Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/l2tp: fix warning in l2tp_exit_net found by syzbot<br /> <br /> In l2tp&amp;#39;s net exit handler, we check that an IDR is empty before<br /> destroying it:<br /> <br /> WARN_ON_ONCE(!idr_is_empty(&amp;pn-&gt;l2tp_tunnel_idr));<br /> idr_destroy(&amp;pn-&gt;l2tp_tunnel_idr);<br /> <br /> By forcing memory allocation failures in idr_alloc_32, syzbot is able<br /> to provoke a condition where idr_is_empty returns false despite there<br /> being no items in the IDR. This turns out to be because the radix tree<br /> of the IDR contains only internal radix-tree nodes and it is this that<br /> causes idr_is_empty to return false. The internal nodes are cleaned by<br /> idr_destroy.<br /> <br /> Use idr_for_each to check that the IDR is empty instead of<br /> idr_is_empty to avoid the problem.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netlink: fix false positive warning in extack during dumps<br /> <br /> Commit under fixes extended extack reporting to dumps.<br /> It works under normal conditions, because extack errors are<br /> usually reported during -&gt;start() or the first -&gt;dump(),<br /> it&amp;#39;s quite rare that the dump starts okay but fails later.<br /> If the dump does fail later, however, the input skb will<br /> already have the initiating message pulled, so checking<br /> if bad attr falls within skb-&gt;data will fail.<br /> <br /> Switch the check to using nlh, which is always valid.<br /> <br /> syzbot found a way to hit that scenario by filling up<br /> the receive queue. In this case we initiate a dump<br /> but don&amp;#39;t call -&gt;dump() until there is read space for<br /> an skb.<br /> <br /> WARNING: CPU: 1 PID: 5845 at net/netlink/af_netlink.c:2210 netlink_ack_tlv_fill+0x1a8/0x560 net/netlink/af_netlink.c:2209<br /> RIP: 0010:netlink_ack_tlv_fill+0x1a8/0x560 net/netlink/af_netlink.c:2209<br /> Call Trace:<br /> <br /> netlink_dump_done+0x513/0x970 net/netlink/af_netlink.c:2250<br /> netlink_dump+0x91f/0xe10 net/netlink/af_netlink.c:2351<br /> netlink_recvmsg+0x6bb/0x11d0 net/netlink/af_netlink.c:1983<br /> sock_recvmsg_nosec net/socket.c:1051 [inline]<br /> sock_recvmsg+0x22f/0x280 net/socket.c:1073<br /> __sys_recvfrom+0x246/0x3d0 net/socket.c:2267<br /> __do_sys_recvfrom net/socket.c:2285 [inline]<br /> __se_sys_recvfrom net/socket.c:2281 [inline]<br /> __x64_sys_recvfrom+0xde/0x100 net/socket.c:2281<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7ff37dd17a79

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: release svc_expkey/svc_export with rcu_work<br /> <br /> The last reference for `cache_head` can be reduced to zero in `c_show`<br /> and `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently,<br /> `svc_export_put` and `expkey_put` will be invoked, leading to two<br /> issues:<br /> <br /> 1. The `svc_export_put` will directly free ex_uuid. However,<br /> `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can<br /> trigger a use-after-free issue, shown below.<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd]<br /> Read of size 1 at addr ff11000010fdc120 by task cat/870<br /> <br /> CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS<br /> 1.16.1-2.fc37 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x53/0x70<br /> print_address_description.constprop.0+0x2c/0x3a0<br /> print_report+0xb9/0x280<br /> kasan_report+0xae/0xe0<br /> svc_export_show+0x362/0x430 [nfsd]<br /> c_show+0x161/0x390 [sunrpc]<br /> seq_read_iter+0x589/0x770<br /> seq_read+0x1e5/0x270<br /> proc_reg_read+0xe1/0x140<br /> vfs_read+0x125/0x530<br /> ksys_read+0xc1/0x160<br /> do_syscall_64+0x5f/0x170<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> Allocated by task 830:<br /> kasan_save_stack+0x20/0x40<br /> kasan_save_track+0x14/0x30<br /> __kasan_kmalloc+0x8f/0xa0<br /> __kmalloc_node_track_caller_noprof+0x1bc/0x400<br /> kmemdup_noprof+0x22/0x50<br /> svc_export_parse+0x8a9/0xb80 [nfsd]<br /> cache_do_downcall+0x71/0xa0 [sunrpc]<br /> cache_write_procfs+0x8e/0xd0 [sunrpc]<br /> proc_reg_write+0xe1/0x140<br /> vfs_write+0x1a5/0x6d0<br /> ksys_write+0xc1/0x160<br /> do_syscall_64+0x5f/0x170<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> Freed by task 868:<br /> kasan_save_stack+0x20/0x40<br /> kasan_save_track+0x14/0x30<br /> kasan_save_free_info+0x3b/0x60<br /> __kasan_slab_free+0x37/0x50<br /> kfree+0xf3/0x3e0<br /> svc_export_put+0x87/0xb0 [nfsd]<br /> cache_purge+0x17f/0x1f0 [sunrpc]<br /> nfsd_destroy_serv+0x226/0x2d0 [nfsd]<br /> nfsd_svc+0x125/0x1e0 [nfsd]<br /> write_threads+0x16a/0x2a0 [nfsd]<br /> nfsctl_transaction_write+0x74/0xa0 [nfsd]<br /> vfs_write+0x1a5/0x6d0<br /> ksys_write+0xc1/0x160<br /> do_syscall_64+0x5f/0x170<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> 2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`.<br /> However, `svc_export_put`/`expkey_put` will call path_put, which<br /> subsequently triggers a sleeping operation due to the following<br /> `dput`.<br /> <br /> =============================<br /> WARNING: suspicious RCU usage<br /> 5.10.0-dirty #141 Not tainted<br /> -----------------------------<br /> ...<br /> Call Trace:<br /> dump_stack+0x9a/0xd0<br /> ___might_sleep+0x231/0x240<br /> dput+0x39/0x600<br /> path_put+0x1b/0x30<br /> svc_export_put+0x17/0x80<br /> e_show+0x1c9/0x200<br /> seq_read_iter+0x63f/0x7c0<br /> seq_read+0x226/0x2d0<br /> vfs_read+0x113/0x2c0<br /> ksys_read+0xc9/0x170<br /> do_syscall_64+0x33/0x40<br /> entry_SYSCALL_64_after_hwframe+0x67/0xd1<br /> <br /> Fix these issues by using `rcu_work` to help release<br /> `svc_expkey`/`svc_export`. This approach allows for an asynchronous<br /> context to invoke `path_put` and also facilitates the freeing of<br /> `uuid/exp/key` after an RCU grace period.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix race in concurrent f2fs_stop_gc_thread<br /> <br /> In my test case, concurrent calls to f2fs shutdown report the following<br /> stack trace:<br /> <br /> Oops: general protection fault, probably for non-canonical address 0xc6cfff63bb5513fc: 0000 [#1] PREEMPT SMP PTI<br /> CPU: 0 UID: 0 PID: 678 Comm: f2fs_rep_shutdo Not tainted 6.12.0-rc5-next-20241029-g6fb2fa9805c5-dirty #85<br /> Call Trace:<br /> <br /> ? show_regs+0x8b/0xa0<br /> ? __die_body+0x26/0xa0<br /> ? die_addr+0x54/0x90<br /> ? exc_general_protection+0x24b/0x5c0<br /> ? asm_exc_general_protection+0x26/0x30<br /> ? kthread_stop+0x46/0x390<br /> f2fs_stop_gc_thread+0x6c/0x110<br /> f2fs_do_shutdown+0x309/0x3a0<br /> f2fs_ioc_shutdown+0x150/0x1c0<br /> __f2fs_ioctl+0xffd/0x2ac0<br /> f2fs_ioctl+0x76/0xe0<br /> vfs_ioctl+0x23/0x60<br /> __x64_sys_ioctl+0xce/0xf0<br /> x64_sys_call+0x2b1b/0x4540<br /> do_syscall_64+0xa7/0x240<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> The root cause is a race condition in f2fs_stop_gc_thread() called from<br /> different f2fs shutdown paths:<br /> <br /> [CPU0] [CPU1]<br /> ---------------------- -----------------------<br /> f2fs_stop_gc_thread f2fs_stop_gc_thread<br /> gc_th = sbi-&gt;gc_thread<br /> gc_th = sbi-&gt;gc_thread<br /> kfree(gc_th)<br /> sbi-&gt;gc_thread = NULL<br /> <br /> kthread_stop(gc_th-&gt;f2fs_gc_task) //UAF<br /> <br /> The commit c7f114d864ac ("f2fs: fix to avoid use-after-free in<br /> f2fs_stop_gc_thread()") attempted to fix this issue by using a read<br /> semaphore to prevent races between shutdown and remount threads, but<br /> it fails to prevent all race conditions.<br /> <br /> Fix it by converting to write lock of s_umount in f2fs_do_shutdown().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> virtiofs: use pages instead of pointer for kernel direct IO<br /> <br /> When trying to insert a 10MB kernel module kept in a virtio-fs with cache<br /> disabled, the following warning was reported:<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 1 PID: 404 at mm/page_alloc.c:4551 ......<br /> Modules linked in:<br /> CPU: 1 PID: 404 Comm: insmod Not tainted 6.9.0-rc5+ #123<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......<br /> RIP: 0010:__alloc_pages+0x2bf/0x380<br /> ......<br /> Call Trace:<br /> <br /> ? __warn+0x8e/0x150<br /> ? __alloc_pages+0x2bf/0x380<br /> __kmalloc_large_node+0x86/0x160<br /> __kmalloc+0x33c/0x480<br /> virtio_fs_enqueue_req+0x240/0x6d0<br /> virtio_fs_wake_pending_and_unlock+0x7f/0x190<br /> queue_request_and_unlock+0x55/0x60<br /> fuse_simple_request+0x152/0x2b0<br /> fuse_direct_io+0x5d2/0x8c0<br /> fuse_file_read_iter+0x121/0x160<br /> __kernel_read+0x151/0x2d0<br /> kernel_read+0x45/0x50<br /> kernel_read_file+0x1a9/0x2a0<br /> init_module_from_file+0x6a/0xe0<br /> idempotent_init_module+0x175/0x230<br /> __x64_sys_finit_module+0x5d/0xb0<br /> x64_sys_call+0x1c3/0x9e0<br /> do_syscall_64+0x3d/0xc0<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53<br /> ......<br /> <br /> ---[ end trace 0000000000000000 ]---<br /> <br /> The warning is triggered as follows:<br /> <br /> 1) syscall finit_module() handles the module insertion and it invokes<br /> kernel_read_file() to read the content of the module first.<br /> <br /> 2) kernel_read_file() allocates a 10MB buffer by using vmalloc() and<br /> passes it to kernel_read(). kernel_read() constructs a kvec iter by<br /> using iov_iter_kvec() and passes it to fuse_file_read_iter().<br /> <br /> 3) virtio-fs disables the cache, so fuse_file_read_iter() invokes<br /> fuse_direct_io(). As for now, the maximal read size for kvec iter is<br /> only limited by fc-&gt;max_read. For virtio-fs, max_read is UINT_MAX, so<br /> fuse_direct_io() doesn&amp;#39;t split the 10MB buffer. It saves the address and<br /> the size of the 10MB-sized buffer in out_args[0] of a fuse request and<br /> passes the fuse request to virtio_fs_wake_pending_and_unlock().<br /> <br /> 4) virtio_fs_wake_pending_and_unlock() uses virtio_fs_enqueue_req() to<br /> queue the request. Because virtiofs need DMA-able address, so<br /> virtio_fs_enqueue_req() uses kmalloc() to allocate a bounce buffer for<br /> all fuse args, copies these args into the bounce buffer and passed the<br /> physical address of the bounce buffer to virtiofsd. The total length of<br /> these fuse args for the passed fuse request is about 10MB, so<br /> copy_args_to_argbuf() invokes kmalloc() with a 10MB size parameter and<br /> it triggers the warning in __alloc_pages():<br /> <br /> if (WARN_ON_ONCE_GFP(order &gt; MAX_PAGE_ORDER, gfp))<br /> return NULL;<br /> <br /> 5) virtio_fs_enqueue_req() will retry the memory allocation in a<br /> kworker, but it won&amp;#39;t help, because kmalloc() will always return NULL<br /> due to the abnormal size and finit_module() will hang forever.<br /> <br /> A feasible solution is to limit the value of max_read for virtio-fs, so<br /> the length passed to kmalloc() will be limited. However it will affect<br /> the maximal read size for normal read. And for virtio-fs write initiated<br /> from kernel, it has the similar problem but now there is no way to limit<br /> fc-&gt;max_write in kernel.<br /> <br /> So instead of limiting both the values of max_read and max_write in<br /> kernel, introducing use_pages_for_kvec_io in fuse_conn and setting it as<br /> true in virtiofs. When use_pages_for_kvec_io is enabled, fuse will use<br /> pages instead of pointer to pass the KVEC_IO data.<br /> <br /> After switching to pages for KVEC_IO data, these pages will be used for<br /> DMA through virtio-fs. If these pages are backed by vmalloc(),<br /> {flush|invalidate}_kernel_vmap_range() are necessary to flush or<br /> invalidate the cache before the DMA operation. So add two new fields in<br /> fuse_args_pages to record the base address of vmalloc area and the<br /> condition indicating whether invalidation is needed. Perform the flush<br /> in fuse_get_user_pages() for write operations and the invalidation in<br /> fuse_release_user_pages() for read operations.<br /> <br /> It may seem necessary to introduce another fie<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: usb: lan78xx: Fix double free issue with interrupt buffer allocation<br /> <br /> In lan78xx_probe(), the buffer `buf` was being freed twice: once<br /> implicitly through `usb_free_urb(dev-&gt;urb_intr)` with the<br /> `URB_FREE_BUFFER` flag and again explicitly by `kfree(buf)`. This caused<br /> a double free issue.<br /> <br /> To resolve this, reordered `kmalloc()` and `usb_alloc_urb()` calls to<br /> simplify the initialization sequence and removed the redundant<br /> `kfree(buf)`. Now, `buf` is allocated after `usb_alloc_urb()`, ensuring<br /> it is correctly managed by `usb_fill_int_urb()` and freed by<br /> `usb_free_urb()` as intended.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vfio/pci: Properly hide first-in-list PCIe extended capability<br /> <br /> There are cases where a PCIe extended capability should be hidden from<br /> the user. For example, an unknown capability (i.e., capability with ID<br /> greater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally<br /> chosen to be hidden from the user.<br /> <br /> Hiding a capability is done by virtualizing and modifying the &amp;#39;Next<br /> Capability Offset&amp;#39; field of the previous capability so it points to the<br /> capability after the one that should be hidden.<br /> <br /> The special case where the first capability in the list should be hidden<br /> is handled differently because there is no previous capability that can<br /> be modified. In this case, the capability ID and version are zeroed<br /> while leaving the next pointer intact. This hides the capability and<br /> leaves an anchor for the rest of the capability list.<br /> <br /> However, today, hiding the first capability in the list is not done<br /> properly if the capability is unknown, as struct<br /> vfio_pci_core_device-&gt;pci_config_map is set to the capability ID during<br /> initialization but the capability ID is not properly checked later when<br /> used in vfio_config_do_rw(). This leads to the following warning [1] and<br /> to an out-of-bounds access to ecap_perms array.<br /> <br /> Fix it by checking cap_id in vfio_config_do_rw(), and if it is greater<br /> than PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct<br /> read only access instead of the ecap_perms array.<br /> <br /> Note that this is safe since the above is the only case where cap_id can<br /> exceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which<br /> are already checked before).<br /> <br /> [1]<br /> <br /> WARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]<br /> CPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1<br /> (snip)<br /> Call Trace:<br /> <br /> ? show_regs+0x69/0x80<br /> ? __warn+0x8d/0x140<br /> ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]<br /> ? report_bug+0x18f/0x1a0<br /> ? handle_bug+0x63/0xa0<br /> ? exc_invalid_op+0x19/0x70<br /> ? asm_exc_invalid_op+0x1b/0x20<br /> ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]<br /> ? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core]<br /> vfio_pci_rw+0x101/0x1b0 [vfio_pci_core]<br /> vfio_pci_core_read+0x1d/0x30 [vfio_pci_core]<br /> vfio_device_fops_read+0x27/0x40 [vfio]<br /> vfs_read+0xbd/0x340<br /> ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio]<br /> ? __rseq_handle_notify_resume+0xa4/0x4b0<br /> __x64_sys_pread64+0x96/0xc0<br /> x64_sys_call+0x1c3d/0x20d0<br /> do_syscall_64+0x4d/0x120<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> svcrdma: fix miss destroy percpu_counter in svc_rdma_proc_init()<br /> <br /> There&amp;#39;s issue as follows:<br /> RPC: Registered rdma transport module.<br /> RPC: Registered rdma backchannel transport module.<br /> RPC: Unregistered rdma transport module.<br /> RPC: Unregistered rdma backchannel transport module.<br /> BUG: unable to handle page fault for address: fffffbfff80c609a<br /> PGD 123fee067 P4D 123fee067 PUD 123fea067 PMD 10c624067 PTE 0<br /> Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI<br /> RIP: 0010:percpu_counter_destroy_many+0xf7/0x2a0<br /> Call Trace:<br /> <br /> __die+0x1f/0x70<br /> page_fault_oops+0x2cd/0x860<br /> spurious_kernel_fault+0x36/0x450<br /> do_kern_addr_fault+0xca/0x100<br /> exc_page_fault+0x128/0x150<br /> asm_exc_page_fault+0x26/0x30<br /> percpu_counter_destroy_many+0xf7/0x2a0<br /> mmdrop+0x209/0x350<br /> finish_task_switch.isra.0+0x481/0x840<br /> schedule_tail+0xe/0xd0<br /> ret_from_fork+0x23/0x80<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> <br /> If register_sysctl() return NULL, then svc_rdma_proc_cleanup() will not<br /> destroy the percpu counters which init in svc_rdma_proc_init().<br /> If CONFIG_HOTPLUG_CPU is enabled, residual nodes may be in the<br /> &amp;#39;percpu_counters&amp;#39; list. The above issue may occur once the module is<br /> removed. If the CONFIG_HOTPLUG_CPU configuration is not enabled, memory<br /> leakage occurs.<br /> To solve above issue just destroy all percpu counters when<br /> register_sysctl() return NULL.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFSD: Prevent NULL dereference in nfsd4_process_cb_update()<br /> <br /> @ses is initialized to NULL. If __nfsd4_find_backchannel() finds no<br /> available backchannel session, setup_callback_client() will try to<br /> dereference @ses and segfault.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> phy: realtek: usb: fix NULL deref in rtk_usb3phy_probe<br /> <br /> In rtk_usb3phy_probe() devm_kzalloc() may return NULL<br /> but this returned value is not checked.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> phy: realtek: usb: fix NULL deref in rtk_usb2phy_probe<br /> <br /> In rtk_usb2phy_probe() devm_kzalloc() may return NULL<br /> but this returned value is not checked.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp: Fix use-after-free of nreq in reqsk_timer_handler().<br /> <br /> The cited commit replaced inet_csk_reqsk_queue_drop_and_put() with<br /> __inet_csk_reqsk_queue_drop() and reqsk_put() in reqsk_timer_handler().<br /> <br /> Then, oreq should be passed to reqsk_put() instead of req; otherwise<br /> use-after-free of nreq could happen when reqsk is migrated but the<br /> retry attempt failed (e.g. due to timeout).<br /> <br /> Let&amp;#39;s pass oreq to reqsk_put().