Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we provide a database, in Spanish, of all the latest documented and recognised vulnerabilities for users interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

You can be informed daily about the latest vulnerabilities added to the repository through RSS feeds or newsletters. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-21970

Publication date:
01/04/2025
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Bridge, fix the crash caused by LAG state check

When removing LAG device from bridge, NETDEV_CHANGEUPPER event is triggered. Driver finds the lower devices (PFs) to flush all the offloaded entries. And mlx5_lag_is_shared_fdb is checked, it returns false if one of PF is unloaded. In such case, mlx5_esw_bridge_lag_rep_get() and its caller return NULL, instead of the alive PF, and the flush is skipped.

Besides, the bridge fdb entry's lastuse is updated in mlx5 bridge event handler. But this SWITCHDEV_FDB_ADD_TO_BRIDGE event can be ignored in this case because the upper interface for bond is deleted, and the entry will never be aged because lastuse is never updated.

To make things worse, as the entry is alive, mlx5 bridge workqueue keeps sending that event, which is then handled by kernel bridge notifier. It causes the following crash when accessing the passed bond netdev which is already destroyed.

To fix this issue, remove such checks. LAG state is already checked in commit 15f8f168952f ("net/mlx5: Bridge, verify LAG state when adding bond to bridge"), driver still need to skip offload if LAG becomes invalid state after initialization.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-21971

Publication date:
01/04/2025
In the Linux kernel, the following vulnerability has been resolved:

net_sched: Prevent creation of classes with TC_H_ROOT

The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination condition when traversing up the qdisc tree to update parent backlog counters. However, if a class is created with classid TC_H_ROOT, the traversal terminates prematurely at this class instead of reaching the actual root qdisc, causing parent statistics to be incorrectly maintained. In case of DRR, this could lead to a crash as reported by Mingi Cho.

Prevent the creation of any Qdisc class with classid TC_H_ROOT (0xFFFFFFFF) across all qdisc types, as suggested by Jamal.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-21975

Publication date:
01/04/2025
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: handle errors in mlx5_chains_create_table()

In mlx5_chains_create_table(), the return value of mlx5_get_fdb_sub_ns() and mlx5_get_flow_namespace() must be checked to prevent NULL pointer dereferences. If either function fails, the function should log error message with mlx5_core_warn() and return error pointer.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-21965

Publication date:
01/04/2025
In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Validate prev_cpu in scx_bpf_select_cpu_dfl()

If a BPF scheduler provides an invalid CPU (outside the nr_cpu_ids range) as prev_cpu to scx_bpf_select_cpu_dfl() it can cause a kernel crash.

To prevent this, validate prev_cpu in scx_bpf_select_cpu_dfl() and trigger an scx error if an invalid CPU is specified.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2025

CVE-2025-21958

Publication date:
01/04/2025
In the Linux kernel, the following vulnerability has been resolved:

Revert "openvswitch: switch to per-action label counting in conntrack"

Currently, ovs_ct_set_labels() is only called for confirmed conntrack entries (ct) within ovs_ct_commit(). However, if the conntrack entry does not have the labels_ext extension, attempting to allocate it in ovs_ct_get_conn_labels() for a confirmed entry triggers a warning in nf_ct_ext_add():

WARN_ON(nf_ct_is_confirmed(ct));

This happens when the conntrack entry is created externally before OVS increments net->ct.labels_used. The issue has become more likely since commit fcb1aa5163b1 ("openvswitch: switch to per-action label counting in conntrack"), which changed to use per-action label counting and increment net->ct.labels_used when a flow with ct action is added.

Since there’s no straightforward way to fully resolve this issue at the moment, this reverts the commit to avoid breaking existing use cases.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2025

CVE-2025-21961

Publication date:
01/04/2025
In the Linux kernel, the following vulnerability has been resolved:

eth: bnxt: fix truesize for mb-xdp-pass case

When mb-xdp is set and return is XDP_PASS, packet is converted from xdp_buff to sk_buff with xdp_update_skb_shared_info() in bnxt_xdp_build_skb(). bnxt_xdp_build_skb() passes incorrect truesize argument to xdp_update_skb_shared_info(). The truesize is calculated as BNXT_RX_PAGE_SIZE * sinfo->nr_frags but the skb_shared_info was wiped by napi_build_skb() before. So it stores sinfo->nr_frags before bnxt_xdp_build_skb() and use it instead of getting skb_shared_info from xdp_get_shared_info_from_buff().

Splat looks like:

How to reproduce:

    ip link set $interface1 xdp obj xdp_pass.o
    ip link set $interface1 mtu 9000 up
    ip a a 10.0.0.1/24 dev $interface1

    ip link set $interface2 mtu 9000 up
    ip a a 10.0.0.2/24 dev $interface2
    ping 10.0.0.1 -s 65000

Following ping.py patch adds xdp-mb-pass case. so ping.py is going to be able to reproduce this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2025-21966

Publication date:
01/04/2025
In the Linux kernel, the following vulnerability has been resolved:

dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature

Fix memory corruption due to incorrect parameter being passed to bio_init
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2025-21967

Publication date:
01/04/2025
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in ksmbd_free_work_struct

->interim_entry of ksmbd_work could be deleted after oplock is freed. We don't need to manage it with linked list. The interim request could be immediately sent whenever an oplock break wait is needed.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2025

CVE-2025-21959

Publication date:
01/04/2025
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()

Since commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race"), `cpu` and `jiffies32` were introduced to the struct nf_conncount_tuple.

The commit made nf_conncount_add() initialize `conn->cpu` and `conn->jiffies32` when allocating the struct. In contrast, count_tree() was not changed to initialize them.

By commit 34848d5c896e ("netfilter: nf_conncount: Split insert and traversal"), count_tree() was split and the relevant allocation code now resides in insert_tree(). Initialize `conn->cpu` and `conn->jiffies32` in insert_tree().
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-21960

Publication date:
01/04/2025
In the Linux kernel, the following vulnerability has been resolved:

eth: bnxt: do not update checksum in bnxt_xdp_build_skb()

The bnxt_rx_pkt() updates ip_summed value at the end if checksum offload is enabled. When the XDP-MB program is attached and it returns XDP_PASS, the bnxt_xdp_build_skb() is called to update skb_shared_info. The main purpose of bnxt_xdp_build_skb() is to update skb_shared_info, but it updates ip_summed value too if checksum offload is enabled. This is actually duplicate work.

When the bnxt_rx_pkt() updates ip_summed value, it checks if ip_summed is CHECKSUM_NONE or not. It means that ip_summed should be CHECKSUM_NONE at this moment. But ip_summed may already be updated to CHECKSUM_UNNECESSARY in the XDP-MB-PASS path. So the by skb_checksum_none_assert() WARNS about it.

This is duplicate work and updating ip_summed in the bnxt_xdp_build_skb() is not needed.

Splat looks like:

Following ping.py patch adds xdp-mb-pass case. so ping.py is going to be able to reproduce this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-21962

Publication date:
01/04/2025
In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix integer overflow while processing closetimeo mount option

User-provided mount parameter closetimeo of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-21963

Publication date:
01/04/2025
In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix integer overflow while processing acdirmax mount option

User-provided mount parameter acdirmax of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025