Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: lapb: increase LAPB_HEADER_LEN<br /> <br /> It is unclear if net/lapb code is supposed to be ready for 8021q.<br /> <br /> We can at least avoid crashes like the following :<br /> <br /> skbuff: skb_under_panic: text:ffffffff8aabe1f6 len:24 put:20 head:ffff88802824a400 data:ffff88802824a3fe tail:0x16 end:0x140 dev:nr0.2<br /> ------------[ cut here ]------------<br /> kernel BUG at net/core/skbuff.c:206 !<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI<br /> CPU: 1 UID: 0 PID: 5508 Comm: dhcpcd Not tainted 6.12.0-rc7-syzkaller-00144-g66418447d27b #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024<br /> RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]<br /> RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216<br /> Code: 0d 8d 48 c7 c6 2e 9e 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 1a 6f 37 02 48 83 c4 20 90 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3<br /> RSP: 0018:ffffc90002ddf638 EFLAGS: 00010282<br /> RAX: 0000000000000086 RBX: dffffc0000000000 RCX: 7a24750e538ff600<br /> RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000<br /> RBP: ffff888034a86650 R08: ffffffff8174b13c R09: 1ffff920005bbe60<br /> R10: dffffc0000000000 R11: fffff520005bbe61 R12: 0000000000000140<br /> R13: ffff88802824a400 R14: ffff88802824a3fe R15: 0000000000000016<br /> FS: 00007f2a5990d740(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000110c2631fd CR3: 0000000029504000 CR4: 00000000003526f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> skb_push+0xe5/0x100 net/core/skbuff.c:2636<br /> nr_header+0x36/0x320 net/netrom/nr_dev.c:69<br /> dev_hard_header include/linux/netdevice.h:3148 [inline]<br /> vlan_dev_hard_header+0x359/0x480 net/8021q/vlan_dev.c:83<br /> dev_hard_header include/linux/netdevice.h:3148 [inline]<br /> lapbeth_data_transmit+0x1f6/0x2a0 drivers/net/wan/lapbether.c:257<br /> lapb_data_transmit+0x91/0xb0 net/lapb/lapb_iface.c:447<br /> lapb_transmit_buffer+0x168/0x1f0 net/lapb/lapb_out.c:149<br /> lapb_establish_data_link+0x84/0xd0<br /> lapb_device_event+0x4e0/0x670<br /> notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93<br /> __dev_notify_flags+0x207/0x400<br /> dev_change_flags+0xf0/0x1a0 net/core/dev.c:8922<br /> devinet_ioctl+0xa4e/0x1aa0 net/ipv4/devinet.c:1188<br /> inet_ioctl+0x3d7/0x4f0 net/ipv4/af_inet.c:1003<br /> sock_do_ioctl+0x158/0x460 net/socket.c:1227<br /> sock_ioctl+0x626/0x8e0 net/socket.c:1346<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:907 [inline]<br /> __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: DR, prevent potential error pointer dereference<br /> <br /> The dr_domain_add_vport_cap() function generally returns NULL on error<br /> but sometimes we want it to return ERR_PTR(-EBUSY) so the caller can<br /> retry. The problem here is that "ret" can be either -EBUSY or -ENOMEM<br /> and if it&amp;#39;s and -ENOMEM then the error pointer is propogated back and<br /> eventually dereferenced in dr_ste_v0_build_src_gvmi_qpn_tag().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tipc: fix NULL deref in cleanup_bearer()<br /> <br /> syzbot found [1] that after blamed commit, ub-&gt;ubsock-&gt;sk<br /> was NULL when attempting the atomic_dec() :<br /> <br /> atomic_dec(&amp;tipc_net(sock_net(ub-&gt;ubsock-&gt;sk))-&gt;wq_count);<br /> <br /> Fix this by caching the tipc_net pointer.<br /> <br /> [1]<br /> <br /> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI<br /> KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]<br /> CPU: 0 UID: 0 PID: 5896 Comm: kworker/0:3 Not tainted 6.13.0-rc1-next-20241203-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> Workqueue: events cleanup_bearer<br /> RIP: 0010:read_pnet include/net/net_namespace.h:387 [inline]<br /> RIP: 0010:sock_net include/net/sock.h:655 [inline]<br /> RIP: 0010:cleanup_bearer+0x1f7/0x280 net/tipc/udp_media.c:820<br /> Code: 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 3c f7 99 f6 48 8b 1b 48 83 c3 30 e8 f0 e4 60 00 48 89 d8 48 c1 e8 03 80 3c 28 00 74 08 48 89 df e8 1a f7 99 f6 49 83 c7 e8 48 8b 1b<br /> RSP: 0018:ffffc9000410fb70 EFLAGS: 00010206<br /> RAX: 0000000000000006 RBX: 0000000000000030 RCX: ffff88802fe45a00<br /> RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffc9000410f900<br /> RBP: ffff88807e1f0908 R08: ffffc9000410f907 R09: 1ffff92000821f20<br /> R10: dffffc0000000000 R11: fffff52000821f21 R12: ffff888031d19980<br /> R13: dffffc0000000000 R14: dffffc0000000000 R15: ffff88807e1f0918<br /> FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000556ca050b000 CR3: 0000000031c0c000 CR4: 00000000003526f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: Fix icmp host relookup triggering ip_rt_bug<br /> <br /> arp link failure may trigger ip_rt_bug while xfrm enabled, call trace is:<br /> <br /> WARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),<br /> BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:ip_rt_bug+0x14/0x20<br /> Call Trace:<br /> <br /> ip_send_skb+0x14/0x40<br /> __icmp_send+0x42d/0x6a0<br /> ipv4_link_failure+0xe2/0x1d0<br /> arp_error_report+0x3c/0x50<br /> neigh_invalidate+0x8d/0x100<br /> neigh_timer_handler+0x2e1/0x330<br /> call_timer_fn+0x21/0x120<br /> __run_timer_base.part.0+0x1c9/0x270<br /> run_timer_softirq+0x4c/0x80<br /> handle_softirqs+0xac/0x280<br /> irq_exit_rcu+0x62/0x80<br /> sysvec_apic_timer_interrupt+0x77/0x90<br /> <br /> The script below reproduces this scenario:<br /> ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \<br /> dir out priority 0 ptype main flag localok icmp<br /> ip l a veth1 type veth<br /> ip a a 192.168.141.111/24 dev veth0<br /> ip l s veth0 up<br /> ping 192.168.141.155 -c 1<br /> <br /> icmp_route_lookup() create input routes for locally generated packets<br /> while xfrm relookup ICMP traffic.Then it will set input route<br /> (dst-&gt;out = ip_rt_bug) to skb for DESTUNREACH.<br /> <br /> For ICMP err triggered by locally generated packets, dst-&gt;dev of output<br /> route is loopback. Generally, xfrm relookup verification is not required<br /> on loopback interfaces (net.ipv4.conf.lo.disable_xfrm = 1).<br /> <br /> Skip icmp relookup for locally generated packets to fix it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: enetc: Do not configure preemptible TCs if SIs do not support<br /> <br /> Both ENETC PF and VF drivers share enetc_setup_tc_mqprio() to configure<br /> MQPRIO. And enetc_setup_tc_mqprio() calls enetc_change_preemptible_tcs()<br /> to configure preemptible TCs. However, only PF is able to configure<br /> preemptible TCs. Because only PF has related registers, while VF does not<br /> have these registers. So for VF, its hw-&gt;port pointer is NULL. Therefore,<br /> VF will access an invalid pointer when accessing a non-existent register,<br /> which will cause a crash issue. The simplified log is as follows.<br /> <br /> root@ls1028ardb:~# tc qdisc add dev eno0vf0 parent root handle 100: \<br /> mqprio num_tc 4 map 0 0 1 1 2 2 3 3 queues 1@0 1@1 1@2 1@3 hw 1<br /> [ 187.290775] Unable to handle kernel paging request at virtual address 0000000000001f00<br /> [ 187.424831] pc : enetc_mm_commit_preemptible_tcs+0x1c4/0x400<br /> [ 187.430518] lr : enetc_mm_commit_preemptible_tcs+0x30c/0x400<br /> [ 187.511140] Call trace:<br /> [ 187.513588] enetc_mm_commit_preemptible_tcs+0x1c4/0x400<br /> [ 187.518918] enetc_setup_tc_mqprio+0x180/0x214<br /> [ 187.523374] enetc_vf_setup_tc+0x1c/0x30<br /> [ 187.527306] mqprio_enable_offload+0x144/0x178<br /> [ 187.531766] mqprio_init+0x3ec/0x668<br /> [ 187.535351] qdisc_create+0x15c/0x488<br /> [ 187.539023] tc_modify_qdisc+0x398/0x73c<br /> [ 187.542958] rtnetlink_rcv_msg+0x128/0x378<br /> [ 187.547064] netlink_rcv_skb+0x60/0x130<br /> [ 187.550910] rtnetlink_rcv+0x18/0x24<br /> [ 187.554492] netlink_unicast+0x300/0x36c<br /> [ 187.558425] netlink_sendmsg+0x1a8/0x420<br /> [ 187.606759] ---[ end trace 0000000000000000 ]---<br /> <br /> In addition, some PFs also do not support configuring preemptible TCs,<br /> such as eno1 and eno3 on LS1028A. It won&amp;#39;t crash like it does for VFs,<br /> but we should prevent these PFs from accessing these unimplemented<br /> registers.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dccp: Fix memory leak in dccp_feat_change_recv<br /> <br /> If dccp_feat_push_confirm() fails after new value for SP feature was accepted<br /> without reconciliation (&amp;#39;entry == NULL&amp;#39; branch), memory allocated for that value<br /> with dccp_feat_clone_sp_val() is never freed.<br /> <br /> Here is the kmemleak stack for this:<br /> <br /> unreferenced object 0xffff88801d4ab488 (size 8):<br /> comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s)<br /> hex dump (first 8 bytes):<br /> 01 b4 4a 1d 80 88 ff ff ..J.....<br /> backtrace:<br /> [] kmemdup+0x23/0x50 mm/util.c:128<br /> [] kmemdup include/linux/string.h:465 [inline]<br /> [] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline]<br /> [] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline]<br /> [] dccp_feat_change_recv net/dccp/feat.c:1145 [inline]<br /> [] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416<br /> [] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125<br /> [] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650<br /> [] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688<br /> [] sk_backlog_rcv include/net/sock.h:1041 [inline]<br /> [] __release_sock+0x139/0x3b0 net/core/sock.c:2570<br /> [] release_sock+0x54/0x1b0 net/core/sock.c:3111<br /> [] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline]<br /> [] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696<br /> [] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735<br /> [] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865<br /> [] __sys_connect+0x165/0x1a0 net/socket.c:1882<br /> [] __do_sys_connect net/socket.c:1892 [inline]<br /> [] __se_sys_connect net/socket.c:1889 [inline]<br /> [] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889<br /> [] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46<br /> [] entry_SYSCALL_64_after_hwframe+0x67/0xd1<br /> <br /> Clean up the allocated memory in case of dccp_feat_push_confirm() failure<br /> and bail out with an error reset code.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: j1939: j1939_session_new(): fix skb reference counting<br /> <br /> Since j1939_session_skb_queue() does an extra skb_get() for each new<br /> skb, do the same for the initial one in j1939_session_new() to avoid<br /> refcount underflow.<br /> <br /> [mkl: clean up commit message]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: hsr: avoid potential out-of-bound access in fill_frame_info()<br /> <br /> syzbot is able to feed a packet with 14 bytes, pretending<br /> it is a vlan one.<br /> <br /> Since fill_frame_info() is relying on skb-&gt;mac_len already,<br /> extend the check to cover this case.<br /> <br /> BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:709 [inline]<br /> BUG: KMSAN: uninit-value in hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724<br /> fill_frame_info net/hsr/hsr_forward.c:709 [inline]<br /> hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724<br /> hsr_dev_xmit+0x2f0/0x350 net/hsr/hsr_device.c:235<br /> __netdev_start_xmit include/linux/netdevice.h:5002 [inline]<br /> netdev_start_xmit include/linux/netdevice.h:5011 [inline]<br /> xmit_one net/core/dev.c:3590 [inline]<br /> dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3606<br /> __dev_queue_xmit+0x366a/0x57d0 net/core/dev.c:4434<br /> dev_queue_xmit include/linux/netdevice.h:3168 [inline]<br /> packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276<br /> packet_snd net/packet/af_packet.c:3146 [inline]<br /> packet_sendmsg+0x91ae/0xa6f0 net/packet/af_packet.c:3178<br /> sock_sendmsg_nosec net/socket.c:711 [inline]<br /> __sock_sendmsg+0x30f/0x380 net/socket.c:726<br /> __sys_sendto+0x594/0x750 net/socket.c:2197<br /> __do_sys_sendto net/socket.c:2204 [inline]<br /> __se_sys_sendto net/socket.c:2200 [inline]<br /> __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200<br /> x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Uninit was created at:<br /> slab_post_alloc_hook mm/slub.c:4091 [inline]<br /> slab_alloc_node mm/slub.c:4134 [inline]<br /> kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186<br /> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587<br /> __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678<br /> alloc_skb include/linux/skbuff.h:1323 [inline]<br /> alloc_skb_with_frags+0xc8/0xd00 net/core/skbuff.c:6612<br /> sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2881<br /> packet_alloc_skb net/packet/af_packet.c:2995 [inline]<br /> packet_snd net/packet/af_packet.c:3089 [inline]<br /> packet_sendmsg+0x74c6/0xa6f0 net/packet/af_packet.c:3178<br /> sock_sendmsg_nosec net/socket.c:711 [inline]<br /> __sock_sendmsg+0x30f/0x380 net/socket.c:726<br /> __sys_sendto+0x594/0x750 net/socket.c:2197<br /> __do_sys_sendto net/socket.c:2204 [inline]<br /> __se_sys_sendto net/socket.c:2200 [inline]<br /> __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200<br /> x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: x_tables: fix LED ID check in led_tg_check()<br /> <br /> Syzbot has reported the following BUG detected by KASAN:<br /> <br /> BUG: KASAN: slab-out-of-bounds in strlen+0x58/0x70<br /> Read of size 1 at addr ffff8881022da0c8 by task repro/5879<br /> ...<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x241/0x360<br /> ? __pfx_dump_stack_lvl+0x10/0x10<br /> ? __pfx__printk+0x10/0x10<br /> ? _printk+0xd5/0x120<br /> ? __virt_addr_valid+0x183/0x530<br /> ? __virt_addr_valid+0x183/0x530<br /> print_report+0x169/0x550<br /> ? __virt_addr_valid+0x183/0x530<br /> ? __virt_addr_valid+0x183/0x530<br /> ? __virt_addr_valid+0x45f/0x530<br /> ? __phys_addr+0xba/0x170<br /> ? strlen+0x58/0x70<br /> kasan_report+0x143/0x180<br /> ? strlen+0x58/0x70<br /> strlen+0x58/0x70<br /> kstrdup+0x20/0x80<br /> led_tg_check+0x18b/0x3c0<br /> xt_check_target+0x3bb/0xa40<br /> ? __pfx_xt_check_target+0x10/0x10<br /> ? stack_depot_save_flags+0x6e4/0x830<br /> ? nft_target_init+0x174/0xc30<br /> nft_target_init+0x82d/0xc30<br /> ? __pfx_nft_target_init+0x10/0x10<br /> ? nf_tables_newrule+0x1609/0x2980<br /> ? nf_tables_newrule+0x1609/0x2980<br /> ? rcu_is_watching+0x15/0xb0<br /> ? nf_tables_newrule+0x1609/0x2980<br /> ? nf_tables_newrule+0x1609/0x2980<br /> ? __kmalloc_noprof+0x21a/0x400<br /> nf_tables_newrule+0x1860/0x2980<br /> ? __pfx_nf_tables_newrule+0x10/0x10<br /> ? __nla_parse+0x40/0x60<br /> nfnetlink_rcv+0x14e5/0x2ab0<br /> ? __pfx_validate_chain+0x10/0x10<br /> ? __pfx_nfnetlink_rcv+0x10/0x10<br /> ? __lock_acquire+0x1384/0x2050<br /> ? netlink_deliver_tap+0x2e/0x1b0<br /> ? __pfx_lock_release+0x10/0x10<br /> ? netlink_deliver_tap+0x2e/0x1b0<br /> netlink_unicast+0x7f8/0x990<br /> ? __pfx_netlink_unicast+0x10/0x10<br /> ? __virt_addr_valid+0x183/0x530<br /> ? __check_object_size+0x48e/0x900<br /> netlink_sendmsg+0x8e4/0xcb0<br /> ? __pfx_netlink_sendmsg+0x10/0x10<br /> ? aa_sock_msg_perm+0x91/0x160<br /> ? __pfx_netlink_sendmsg+0x10/0x10<br /> __sock_sendmsg+0x223/0x270<br /> ____sys_sendmsg+0x52a/0x7e0<br /> ? __pfx_____sys_sendmsg+0x10/0x10<br /> __sys_sendmsg+0x292/0x380<br /> ? __pfx___sys_sendmsg+0x10/0x10<br /> ? lockdep_hardirqs_on_prepare+0x43d/0x780<br /> ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10<br /> ? exc_page_fault+0x590/0x8c0<br /> ? do_syscall_64+0xb6/0x230<br /> do_syscall_64+0xf3/0x230<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> ...<br /> <br /> <br /> Since an invalid (without &amp;#39;\0&amp;#39; byte at all) byte sequence may be passed<br /> from userspace, add an extra check to ensure that such a sequence is<br /> rejected as possible ID and so never passed to &amp;#39;kstrdup()&amp;#39; and further.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: hi311x: hi3110_can_ist(): fix potential use-after-free<br /> <br /> The commit a22bd630cfff ("can: hi311x: do not report txerr and rxerr<br /> during bus-off") removed the reporting of rxerr and txerr even in case<br /> of correct operation (i. e. not bus-off).<br /> <br /> The error count information added to the CAN frame after netif_rx() is<br /> a potential use after free, since there is no guarantee that the skb<br /> is in the same state. It might be freed or reused.<br /> <br /> Fix the issue by postponing the netif_rx() call in case of txerr and<br /> rxerr reporting.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: avoid possible NULL deref in modify_prefix_route()<br /> <br /> syzbot found a NULL deref [1] in modify_prefix_route(), caused by one<br /> fib6_info without a fib6_table pointer set.<br /> <br /> This can happen for net-&gt;ipv6.fib6_null_entry<br /> <br /> [1]<br /> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI<br /> KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]<br /> CPU: 1 UID: 0 PID: 5837 Comm: syz-executor888 Not tainted 6.12.0-syzkaller-09567-g7eef7e306d3c #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089<br /> Code: 08 84 d2 0f 85 15 14 00 00 44 8b 0d ca 98 f5 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 07 7f 93 0f 84<br /> RSP: 0018:ffffc900035d7268 EFLAGS: 00010006<br /> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000<br /> RDX: 0000000000000006 RSI: 1ffff920006bae5f RDI: 0000000000000030<br /> RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001<br /> R10: ffffffff90608e17 R11: 0000000000000001 R12: 0000000000000030<br /> R13: ffff888036334880 R14: 0000000000000000 R15: 0000000000000000<br /> FS: 0000555579e90380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007ffc59cc4278 CR3: 0000000072b54000 CR4: 00000000003526f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849<br /> __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]<br /> _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178<br /> spin_lock_bh include/linux/spinlock.h:356 [inline]<br /> modify_prefix_route+0x30b/0x8b0 net/ipv6/addrconf.c:4831<br /> inet6_addr_modify net/ipv6/addrconf.c:4923 [inline]<br /> inet6_rtm_newaddr+0x12c7/0x1ab0 net/ipv6/addrconf.c:5055<br /> rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6920<br /> netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2541<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]<br /> netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1347<br /> netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1891<br /> sock_sendmsg_nosec net/socket.c:711 [inline]<br /> __sock_sendmsg net/socket.c:726 [inline]<br /> ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2583<br /> ___sys_sendmsg+0x135/0x1e0 net/socket.c:2637<br /> __sys_sendmsg+0x16e/0x220 net/socket.c:2669<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7fd1dcef8b79<br /> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007ffc59cc4378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br /> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd1dcef8b79<br /> RDX: 0000000000040040 RSI: 0000000020000140 RDI: 0000000000000004<br /> RBP: 00000000000113fd R08: 0000000000000006 R09: 0000000000000006<br /> R10: 0000000000000006 R11: 0000000000000246 R12: 00007ffc59cc438c<br /> R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/ipv6: release expired exception dst cached in socket<br /> <br /> Dst objects get leaked in ip6_negative_advice() when this function is<br /> executed for an expired IPv6 route located in the exception table. There<br /> are several conditions that must be fulfilled for the leak to occur:<br /> * an ICMPv6 packet indicating a change of the MTU for the path is received,<br /> resulting in an exception dst being created<br /> * a TCP connection that uses the exception dst for routing packets must<br /> start timing out so that TCP begins retransmissions<br /> * after the exception dst expires, the FIB6 garbage collector must not run<br /> before TCP executes ip6_negative_advice() for the expired exception dst<br /> <br /> When TCP executes ip6_negative_advice() for an exception dst that has<br /> expired and if no other socket holds a reference to the exception dst, the<br /> refcount of the exception dst is 2, which corresponds to the increment<br /> made by dst_init() and the increment made by the TCP socket for which the<br /> connection is timing out. The refcount made by the socket is never<br /> released. The refcount of the dst is decremented in sk_dst_reset() but<br /> that decrement is counteracted by a dst_hold() intentionally placed just<br /> before the sk_dst_reset() in ip6_negative_advice(). After<br /> ip6_negative_advice() has finished, there is no other object tied to the<br /> dst. The socket lost its reference stored in sk_dst_cache and the dst is<br /> no longer in the exception table. The exception dst becomes a leaked<br /> object.<br /> <br /> As a result of this dst leak, an unbalanced refcount is reported for the<br /> loopback device of a net namespace being destroyed under kernels that do<br /> not contain e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"):<br /> unregister_netdevice: waiting for lo to become free. Usage count = 2<br /> <br /> Fix the dst leak by removing the dst_hold() in ip6_negative_advice(). The<br /> patch that introduced the dst_hold() in ip6_negative_advice() was<br /> 92f1655aa2b22 ("net: fix __dst_negative_advice() race"). But 92f1655aa2b22<br /> merely refactored the code with regards to the dst refcount so the issue<br /> was present even before 92f1655aa2b22. The bug was introduced in<br /> 54c1a859efd9f ("ipv6: Don&amp;#39;t drop cache route entry unless timer actually<br /> expired.") where the expired cached route is deleted and the sk_dst_cache<br /> member of the socket is set to NULL by calling dst_negative_advice() but<br /> the refcount belonging to the socket is left unbalanced.<br /> <br /> The IPv4 version - ipv4_negative_advice() - is not affected by this bug.<br /> When the TCP connection times out ipv4_negative_advice() merely resets the<br /> sk_dst_cache of the socket while decrementing the refcount of the<br /> exception dst.