Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: inet6: do not leave a dangling sk pointer in inet6_create()<br /> <br /> sock_init_data() attaches the allocated sk pointer to the provided sock<br /> object. If inet6_create() fails later, the sk object is released, but the<br /> sock object retains the dangling sk pointer, which may cause use-after-free<br /> later.<br /> <br /> Clear the sock sk pointer on error.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: inet: do not leave a dangling sk pointer in inet_create()<br /> <br /> sock_init_data() attaches the allocated sk object to the provided sock<br /> object. If inet_create() fails later, the sk object is freed, but the<br /> sock object retains the dangling pointer, which may create use-after-free<br /> later.<br /> <br /> Clear the sk pointer in the sock object on error.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()<br /> <br /> sock_init_data() attaches the allocated sk object to the provided sock<br /> object. If ieee802154_create() fails later, the allocated sk object is<br /> freed, but the dangling pointer remains in the provided sock object, which<br /> may allow use-after-free.<br /> <br /> Clear the sk pointer in the sock object on error.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: af_can: do not leave a dangling sk pointer in can_create()<br /> <br /> On error can_create() frees the allocated sk object, but sock_init_data()<br /> has already attached it to the provided sock object. This will leave a<br /> dangling sk pointer in the sock object and may cause use-after-free later.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc()<br /> <br /> bt_sock_alloc() attaches allocated sk object to the provided sock object.<br /> If rfcomm_dlc_alloc() fails, we release the sk object, but leave the<br /> dangling pointer in the sock object, which may cause use-after-free.<br /> <br /> Fix this by swapping calls to bt_sock_alloc() and rfcomm_dlc_alloc().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()<br /> <br /> bt_sock_alloc() allocates the sk object and attaches it to the provided<br /> sock object. On error l2cap_sock_alloc() frees the sk object, but the<br /> dangling pointer is still attached to the sock object, which may create<br /> use-after-free in other code.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: hisi_sas: Create all dump files during debugfs initialization<br /> <br /> For the current debugfs of hisi_sas, after user triggers dump, the<br /> driver allocate memory space to save the register information and create<br /> debugfs files to display the saved information. In this process, the<br /> debugfs files created after each dump.<br /> <br /> Therefore, when the dump is triggered while the driver is unbind, the<br /> following hang occurs:<br /> <br /> [67840.853907] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0<br /> [67840.862947] Mem abort info:<br /> [67840.865855] ESR = 0x0000000096000004<br /> [67840.869713] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [67840.875125] SET = 0, FnV = 0<br /> [67840.878291] EA = 0, S1PTW = 0<br /> [67840.881545] FSC = 0x04: level 0 translation fault<br /> [67840.886528] Data abort info:<br /> [67840.889524] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000<br /> [67840.895117] CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> [67840.900284] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> [67840.905709] user pgtable: 4k pages, 48-bit VAs, pgdp=0000002803a1f000<br /> [67840.912263] [00000000000000a0] pgd=0000000000000000, p4d=0000000000000000<br /> [67840.919177] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP<br /> [67840.996435] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [67841.003628] pc : down_write+0x30/0x98<br /> [67841.007546] lr : start_creating.part.0+0x60/0x198<br /> [67841.012495] sp : ffff8000b979ba20<br /> [67841.016046] x29: ffff8000b979ba20 x28: 0000000000000010 x27: 0000000000024b40<br /> [67841.023412] x26: 0000000000000012 x25: ffff20202b355ae8 x24: ffff20202b35a8c8<br /> [67841.030779] x23: ffffa36877928208 x22: ffffa368b4972240 x21: ffff8000b979bb18<br /> [67841.038147] x20: ffff00281dc1e3c0 x19: fffffffffffffffe x18: 0000000000000020<br /> [67841.045515] x17: 0000000000000000 x16: ffffa368b128a530 x15: ffffffffffffffff<br /> [67841.052888] x14: ffff8000b979bc18 x13: ffffffffffffffff x12: ffff8000b979bb18<br /> [67841.060263] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa368b1289b18<br /> [67841.067640] x8 : 0000000000000012 x7 : 0000000000000000 x6 : 00000000000003a9<br /> [67841.075014] x5 : 0000000000000000 x4 : ffff002818c5cb00 x3 : 0000000000000001<br /> [67841.082388] x2 : 0000000000000000 x1 : ffff002818c5cb00 x0 : 00000000000000a0<br /> [67841.089759] Call trace:<br /> [67841.092456] down_write+0x30/0x98<br /> [67841.096017] start_creating.part.0+0x60/0x198<br /> [67841.100613] debugfs_create_dir+0x48/0x1f8<br /> [67841.104950] debugfs_create_files_v3_hw+0x88/0x348 [hisi_sas_v3_hw]<br /> [67841.111447] debugfs_snapshot_regs_v3_hw+0x708/0x798 [hisi_sas_v3_hw]<br /> [67841.118111] debugfs_trigger_dump_v3_hw_write+0x9c/0x120 [hisi_sas_v3_hw]<br /> [67841.125115] full_proxy_write+0x68/0xc8<br /> [67841.129175] vfs_write+0xd8/0x3f0<br /> [67841.132708] ksys_write+0x70/0x108<br /> [67841.136317] __arm64_sys_write+0x24/0x38<br /> [67841.140440] invoke_syscall+0x50/0x128<br /> [67841.144385] el0_svc_common.constprop.0+0xc8/0xf0<br /> [67841.149273] do_el0_svc+0x24/0x38<br /> [67841.152773] el0_svc+0x38/0xd8<br /> [67841.156009] el0t_64_sync_handler+0xc0/0xc8<br /> [67841.160361] el0t_64_sync+0x1a4/0x1a8<br /> [67841.164189] Code: b9000882 d2800002 d2800023 f9800011 (c85ffc05)<br /> [67841.170443] ---[ end trace 0000000000000000 ]---<br /> <br /> To fix this issue, create all directories and files during debugfs<br /> initialization. In this way, the driver only needs to allocate memory<br /> space to save information each time the user triggers dumping.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: hci_conn: Use disable_delayed_work_sync<br /> <br /> This makes use of disable_delayed_work_sync instead<br /> cancel_delayed_work_sync as it not only cancel the ongoing work but also<br /> disables new submit which is disarable since the object holding the work<br /> is about to be freed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Call free_htab_elem() after htab_unlock_bucket()<br /> <br /> For htab of maps, when the map is removed from the htab, it may hold the<br /> last reference of the map. bpf_map_fd_put_ptr() will invoke<br /> bpf_map_free_id() to free the id of the removed map element. However,<br /> bpf_map_fd_put_ptr() is invoked while holding a bucket lock<br /> (raw_spin_lock_t), and bpf_map_free_id() attempts to acquire map_idr_lock<br /> (spinlock_t), triggering the following lockdep warning:<br /> <br /> =============================<br /> [ BUG: Invalid wait context ]<br /> 6.11.0-rc4+ #49 Not tainted<br /> -----------------------------<br /> test_maps/4881 is trying to lock:<br /> ffffffff84884578 (map_idr_lock){+...}-{3:3}, at: bpf_map_free_id.part.0+0x21/0x70<br /> other info that might help us debug this:<br /> context-{5:5}<br /> 2 locks held by test_maps/4881:<br /> #0: ffffffff846caf60 (rcu_read_lock){....}-{1:3}, at: bpf_fd_htab_map_update_elem+0xf9/0x270<br /> #1: ffff888149ced148 (&amp;htab-&gt;lockdep_key#2){....}-{2:2}, at: htab_map_update_elem+0x178/0xa80<br /> stack backtrace:<br /> CPU: 0 UID: 0 PID: 4881 Comm: test_maps Not tainted 6.11.0-rc4+ #49<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), ...<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x6e/0xb0<br /> dump_stack+0x10/0x20<br /> __lock_acquire+0x73e/0x36c0<br /> lock_acquire+0x182/0x450<br /> _raw_spin_lock_irqsave+0x43/0x70<br /> bpf_map_free_id.part.0+0x21/0x70<br /> bpf_map_put+0xcf/0x110<br /> bpf_map_fd_put_ptr+0x9a/0xb0<br /> free_htab_elem+0x69/0xe0<br /> htab_map_update_elem+0x50f/0xa80<br /> bpf_fd_htab_map_update_elem+0x131/0x270<br /> htab_map_update_elem+0x50f/0xa80<br /> bpf_fd_htab_map_update_elem+0x131/0x270<br /> bpf_map_update_value+0x266/0x380<br /> __sys_bpf+0x21bb/0x36b0<br /> __x64_sys_bpf+0x45/0x60<br /> x64_sys_call+0x1b2a/0x20d0<br /> do_syscall_64+0x5d/0x100<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> One way to fix the lockdep warning is using raw_spinlock_t for<br /> map_idr_lock as well. However, bpf_map_alloc_id() invokes<br /> idr_alloc_cyclic() after acquiring map_idr_lock, it will trigger a<br /> similar lockdep warning because the slab&amp;#39;s lock (s-&gt;cpu_slab-&gt;lock) is<br /> still a spinlock.<br /> <br /> Instead of changing map_idr_lock&amp;#39;s type, fix the issue by invoking<br /> htab_put_fd_value() after htab_unlock_bucket(). However, only deferring<br /> the invocation of htab_put_fd_value() is not enough, because the old map<br /> pointers in htab of maps can not be saved during batched deletion.<br /> Therefore, also defer the invocation of free_htab_elem(), so these<br /> to-be-freed elements could be linked together similar to lru map.<br /> <br /> There are four callers for -&gt;map_fd_put_ptr:<br /> <br /> (1) alloc_htab_elem() (through htab_put_fd_value())<br /> It invokes -&gt;map_fd_put_ptr() under a raw_spinlock_t. The invocation of<br /> htab_put_fd_value() can not simply move after htab_unlock_bucket(),<br /> because the old element has already been stashed in htab-&gt;extra_elems.<br /> It may be reused immediately after htab_unlock_bucket() and the<br /> invocation of htab_put_fd_value() after htab_unlock_bucket() may release<br /> the newly-added element incorrectly. Therefore, saving the map pointer<br /> of the old element for htab of maps before unlocking the bucket and<br /> releasing the map_ptr after unlock. Beside the map pointer in the old<br /> element, should do the same thing for the special fields in the old<br /> element as well.<br /> <br /> (2) free_htab_elem() (through htab_put_fd_value())<br /> Its caller includes __htab_map_lookup_and_delete_elem(),<br /> htab_map_delete_elem() and __htab_map_lookup_and_delete_batch().<br /> <br /> For htab_map_delete_elem(), simply invoke free_htab_elem() after<br /> htab_unlock_bucket(). For __htab_map_lookup_and_delete_batch(), just<br /> like lru map, linking the to-be-freed element into node_to_free list<br /> and invoking free_htab_elem() for these element after unlock. It is safe<br /> to reuse batch_flink as the link for node_to_free, because these<br /> elements have been removed from the hash llist.<br /> <br /> Because htab of maps doesn&amp;#39;t support lookup_and_delete operation,<br /> __htab_map_lookup_and_delete_elem() doesn&amp;#39;t have the problem, so kept<br /> it as<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: hisi_sas: Add cond_resched() for no forced preemption model<br /> <br /> For no forced preemption model kernel, in the scenario where the<br /> expander is connected to 12 high performance SAS SSDs, the following<br /> call trace may occur:<br /> <br /> [ 214.409199][ C240] watchdog: BUG: soft lockup - CPU#240 stuck for 22s! [irq/149-hisi_sa:3211]<br /> [ 214.568533][ C240] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)<br /> [ 214.575224][ C240] pc : fput_many+0x8c/0xdc<br /> [ 214.579480][ C240] lr : fput+0x1c/0xf0<br /> [ 214.583302][ C240] sp : ffff80002de2b900<br /> [ 214.587298][ C240] x29: ffff80002de2b900 x28: ffff1082aa412000<br /> [ 214.593291][ C240] x27: ffff3062a0348c08 x26: ffff80003a9f6000<br /> [ 214.599284][ C240] x25: ffff1062bbac5c40 x24: 0000000000001000<br /> [ 214.605277][ C240] x23: 000000000000000a x22: 0000000000000001<br /> [ 214.611270][ C240] x21: 0000000000001000 x20: 0000000000000000<br /> [ 214.617262][ C240] x19: ffff3062a41ae580 x18: 0000000000010000<br /> [ 214.623255][ C240] x17: 0000000000000001 x16: ffffdb3a6efe5fc0<br /> [ 214.629248][ C240] x15: ffffffffffffffff x14: 0000000003ffffff<br /> [ 214.635241][ C240] x13: 000000000000ffff x12: 000000000000029c<br /> [ 214.641234][ C240] x11: 0000000000000006 x10: ffff80003a9f7fd0<br /> [ 214.647226][ C240] x9 : ffffdb3a6f0482fc x8 : 0000000000000001<br /> [ 214.653219][ C240] x7 : 0000000000000002 x6 : 0000000000000080<br /> [ 214.659212][ C240] x5 : ffff55480ee9b000 x4 : fffffde7f94c6554<br /> [ 214.665205][ C240] x3 : 0000000000000002 x2 : 0000000000000020<br /> [ 214.671198][ C240] x1 : 0000000000000021 x0 : ffff3062a41ae5b8<br /> [ 214.677191][ C240] Call trace:<br /> [ 214.680320][ C240] fput_many+0x8c/0xdc<br /> [ 214.684230][ C240] fput+0x1c/0xf0<br /> [ 214.687707][ C240] aio_complete_rw+0xd8/0x1fc<br /> [ 214.692225][ C240] blkdev_bio_end_io+0x98/0x140<br /> [ 214.696917][ C240] bio_endio+0x160/0x1bc<br /> [ 214.701001][ C240] blk_update_request+0x1c8/0x3bc<br /> [ 214.705867][ C240] scsi_end_request+0x3c/0x1f0<br /> [ 214.710471][ C240] scsi_io_completion+0x7c/0x1a0<br /> [ 214.715249][ C240] scsi_finish_command+0x104/0x140<br /> [ 214.720200][ C240] scsi_softirq_done+0x90/0x180<br /> [ 214.724892][ C240] blk_mq_complete_request+0x5c/0x70<br /> [ 214.730016][ C240] scsi_mq_done+0x48/0xac<br /> [ 214.734194][ C240] sas_scsi_task_done+0xbc/0x16c [libsas]<br /> [ 214.739758][ C240] slot_complete_v3_hw+0x260/0x760 [hisi_sas_v3_hw]<br /> [ 214.746185][ C240] cq_thread_v3_hw+0xbc/0x190 [hisi_sas_v3_hw]<br /> [ 214.752179][ C240] irq_thread_fn+0x34/0xa4<br /> [ 214.756435][ C240] irq_thread+0xc4/0x130<br /> [ 214.760520][ C240] kthread+0x108/0x13c<br /> [ 214.764430][ C240] ret_from_fork+0x10/0x18<br /> <br /> This is because in the hisi_sas driver, both the hardware interrupt<br /> handler and the interrupt thread are executed on the same CPU. In the<br /> performance test scenario, function irq_wait_for_interrupt() will always<br /> return 0 if lots of interrupts occurs and the CPU will be continuously<br /> consumed. As a result, the CPU cannot run the watchdog thread. When the<br /> watchdog time exceeds the specified time, call trace occurs.<br /> <br /> To fix it, add cond_resched() to execute the watchdog thread.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet<br /> <br /> This fixes not checking if skb really contains an ACL header otherwise<br /> the code may attempt to access some uninitilized/invalid memory past the<br /> valid skb-&gt;data.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()<br /> <br /> This patch fixes a NULL pointer dereference bug in brcmfmac that occurs<br /> when a high &amp;#39;sd_sgentry_align&amp;#39; value applies (e.g. 512) and a lot of queued SKBs<br /> are sent from the pkt queue.<br /> <br /> The problem is the number of entries in the pre-allocated sgtable, it is<br /> nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) &gt;&gt; 4 + 1.<br /> Given the default [rt]xglom_size=32 it&amp;#39;s actually 35 which is too small.<br /> Worst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB<br /> is added for each original SKB if tailroom isn&amp;#39;t enough to hold tail_pad.<br /> At least one sg entry is needed for each SKB. So, eventually the "skb_queue_walk loop"<br /> in brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return<br /> NULL and this causes the oops.<br /> <br /> The patch sets nents to max(rxglom_size, txglom_size) * 2 to be able handle<br /> the worst-case.<br /> Btw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464<br /> additional bytes of memory.