Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c<br /> <br /> Fix potential dereferencing of ERR_PTR() in find_format_by_pix()<br /> and uvc_v4l2_enum_format().<br /> <br /> Fix the following smatch errors:<br /> <br /> drivers/usb/gadget/function/uvc_v4l2.c:124 find_format_by_pix()<br /> error: &amp;#39;fmtdesc&amp;#39; dereferencing possible ERR_PTR()<br /> <br /> drivers/usb/gadget/function/uvc_v4l2.c:392 uvc_v4l2_enum_format()<br /> error: &amp;#39;fmtdesc&amp;#39; dereferencing possible ERR_PTR()<br /> <br /> Also, fix similar issue in uvc_v4l2_try_format() for potential<br /> dereferencing of ERR_PTR().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: tipd: Free IRQ only if it was requested before<br /> <br /> In polling mode, if no IRQ was requested there is no need to free it.<br /> Call devm_free_irq() only if client-&gt;irq is set. This fixes the warning<br /> caused by the tps6598x module removal:<br /> <br /> WARNING: CPU: 2 PID: 333 at kernel/irq/devres.c:144 devm_free_irq+0x80/0x8c<br /> ...<br /> ...<br /> Call trace:<br /> devm_free_irq+0x80/0x8c<br /> tps6598x_remove+0x28/0x88 [tps6598x]<br /> i2c_device_remove+0x2c/0x9c<br /> device_remove+0x4c/0x80<br /> device_release_driver_internal+0x1cc/0x228<br /> driver_detach+0x50/0x98<br /> bus_remove_driver+0x6c/0xbc<br /> driver_unregister+0x30/0x60<br /> i2c_del_driver+0x54/0x64<br /> tps6598x_i2c_driver_exit+0x18/0xc3c [tps6598x]<br /> __arm64_sys_delete_module+0x184/0x264<br /> invoke_syscall+0x48/0x110<br /> el0_svc_common.constprop.0+0xc8/0xe8<br /> do_el0_svc+0x20/0x2c<br /> el0_svc+0x28/0x98<br /> el0t_64_sync_handler+0x13c/0x158<br /> el0t_64_sync+0x190/0x194

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> serial: protect uart_port_dtr_rts() in uart_shutdown() too<br /> <br /> Commit af224ca2df29 (serial: core: Prevent unsafe uart port access, part<br /> 3) added few uport == NULL checks. It added one to uart_shutdown(), so<br /> the commit assumes, uport can be NULL in there. But right after that<br /> protection, there is an unprotected "uart_port_dtr_rts(uport, false);"<br /> call. That is invoked only if HUPCL is set, so I assume that is the<br /> reason why we do not see lots of these reports.<br /> <br /> Or it cannot be NULL at this point at all for some reason :P.<br /> <br /> Until the above is investigated, stay on the safe side and move this<br /> dereference to the if too.<br /> <br /> I got this inconsistency from Coverity under CID 1585130. Thanks.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal: core: Free tzp copy along with the thermal zone<br /> <br /> The object pointed to by tz-&gt;tzp may still be accessed after being<br /> freed in thermal_zone_device_unregister(), so move the freeing of it<br /> to the point after the removal completion has been completed at which<br /> it cannot be accessed any more.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal: core: Reference count the zone in thermal_zone_get_by_id()<br /> <br /> There are places in the thermal netlink code where nothing prevents<br /> the thermal zone object from going away while being accessed after it<br /> has been returned by thermal_zone_get_by_id().<br /> <br /> To address this, make thermal_zone_get_by_id() get a reference on the<br /> thermal zone device object to be returned with the help of get_device(),<br /> under thermal_list_lock, and adjust all of its callers to this change<br /> with the help of the cleanup.h infrastructure.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync<br /> <br /> This checks if the ACL connection remains valid as it could be destroyed<br /> while hci_enhanced_setup_sync is pending on cmd_sync leading to the<br /> following trace:<br /> <br /> BUG: KASAN: slab-use-after-free in hci_enhanced_setup_sync+0x91b/0xa60<br /> Read of size 1 at addr ffff888002328ffd by task kworker/u5:2/37<br /> <br /> CPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014<br /> Workqueue: hci0 hci_cmd_sync_work<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x5d/0x80<br /> ? hci_enhanced_setup_sync+0x91b/0xa60<br /> print_report+0x152/0x4c0<br /> ? hci_enhanced_setup_sync+0x91b/0xa60<br /> ? __virt_addr_valid+0x1fa/0x420<br /> ? hci_enhanced_setup_sync+0x91b/0xa60<br /> kasan_report+0xda/0x1b0<br /> ? hci_enhanced_setup_sync+0x91b/0xa60<br /> hci_enhanced_setup_sync+0x91b/0xa60<br /> ? __pfx_hci_enhanced_setup_sync+0x10/0x10<br /> ? __pfx___mutex_lock+0x10/0x10<br /> hci_cmd_sync_work+0x1c2/0x330<br /> process_one_work+0x7d9/0x1360<br /> ? __pfx_lock_acquire+0x10/0x10<br /> ? __pfx_process_one_work+0x10/0x10<br /> ? assign_work+0x167/0x240<br /> worker_thread+0x5b7/0xf60<br /> ? __kthread_parkme+0xac/0x1c0<br /> ? __pfx_worker_thread+0x10/0x10<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0x293/0x360<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x2f/0x70<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> <br /> Allocated by task 34:<br /> kasan_save_stack+0x30/0x50<br /> kasan_save_track+0x14/0x30<br /> __kasan_kmalloc+0x8f/0xa0<br /> __hci_conn_add+0x187/0x17d0<br /> hci_connect_sco+0x2e1/0xb90<br /> sco_sock_connect+0x2a2/0xb80<br /> __sys_connect+0x227/0x2a0<br /> __x64_sys_connect+0x6d/0xb0<br /> do_syscall_64+0x71/0x140<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> Freed by task 37:<br /> kasan_save_stack+0x30/0x50<br /> kasan_save_track+0x14/0x30<br /> kasan_save_free_info+0x3b/0x60<br /> __kasan_slab_free+0x101/0x160<br /> kfree+0xd0/0x250<br /> device_release+0x9a/0x210<br /> kobject_put+0x151/0x280<br /> hci_conn_del+0x448/0xbf0<br /> hci_abort_conn_sync+0x46f/0x980<br /> hci_cmd_sync_work+0x1c2/0x330<br /> process_one_work+0x7d9/0x1360<br /> worker_thread+0x5b7/0xf60<br /> kthread+0x293/0x360<br /> ret_from_fork+0x2f/0x70<br /> ret_from_fork_asm+0x1a/0x30

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/ct: prevent UAF in send_recv()<br /> <br /> Ensure we serialize with completion side to prevent UAF with fence going<br /> out of scope on the stack, since we have no clue if it will fire after<br /> the timeout before we can erase from the xa. Also we have some dependent<br /> loads and stores for which we need the correct ordering, and we lack the<br /> needed barriers. Fix this by grabbing the ct-&gt;lock after the wait, which<br /> is also held by the completion side.<br /> <br /> v2 (Badal):<br /> - Also print done after acquiring the lock and seeing timeout.<br /> <br /> (cherry picked from commit 52789ce35c55ccd30c4b67b9cc5b2af55e0122ea)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/v3d: Stop the active perfmon before being destroyed<br /> <br /> When running `kmscube` with one or more performance monitors enabled<br /> via `GALLIUM_HUD`, the following kernel panic can occur:<br /> <br /> [ 55.008324] Unable to handle kernel paging request at virtual address 00000000052004a4<br /> [ 55.008368] Mem abort info:<br /> [ 55.008377] ESR = 0x0000000096000005<br /> [ 55.008387] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 55.008402] SET = 0, FnV = 0<br /> [ 55.008412] EA = 0, S1PTW = 0<br /> [ 55.008421] FSC = 0x05: level 1 translation fault<br /> [ 55.008434] Data abort info:<br /> [ 55.008442] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000<br /> [ 55.008455] CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> [ 55.008467] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> [ 55.008481] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001046c6000<br /> [ 55.008497] [00000000052004a4] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000<br /> [ 55.008525] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP<br /> [ 55.008542] Modules linked in: rfcomm [...] vc4 v3d snd_soc_hdmi_codec drm_display_helper<br /> gpu_sched drm_shmem_helper cec drm_dma_helper drm_kms_helper i2c_brcmstb<br /> drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight<br /> [ 55.008799] CPU: 2 PID: 166 Comm: v3d_bin Tainted: G C 6.6.47+rpt-rpi-v8 #1 Debian 1:6.6.47-1+rpt1<br /> [ 55.008824] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)<br /> [ 55.008838] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 55.008855] pc : __mutex_lock.constprop.0+0x90/0x608<br /> [ 55.008879] lr : __mutex_lock.constprop.0+0x58/0x608<br /> [ 55.008895] sp : ffffffc080673cf0<br /> [ 55.008904] x29: ffffffc080673cf0 x28: 0000000000000000 x27: ffffff8106188a28<br /> [ 55.008926] x26: ffffff8101e78040 x25: ffffff8101baa6c0 x24: ffffffd9d989f148<br /> [ 55.008947] x23: ffffffda1c2a4008 x22: 0000000000000002 x21: ffffffc080673d38<br /> [ 55.008968] x20: ffffff8101238000 x19: ffffff8104f83188 x18: 0000000000000000<br /> [ 55.008988] x17: 0000000000000000 x16: ffffffda1bd04d18 x15: 00000055bb08bc90<br /> [ 55.009715] x14: 0000000000000000 x13: 0000000000000000 x12: ffffffda1bd4cbb0<br /> [ 55.010433] x11: 00000000fa83b2da x10: 0000000000001a40 x9 : ffffffda1bd04d04<br /> [ 55.011162] x8 : ffffff8102097b80 x7 : 0000000000000000 x6 : 00000000030a5857<br /> [ 55.011880] x5 : 00ffffffffffffff x4 : 0300000005200470 x3 : 0300000005200470<br /> [ 55.012598] x2 : ffffff8101238000 x1 : 0000000000000021 x0 : 0300000005200470<br /> [ 55.013292] Call trace:<br /> [ 55.013959] __mutex_lock.constprop.0+0x90/0x608<br /> [ 55.014646] __mutex_lock_slowpath+0x1c/0x30<br /> [ 55.015317] mutex_lock+0x50/0x68<br /> [ 55.015961] v3d_perfmon_stop+0x40/0xe0 [v3d]<br /> [ 55.016627] v3d_bin_job_run+0x10c/0x2d8 [v3d]<br /> [ 55.017282] drm_sched_main+0x178/0x3f8 [gpu_sched]<br /> [ 55.017921] kthread+0x11c/0x128<br /> [ 55.018554] ret_from_fork+0x10/0x20<br /> [ 55.019168] Code: f9400260 f1001c1f 54001ea9 927df000 (b9403401)<br /> [ 55.019776] ---[ end trace 0000000000000000 ]---<br /> [ 55.020411] note: v3d_bin[166] exited with preempt_count 1<br /> <br /> This issue arises because, upon closing the file descriptor (which happens<br /> when we interrupt `kmscube`), the active performance monitor is not<br /> stopped. Although all perfmons are destroyed in `v3d_perfmon_close_file()`,<br /> the active performance monitor&amp;#39;s pointer (`v3d-&gt;active_perfmon`) is still<br /> retained.<br /> <br /> If `kmscube` is run again, the driver will attempt to stop the active<br /> performance monitor using the stale pointer in `v3d-&gt;active_perfmon`.<br /> However, this pointer is no longer valid because the previous process has<br /> already terminated, and all performance monitors associated with it have<br /> been destroyed and freed.<br /> <br /> To fix this, when the active performance monitor belongs to a given<br /> process, explicitly stop it before destroying and freeing it.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> slip: make slhc_remember() more robust against malicious packets<br /> <br /> syzbot found that slhc_remember() was missing checks against<br /> malicious packets [1].<br /> <br /> slhc_remember() only checked the size of the packet was at least 20,<br /> which is not good enough.<br /> <br /> We need to make sure the packet includes the IPv4 and TCP header<br /> that are supposed to be carried.<br /> <br /> Add iph and th pointers to make the code more readable.<br /> <br /> [1]<br /> <br /> BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666<br /> slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666<br /> ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455<br /> ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]<br /> ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212<br /> ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327<br /> pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379<br /> sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113<br /> __release_sock+0x1da/0x330 net/core/sock.c:3072<br /> release_sock+0x6b/0x250 net/core/sock.c:3626<br /> pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903<br /> sock_sendmsg_nosec net/socket.c:729 [inline]<br /> __sock_sendmsg+0x30f/0x380 net/socket.c:744<br /> ____sys_sendmsg+0x903/0xb60 net/socket.c:2602<br /> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656<br /> __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742<br /> __do_sys_sendmmsg net/socket.c:2771 [inline]<br /> __se_sys_sendmmsg net/socket.c:2768 [inline]<br /> __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768<br /> x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Uninit was created at:<br /> slab_post_alloc_hook mm/slub.c:4091 [inline]<br /> slab_alloc_node mm/slub.c:4134 [inline]<br /> kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186<br /> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587<br /> __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678<br /> alloc_skb include/linux/skbuff.h:1322 [inline]<br /> sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732<br /> pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867<br /> sock_sendmsg_nosec net/socket.c:729 [inline]<br /> __sock_sendmsg+0x30f/0x380 net/socket.c:744<br /> ____sys_sendmsg+0x903/0xb60 net/socket.c:2602<br /> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656<br /> __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742<br /> __do_sys_sendmmsg net/socket.c:2771 [inline]<br /> __se_sys_sendmmsg net/socket.c:2768 [inline]<br /> __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768<br /> x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC<br /> <br /> Eric report a panic on IPPROTO_SMC, and give the facts<br /> that when INET_PROTOSW_ICSK was set, icsk-&gt;icsk_sync_mss must be set too.<br /> <br /> Bug: Unable to handle kernel NULL pointer dereference at virtual address<br /> 0000000000000000<br /> Mem abort info:<br /> ESR = 0x0000000086000005<br /> EC = 0x21: IABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> FSC = 0x05: level 1 translation fault<br /> user pgtable: 4k pages, 48-bit VAs, pgdp=00000001195d1000<br /> [0000000000000000] pgd=0800000109c46003, p4d=0800000109c46003,<br /> pud=0000000000000000<br /> Internal error: Oops: 0000000086000005 [#1] PREEMPT SMP<br /> Modules linked in:<br /> CPU: 1 UID: 0 PID: 8037 Comm: syz.3.265 Not tainted<br /> 6.11.0-rc7-syzkaller-g5f5673607153 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine,<br /> BIOS Google 08/06/2024<br /> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : 0x0<br /> lr : cipso_v4_sock_setattr+0x2a8/0x3c0 net/ipv4/cipso_ipv4.c:1910<br /> sp : ffff80009b887a90<br /> x29: ffff80009b887aa0 x28: ffff80008db94050 x27: 0000000000000000<br /> x26: 1fffe0001aa6f5b3 x25: dfff800000000000 x24: ffff0000db75da00<br /> x23: 0000000000000000 x22: ffff0000d8b78518 x21: 0000000000000000<br /> x20: ffff0000d537ad80 x19: ffff0000d8b78000 x18: 1fffe000366d79ee<br /> x17: ffff8000800614a8 x16: ffff800080569b84 x15: 0000000000000001<br /> x14: 000000008b336894 x13: 00000000cd96feaa x12: 0000000000000003<br /> x11: 0000000000040000 x10: 00000000000020a3 x9 : 1fffe0001b16f0f1<br /> x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f<br /> x5 : 0000000000000040 x4 : 0000000000000001 x3 : 0000000000000000<br /> x2 : 0000000000000002 x1 : 0000000000000000 x0 : ffff0000d8b78000<br /> Call trace:<br /> 0x0<br /> netlbl_sock_setattr+0x2e4/0x338 net/netlabel/netlabel_kapi.c:1000<br /> smack_netlbl_add+0xa4/0x154 security/smack/smack_lsm.c:2593<br /> smack_socket_post_create+0xa8/0x14c security/smack/smack_lsm.c:2973<br /> security_socket_post_create+0x94/0xd4 security/security.c:4425<br /> __sock_create+0x4c8/0x884 net/socket.c:1587<br /> sock_create net/socket.c:1622 [inline]<br /> __sys_socket_create net/socket.c:1659 [inline]<br /> __sys_socket+0x134/0x340 net/socket.c:1706<br /> __do_sys_socket net/socket.c:1720 [inline]<br /> __se_sys_socket net/socket.c:1718 [inline]<br /> __arm64_sys_socket+0x7c/0x94 net/socket.c:1718<br /> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]<br /> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49<br /> el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132<br /> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151<br /> el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712<br /> el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730<br /> el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598<br /> Code: ???????? ???????? ???????? ???????? (????????)<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> This patch add a toy implementation that performs a simple return to<br /> prevent such panic. This is because MSS can be set in sock_create_kern<br /> or smc_setsockopt, similar to how it&amp;#39;s done in AF_SMC. However, for<br /> AF_SMC, there is currently no way to synchronize MSS within<br /> __sys_connect_file. This toy implementation lays the groundwork for us<br /> to support such feature for IPPROTO_SMC in the future.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ppp: fix ppp_async_encode() illegal access<br /> <br /> syzbot reported an issue in ppp_async_encode() [1]<br /> <br /> In this case, pppoe_sendmsg() is called with a zero size.<br /> Then ppp_async_encode() is called with an empty skb.<br /> <br /> BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]<br /> BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675<br /> ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]<br /> ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675<br /> ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634<br /> ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline]<br /> ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304<br /> pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379<br /> sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113<br /> __release_sock+0x1da/0x330 net/core/sock.c:3072<br /> release_sock+0x6b/0x250 net/core/sock.c:3626<br /> pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903<br /> sock_sendmsg_nosec net/socket.c:729 [inline]<br /> __sock_sendmsg+0x30f/0x380 net/socket.c:744<br /> ____sys_sendmsg+0x903/0xb60 net/socket.c:2602<br /> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656<br /> __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742<br /> __do_sys_sendmmsg net/socket.c:2771 [inline]<br /> __se_sys_sendmmsg net/socket.c:2768 [inline]<br /> __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768<br /> x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Uninit was created at:<br /> slab_post_alloc_hook mm/slub.c:4092 [inline]<br /> slab_alloc_node mm/slub.c:4135 [inline]<br /> kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187<br /> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587<br /> __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678<br /> alloc_skb include/linux/skbuff.h:1322 [inline]<br /> sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732<br /> pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867<br /> sock_sendmsg_nosec net/socket.c:729 [inline]<br /> __sock_sendmsg+0x30f/0x380 net/socket.c:744<br /> ____sys_sendmsg+0x903/0xb60 net/socket.c:2602<br /> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656<br /> __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742<br /> __do_sys_sendmmsg net/socket.c:2771 [inline]<br /> __se_sys_sendmmsg net/socket.c:2768 [inline]<br /> __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768<br /> x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> CPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f24c6 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024