Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> leds: trigger: netdev: Fix kernel panic on interface rename trig notify<br /> <br /> Commit d5e01266e7f5 ("leds: trigger: netdev: add additional specific link<br /> speed mode") in the various changes, reworked the way to set the LINKUP<br /> mode in commit cee4bd16c319 ("leds: trigger: netdev: Recheck<br /> NETDEV_LED_MODE_LINKUP on dev rename") and moved it to a generic function.<br /> <br /> This changed the logic where, in the previous implementation the dev<br /> from the trigger event was used to check if the carrier was ok, but in<br /> the new implementation with the generic function, the dev in<br /> trigger_data is used instead.<br /> <br /> This is problematic and cause a possible kernel panic due to the fact<br /> that the dev in the trigger_data still reference the old one as the<br /> new one (passed from the trigger event) still has to be hold and saved<br /> in the trigger_data struct (done in the NETDEV_REGISTER case).<br /> <br /> On calling of get_device_state(), an invalid net_dev is used and this<br /> cause a kernel panic.<br /> <br /> To handle this correctly, move the call to get_device_state() after the<br /> new net_dev is correctly set in trigger_data (in the NETDEV_REGISTER<br /> case) and correctly parse the new dev.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: Fix a memory leak in nf_tables_updchain<br /> <br /> If nft_netdev_register_hooks() fails, the memory associated with<br /> nft_stats is not freed, causing a memory leak.<br /> <br /> This patch fixes it by moving nft_stats_alloc() down after<br /> nft_netdev_register_hooks() succeeds.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> virtio: packed: fix unmap leak for indirect desc table<br /> <br /> When use_dma_api and premapped are true, then the do_unmap is false.<br /> <br /> Because the do_unmap is false, vring_unmap_extra_packed is not called by<br /> detach_buf_packed.<br /> <br /> if (unlikely(vq-&gt;do_unmap)) {<br /> curr = id;<br /> for (i = 0; i num; i++) {<br /> vring_unmap_extra_packed(vq,<br /> &amp;vq-&gt;packed.desc_extra[curr]);<br /> curr = vq-&gt;packed.desc_extra[curr].next;<br /> }<br /> }<br /> <br /> So the indirect desc table is not unmapped. This causes the unmap leak.<br /> <br /> So here, we check vq-&gt;use_dma_api instead. Synchronously, dma info is<br /> updated based on use_dma_api judgment<br /> <br /> This bug does not occur, because no driver use the premapped with<br /> indirect.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xen/evtchn: avoid WARN() when unbinding an event channel<br /> <br /> When unbinding a user event channel, the related handler might be<br /> called a last time in case the kernel was built with<br /> CONFIG_DEBUG_SHIRQ. This might cause a WARN() in the handler.<br /> <br /> Avoid that by adding an "unbinding" flag to struct user_event which<br /> will short circuit the handler.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal/drivers/mediatek/lvts_thermal: Fix a memory leak in an error handling path<br /> <br /> If devm_krealloc() fails, then &amp;#39;efuse&amp;#39; is leaking.<br /> So free it to avoid a leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ovl: relax WARN_ON in ovl_verify_area()<br /> <br /> syzbot hit an assertion in copy up data loop which looks like it is<br /> the result of a lower file whose size is being changed underneath<br /> overlayfs.<br /> <br /> This type of use case is documented to cause undefined behavior, so<br /> returning EIO error for the copy up makes sense, but it should not be<br /> causing a WARN_ON assertion.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: iwlwifi: mvm: ensure offloading TID queue exists<br /> <br /> The resume code path assumes that the TX queue for the offloading TID<br /> has been configured. At resume time it then tries to sync the write<br /> pointer as it may have been updated by the firmware.<br /> <br /> In the unusual event that no packets have been send on TID 0, the queue<br /> will not have been allocated and this causes a crash. Fix this by<br /> ensuring the queue exist at suspend time.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: do not compare internal table flags on updates<br /> <br /> Restore skipping transaction if table update does not modify flags.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: spi-mt65xx: Fix NULL pointer access in interrupt handler<br /> <br /> The TX buffer in spi_transfer can be a NULL pointer, so the interrupt<br /> handler may end up writing to the invalid memory and cause crashes.<br /> <br /> Add a check to trans-&gt;tx_buf before using it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: fix mmhub client id out-of-bounds access<br /> <br /> Properly handle cid 0x140.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> octeontx2-af: Use separate handlers for interrupts<br /> <br /> For PF to AF interrupt vector and VF to AF vector same<br /> interrupt handler is registered which is causing race condition.<br /> When two interrupts are raised to two CPUs at same time<br /> then two cores serve same event corrupting the data.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt<br /> <br /> The loop inside nfs_netfs_issue_read() currently does not disable<br /> interrupts while iterating through pages in the xarray to submit<br /> for NFS read. This is not safe though since after taking xa_lock,<br /> another page in the mapping could be processed for writeback inside<br /> an interrupt, and deadlock can occur. The fix is simple and clean<br /> if we use xa_for_each_range(), which handles the iteration with RCU<br /> while reducing code complexity.<br /> <br /> The problem is easily reproduced with the following test:<br /> mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs<br /> dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1<br /> echo 3 &gt; /proc/sys/vm/drop_caches<br /> dd if=/mnt/nfs/file1.bin of=/dev/null<br /> umount /mnt/nfs<br /> <br /> On the console with a lockdep-enabled kernel a message similar to<br /> the following will be seen:<br /> <br /> ================================<br /> WARNING: inconsistent lock state<br /> 6.7.0-lockdbg+ #10 Not tainted<br /> --------------------------------<br /> inconsistent {IN-SOFTIRQ-W} -&gt; {SOFTIRQ-ON-W} usage.<br /> test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes:<br /> ffff888127baa598 (&amp;xa-&gt;xa_lock#4){+.?.}-{3:3}, at:<br /> nfs_netfs_issue_read+0x1b2/0x4b0 [nfs]<br /> {IN-SOFTIRQ-W} state was registered at:<br /> lock_acquire+0x144/0x380<br /> _raw_spin_lock_irqsave+0x4e/0xa0<br /> __folio_end_writeback+0x17e/0x5c0<br /> folio_end_writeback+0x93/0x1b0<br /> iomap_finish_ioend+0xeb/0x6a0<br /> blk_update_request+0x204/0x7f0<br /> blk_mq_end_request+0x30/0x1c0<br /> blk_complete_reqs+0x7e/0xa0<br /> __do_softirq+0x113/0x544<br /> __irq_exit_rcu+0xfe/0x120<br /> irq_exit_rcu+0xe/0x20<br /> sysvec_call_function_single+0x6f/0x90<br /> asm_sysvec_call_function_single+0x1a/0x20<br /> pv_native_safe_halt+0xf/0x20<br /> default_idle+0x9/0x20<br /> default_idle_call+0x67/0xa0<br /> do_idle+0x2b5/0x300<br /> cpu_startup_entry+0x34/0x40<br /> start_secondary+0x19d/0x1c0<br /> secondary_startup_64_no_verify+0x18f/0x19b<br /> irq event stamp: 176891<br /> hardirqs last enabled at (176891): []<br /> _raw_spin_unlock_irqrestore+0x44/0x60<br /> hardirqs last disabled at (176890): []<br /> _raw_spin_lock_irqsave+0x79/0xa0<br /> softirqs last enabled at (176646): []<br /> __irq_exit_rcu+0xfe/0x120<br /> softirqs last disabled at (176633): []<br /> __irq_exit_rcu+0xfe/0x120<br /> <br /> other info that might help us debug this:<br /> Possible unsafe locking scenario:<br /> <br /> CPU0<br /> ----<br /> lock(&amp;xa-&gt;xa_lock#4);<br /> <br /> lock(&amp;xa-&gt;xa_lock#4);<br /> <br /> *** DEADLOCK ***<br /> <br /> 2 locks held by test5/1708:<br /> #0: ffff888127baa498 (&amp;sb-&gt;s_type-&gt;i_mutex_key#22){++++}-{4:4}, at:<br /> nfs_start_io_read+0x28/0x90 [nfs]<br /> #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, at:<br /> page_cache_ra_unbounded+0xa4/0x280<br /> <br /> stack backtrace:<br /> CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39<br /> 04/01/2014<br /> Call Trace:<br /> dump_stack_lvl+0x5b/0x90<br /> mark_lock+0xb3f/0xd20<br /> __lock_acquire+0x77b/0x3360<br /> _raw_spin_lock+0x34/0x80<br /> nfs_netfs_issue_read+0x1b2/0x4b0 [nfs]<br /> netfs_begin_read+0x77f/0x980 [netfs]<br /> nfs_netfs_readahead+0x45/0x60 [nfs]<br /> nfs_readahead+0x323/0x5a0 [nfs]<br /> read_pages+0xf3/0x5c0<br /> page_cache_ra_unbounded+0x1c8/0x280<br /> filemap_get_pages+0x38c/0xae0<br /> filemap_read+0x206/0x5e0<br /> nfs_file_read+0xb7/0x140 [nfs]<br /> vfs_read+0x2a9/0x460<br /> ksys_read+0xb7/0x140