> page_cache_ra_unbounded+0x65/0x1b0<br /> filemap_get_pages+0x124/0x3e0<br /> filemap_read+0x114/0x3d0<br /> vfs_read+0x297/0x360<br /> ksys_read+0x6c/0xe0<br /> do_syscall_64+0x4b/0x110<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: cfg80211: init wiphy_work before allocating rfkill fails<br /> <br /> syzbort reported a uninitialize wiphy_work_lock in cfg80211_dev_free. [1]<br /> <br /> After rfkill allocation fails, the wiphy release process will be performed,<br /> which will cause cfg80211_dev_free to access the uninitialized wiphy_work<br /> related data.<br /> <br /> Move the initialization of wiphy_work to before rfkill initialization to<br /> avoid this issue.<br /> <br /> [1]<br /> INFO: trying to register non-static key.<br /> The code is fine but needs lockdep annotation, or maybe<br /> you didn&amp;#39;t initialize this object before use?<br /> turning off the locking correctness validator.<br /> CPU: 0 UID: 0 PID: 5935 Comm: syz-executor550 Not tainted 6.14.0-rc6-syzkaller-00103-g4003c9e78778 #0<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120<br /> assign_lock_key kernel/locking/lockdep.c:983 [inline]<br /> register_lock_class+0xc39/0x1240 kernel/locking/lockdep.c:1297<br /> __lock_acquire+0x135/0x3c40 kernel/locking/lockdep.c:5103<br /> lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5851<br /> __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]<br /> _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162<br /> cfg80211_dev_free+0x30/0x3d0 net/wireless/core.c:1196<br /> device_release+0xa1/0x240 drivers/base/core.c:2568<br /> kobject_cleanup lib/kobject.c:689 [inline]<br /> kobject_release lib/kobject.c:720 [inline]<br /> kref_put include/linux/kref.h:65 [inline]<br /> kobject_put+0x1e4/0x5a0 lib/kobject.c:737<br /> put_device+0x1f/0x30 drivers/base/core.c:3774<br /> wiphy_free net/wireless/core.c:1224 [inline]<br /> wiphy_new_nm+0x1c1f/0x2160 net/wireless/core.c:562<br /> ieee80211_alloc_hw_nm+0x1b7a/0x2260 net/mac80211/main.c:835<br /> mac80211_hwsim_new_radio+0x1d6/0x54e0 drivers/net/wireless/virtual/mac80211_hwsim.c:5185<br /> hwsim_new_radio_nl+0xb42/0x12b0 drivers/net/wireless/virtual/mac80211_hwsim.c:6242<br /> genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115<br /> genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]<br /> genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210<br /> netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2533<br /> genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]<br /> netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1338<br /> netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1882<br /> sock_sendmsg_nosec net/socket.c:718 [inline]<br /> __sock_sendmsg net/socket.c:733 [inline]<br /> ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2573<br /> ___sys_sendmsg+0x135/0x1e0 net/socket.c:2627<br /> __sys_sendmsg+0x16e/0x220 net/socket.c:2659<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83<br /> <br /> Close: https://syzkaller.appspot.com/bug?extid=aaf0488c83d1d5f4f029

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.<br /> <br /> SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to<br /> br_ioctl_call(), which causes unnecessary RTNL dance and the splat<br /> below [0] under RTNL pressure.<br /> <br /> Let&amp;#39;s say Thread A is trying to detach a device from a bridge and<br /> Thread B is trying to remove the bridge.<br /> <br /> In dev_ioctl(), Thread A bumps the bridge device&amp;#39;s refcnt by<br /> netdev_hold() and releases RTNL because the following br_ioctl_call()<br /> also re-acquires RTNL.<br /> <br /> In the race window, Thread B could acquire RTNL and try to remove<br /> the bridge device. Then, rtnl_unlock() by Thread B will release RTNL<br /> and wait for netdev_put() by Thread A.<br /> <br /> Thread A, however, must hold RTNL after the unlock in dev_ifsioc(),<br /> which may take long under RTNL pressure, resulting in the splat by<br /> Thread B.<br /> <br /> Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR)<br /> ---------------------- ----------------------<br /> sock_ioctl sock_ioctl<br /> `- sock_do_ioctl `- br_ioctl_call<br /> `- dev_ioctl `- br_ioctl_stub<br /> |- rtnl_lock |<br /> |- dev_ifsioc &amp;#39;<br /> &amp;#39; |- dev = __dev_get_by_name(...)<br /> |- netdev_hold(dev, ...) .<br /> / |- rtnl_unlock ------. |<br /> | |- br_ioctl_call `---&gt; |- rtnl_lock<br /> Race | | `- br_ioctl_stub |- br_del_bridge<br /> Window | | | |- dev = __dev_get_by_name(...)<br /> | | | May take long | `- br_dev_delete(dev, ...)<br /> | | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...)<br /> | | | | `- rtnl_unlock<br /> \ | |- rtnl_lock

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix block group refcount race in btrfs_create_pending_block_groups()<br /> <br /> Block group creation is done in two phases, which results in a slightly<br /> unintuitive property: a block group can be allocated/deallocated from<br /> after btrfs_make_block_group() adds it to the space_info with<br /> btrfs_add_bg_to_space_info(), but before creation is completely completed<br /> in btrfs_create_pending_block_groups(). As a result, it is possible for a<br /> block group to go unused and have &amp;#39;btrfs_mark_bg_unused&amp;#39; called on it<br /> concurrently with &amp;#39;btrfs_create_pending_block_groups&amp;#39;. This causes a<br /> number of issues, which were fixed with the block group flag<br /> &amp;#39;BLOCK_GROUP_FLAG_NEW&amp;#39;.<br /> <br /> However, this fix is not quite complete. Since it does not use the<br /> unused_bg_lock, it is possible for the following race to occur:<br /> <br /> btrfs_create_pending_block_groups btrfs_mark_bg_unused<br /> if list_empty // false<br /> list_del_init<br /> clear_bit<br /> else if (test_bit) // true<br /> list_move_tail<br /> <br /> And we get into the exact same broken ref count and invalid new_bgs<br /> state for transaction cleanup that BLOCK_GROUP_FLAG_NEW was designed to<br /> prevent.<br /> <br /> The broken refcount aspect will result in a warning like:<br /> <br /> [1272.943527] refcount_t: underflow; use-after-free.<br /> [1272.943967] WARNING: CPU: 1 PID: 61 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110<br /> [1272.944731] Modules linked in: btrfs virtio_net xor zstd_compress raid6_pq null_blk [last unloaded: btrfs]<br /> [1272.945550] CPU: 1 UID: 0 PID: 61 Comm: kworker/u32:1 Kdump: loaded Tainted: G W 6.14.0-rc5+ #108<br /> [1272.946368] Tainted: [W]=WARN<br /> [1272.946585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014<br /> [1272.947273] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs]<br /> [1272.947788] RIP: 0010:refcount_warn_saturate+0xba/0x110<br /> [1272.949532] RSP: 0018:ffffbf1200247df0 EFLAGS: 00010282<br /> [1272.949901] RAX: 0000000000000000 RBX: ffffa14b00e3f800 RCX: 0000000000000000<br /> [1272.950437] RDX: 0000000000000000 RSI: ffffbf1200247c78 RDI: 00000000ffffdfff<br /> [1272.950986] RBP: ffffa14b00dc2860 R08: 00000000ffffdfff R09: ffffffff90526268<br /> [1272.951512] R10: ffffffff904762c0 R11: 0000000063666572 R12: ffffa14b00dc28c0<br /> [1272.952024] R13: 0000000000000000 R14: ffffa14b00dc2868 R15: 000001285dcd12c0<br /> [1272.952850] FS: 0000000000000000(0000) GS:ffffa14d33c40000(0000) knlGS:0000000000000000<br /> [1272.953458] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [1272.953931] CR2: 00007f838cbda000 CR3: 000000010104e000 CR4: 00000000000006f0<br /> [1272.954474] Call Trace:<br /> [1272.954655] <br /> [1272.954812] ? refcount_warn_saturate+0xba/0x110<br /> [1272.955173] ? __warn.cold+0x93/0xd7<br /> [1272.955487] ? refcount_warn_saturate+0xba/0x110<br /> [1272.955816] ? report_bug+0xe7/0x120<br /> [1272.956103] ? handle_bug+0x53/0x90<br /> [1272.956424] ? exc_invalid_op+0x13/0x60<br /> [1272.956700] ? asm_exc_invalid_op+0x16/0x20<br /> [1272.957011] ? refcount_warn_saturate+0xba/0x110<br /> [1272.957399] btrfs_discard_cancel_work.cold+0x26/0x2b [btrfs]<br /> [1272.957853] btrfs_put_block_group.cold+0x5d/0x8e [btrfs]<br /> [1272.958289] btrfs_discard_workfn+0x194/0x380 [btrfs]<br /> [1272.958729] process_one_work+0x130/0x290<br /> [1272.959026] worker_thread+0x2ea/0x420<br /> [1272.959335] ? __pfx_worker_thread+0x10/0x10<br /> [1272.959644] kthread+0xd7/0x1c0<br /> [1272.959872] ? __pfx_kthread+0x10/0x10<br /> [1272.960172] ret_from_fork+0x30/0x50<br /> [1272.960474] ? __pfx_kthread+0x10/0x10<br /> [1272.960745] ret_from_fork_asm+0x1a/0x30<br /> [1272.961035] <br /> [1272.961238] ---[ end trace 0000000000000000 ]---<br /> <br /> Though we have seen them in the async discard workfn as well. It is<br /> most likely to happen after a relocation finishes which cancels discard,<br /> tears down the block group, etc.<br /> <br /> Fix this fully by taking the lock arou<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: don&amp;#39;t clobber ret in btrfs_validate_super()<br /> <br /> Commit 2a9bb78cfd36 ("btrfs: validate system chunk array at<br /> btrfs_validate_super()") introduces a call to validate_sys_chunk_array()<br /> in btrfs_validate_super(), which clobbers the value of ret set earlier.<br /> This has the effect of negating the validity checks done earlier, making<br /> it so btrfs could potentially try to mount invalid filesystems.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> eth: bnxt: fix out-of-range access of vnic_info array<br /> <br /> The bnxt_queue_{start | stop}() access vnic_info as much as allocated,<br /> which indicates bp-&gt;nr_vnics.<br /> So, it should not reach bp-&gt;vnic_info[bp-&gt;nr_vnics].

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: avoid journaling sb update on error if journal is destroying<br /> <br /> Presently we always BUG_ON if trying to start a transaction on a journal marked<br /> with JBD2_UNMOUNT, since this should never happen. However, while ltp running<br /> stress tests, it was observed that in case of some error handling paths, it is<br /> possible for update_super_work to start a transaction after the journal is<br /> destroyed eg:<br /> <br /> (umount)<br /> ext4_kill_sb<br /> kill_block_super<br /> generic_shutdown_super<br /> sync_filesystem /* commits all txns */<br /> evict_inodes<br /> /* might start a new txn */<br /> ext4_put_super<br /> flush_work(&amp;sbi-&gt;s_sb_upd_work) /* flush the workqueue */<br /> jbd2_journal_destroy<br /> journal_kill_thread<br /> journal-&gt;j_flags |= JBD2_UNMOUNT;<br /> jbd2_journal_commit_transaction<br /> jbd2_journal_get_descriptor_buffer<br /> jbd2_journal_bmap<br /> ext4_journal_bmap<br /> ext4_map_blocks<br /> ...<br /> ext4_inode_error<br /> ext4_handle_error<br /> schedule_work(&amp;sbi-&gt;s_sb_upd_work)<br /> <br /> /* work queue kicks in */<br /> update_super_work<br /> jbd2_journal_start<br /> start_this_handle<br /> BUG_ON(journal-&gt;j_flags &amp;<br /> JBD2_UNMOUNT)<br /> <br /> Hence, introduce a new mount flag to indicate journal is destroying and only do<br /> a journaled (and deferred) update of sb if this flag is not set. Otherwise, just<br /> fallback to an un-journaled commit.<br /> <br /> Further, in the journal destroy path, we have the following sequence:<br /> <br /> 1. Set mount flag indicating journal is destroying<br /> 2. force a commit and wait for it<br /> 3. flush pending sb updates<br /> <br /> This sequence is important as it ensures that, after this point, there is no sb<br /> update that might be journaled so it is safe to update the sb outside the<br /> journal. (To avoid race discussed in 2d01ddc86606)<br /> <br /> Also, we don&amp;#39;t need a similar check in ext4_grp_locked_error since it is only<br /> called from mballoc and AFAICT it would be always valid to schedule work here.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nfnetlink_queue: Initialize ctx to avoid memory allocation error<br /> <br /> It is possible that ctx in nfqnl_build_packet_message() could be used<br /> before it is properly initialize, which is only initialized<br /> by nfqnl_get_sk_secctx().<br /> <br /> This patch corrects this problem by initializing the lsmctx to a safe<br /> value when it is declared.<br /> <br /> This is similar to the commit 35fcac7a7c25<br /> ("audit: Initialize lsmctx to avoid memory allocation error").

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ax25: Remove broken autobind<br /> <br /> Binding AX25 socket by using the autobind feature leads to memory leaks<br /> in ax25_connect() and also refcount leaks in ax25_release(). Memory<br /> leak was detected with kmemleak:<br /> <br /> ================================================================<br /> unreferenced object 0xffff8880253cd680 (size 96):<br /> backtrace:<br /> __kmalloc_node_track_caller_noprof (./include/linux/kmemleak.h:43)<br /> kmemdup_noprof (mm/util.c:136)<br /> ax25_rt_autobind (net/ax25/ax25_route.c:428)<br /> ax25_connect (net/ax25/af_ax25.c:1282)<br /> __sys_connect_file (net/socket.c:2045)<br /> __sys_connect (net/socket.c:2064)<br /> __x64_sys_connect (net/socket.c:2067)<br /> do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)<br /> ================================================================<br /> <br /> When socket is bound, refcounts must be incremented the way it is done<br /> in ax25_bind() and ax25_setsockopt() (SO_BINDTODEVICE). In case of<br /> autobind, the refcounts are not incremented.<br /> <br /> This bug leads to the following issue reported by Syzkaller:<br /> <br /> ================================================================<br /> ax25_connect(): syz-executor318 uses autobind, please contact jreuter@yaina.de<br /> ------------[ cut here ]------------<br /> refcount_t: decrement hit 0; leaking memory.<br /> WARNING: CPU: 0 PID: 5317 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 5317 Comm: syz-executor318 Not tainted 6.14.0-rc4-syzkaller-00278-gece144f151ac #0<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br /> RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31<br /> ...<br /> Call Trace:<br /> <br /> __refcount_dec include/linux/refcount.h:336 [inline]<br /> refcount_dec include/linux/refcount.h:351 [inline]<br /> ref_tracker_free+0x6af/0x7e0 lib/ref_tracker.c:236<br /> netdev_tracker_free include/linux/netdevice.h:4302 [inline]<br /> netdev_put include/linux/netdevice.h:4319 [inline]<br /> ax25_release+0x368/0x960 net/ax25/af_ax25.c:1080<br /> __sock_release net/socket.c:647 [inline]<br /> sock_close+0xbc/0x240 net/socket.c:1398<br /> __fput+0x3e9/0x9f0 fs/file_table.c:464<br /> __do_sys_close fs/open.c:1580 [inline]<br /> __se_sys_close fs/open.c:1565 [inline]<br /> __x64_sys_close+0x7f/0x110 fs/open.c:1565<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> ...<br /> <br /> ================================================================<br /> <br /> Considering the issues above and the comments left in the code that say:<br /> "check if we can remove this feature. It is broken."; "autobinding in this<br /> may or may not work"; - it is better to completely remove this feature than<br /> to fix it because it is broken and leads to various kinds of memory bugs.<br /> <br /> Now calling connect() without first binding socket will result in an<br /> error (-EINVAL). Userspace software that relies on the autobind feature<br /> might get broken. However, this feature does not seem widely used with<br /> this specific driver as it was not reliable at any point of time, and it<br /> is already broken anyway. E.g. ax25-tools and ax25-apps packages for<br /> popular distributions do not use the autobind feature for AF_AX25.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bnxt_en: Mask the bd_cnt field in the TX BD properly<br /> <br /> The bd_cnt field in the TX BD specifies the total number of BDs for<br /> the TX packet. The bd_cnt field has 5 bits and the maximum number<br /> supported is 32 with the value 0.<br /> <br /> CONFIG_MAX_SKB_FRAGS can be modified and the total number of SKB<br /> fragments can approach or exceed the maximum supported by the chip.<br /> Add a macro to properly mask the bd_cnt field so that the value 32<br /> will be properly masked and set to 0 in the bd_cnd field.<br /> <br /> Without this patch, the out-of-range bd_cnt value will corrupt the<br /> TX BD and may cause TX timeout.<br /> <br /> The next patch will check for values exceeding 32.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> idpf: check error for register_netdev() on init<br /> <br /> Current init logic ignores the error code from register_netdev(),<br /> which will cause WARN_ON() on attempt to unregister it, if there was one,<br /> and there is no info for the user that the creation of the netdev failed.<br /> <br /> WARNING: CPU: 89 PID: 6902 at net/core/dev.c:11512 unregister_netdevice_many_notify+0x211/0x1a10<br /> ...<br /> [ 3707.563641] unregister_netdev+0x1c/0x30<br /> [ 3707.563656] idpf_vport_dealloc+0x5cf/0xce0 [idpf]<br /> [ 3707.563684] idpf_deinit_task+0xef/0x160 [idpf]<br /> [ 3707.563712] idpf_vc_core_deinit+0x84/0x320 [idpf]<br /> [ 3707.563739] idpf_remove+0xbf/0x780 [idpf]<br /> [ 3707.563769] pci_device_remove+0xab/0x1e0<br /> [ 3707.563786] device_release_driver_internal+0x371/0x530<br /> [ 3707.563803] driver_detach+0xbf/0x180<br /> [ 3707.563816] bus_remove_driver+0x11b/0x2a0<br /> [ 3707.563829] pci_unregister_driver+0x2a/0x250<br /> <br /> Introduce an error check and log the vport number and error code.<br /> On removal make sure to check VPORT_REG_NETDEV flag prior to calling<br /> unregister and free on the netdev.<br /> <br /> Add local variables for idx, vport_config and netdev for readability.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw()<br /> <br /> Fix using the untrusted value of proto-&gt;raw.pkt_len in function<br /> ice_vc_fdir_parse_raw() by verifying if it does not exceed the<br /> VIRTCHNL_MAX_SIZE_RAW_PACKET value.