Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sch_htb: fix refcount leak in htb_parent_to_leaf_offload<br /> <br /> The commit ae81feb7338c ("sch_htb: fix null pointer dereference<br /> on a null new_q") fixes a NULL pointer dereference bug, but it<br /> is not correct.<br /> <br /> Because htb_graft_helper properly handles the case when new_q<br /> is NULL, and after the previous patch by skipping this call<br /> which creates an inconsistency : dev_queue-&gt;qdisc will still<br /> point to the old qdisc, but cl-&gt;parent-&gt;leaf.q will point to<br /> the new one (which will be noop_qdisc, because new_q was NULL).<br /> The code is based on an assumption that these two pointers are<br /> the same, so it can lead to refcount leaks.<br /> <br /> The correct fix is to add a NULL pointer check to protect<br /> qdisc_refcount_inc inside htb_parent_to_leaf_offload.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions<br /> <br /> Reported by syzbot:<br /> HEAD commit: 90c911ad Merge tag &amp;#39;fixes&amp;#39; of git://git.kernel.org/pub/scm..<br /> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master<br /> dashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7<br /> compiler: Debian clang version 11.0.1-2<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-out-of-bounds in fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]<br /> BUG: KASAN: slab-out-of-bounds in fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732<br /> Read of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760<br /> <br /> CPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:79 [inline]<br /> dump_stack+0x202/0x31e lib/dump_stack.c:120<br /> print_address_description+0x5f/0x3b0 mm/kasan/report.c:232<br /> __kasan_report mm/kasan/report.c:399 [inline]<br /> kasan_report+0x15c/0x200 mm/kasan/report.c:416<br /> fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]<br /> fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732<br /> fib6_nh_release+0x9a/0x430 net/ipv6/route.c:3536<br /> fib6_info_destroy_rcu+0xcb/0x1c0 net/ipv6/ip6_fib.c:174<br /> rcu_do_batch kernel/rcu/tree.c:2559 [inline]<br /> rcu_core+0x8f6/0x1450 kernel/rcu/tree.c:2794<br /> __do_softirq+0x372/0x7a6 kernel/softirq.c:345<br /> invoke_softirq kernel/softirq.c:221 [inline]<br /> __irq_exit_rcu+0x22c/0x260 kernel/softirq.c:422<br /> irq_exit_rcu+0x5/0x20 kernel/softirq.c:434<br /> sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100<br /> <br /> asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632<br /> RIP: 0010:lock_acquire+0x1f6/0x720 kernel/locking/lockdep.c:5515<br /> Code: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d<br /> RSP: 0018:ffffc90009e06560 EFLAGS: 00000206<br /> RAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br /> RBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1<br /> R10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000<br /> R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4<br /> rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:267<br /> rcu_read_lock include/linux/rcupdate.h:656 [inline]<br /> ext4_get_group_info+0xea/0x340 fs/ext4/ext4.h:3231<br /> ext4_mb_prefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212<br /> ext4_mb_regular_allocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379<br /> ext4_mb_new_blocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982<br /> ext4_ext_map_blocks+0x2be3/0x7210 fs/ext4/extents.c:4238<br /> ext4_map_blocks+0xab3/0x1cb0 fs/ext4/inode.c:638<br /> ext4_getblk+0x187/0x6c0 fs/ext4/inode.c:848<br /> ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:900<br /> ext4_append+0x1a4/0x360 fs/ext4/namei.c:67<br /> ext4_init_new_dir+0x337/0xa10 fs/ext4/namei.c:2768<br /> ext4_mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814<br /> vfs_mkdir+0x45b/0x640 fs/namei.c:3819<br /> ovl_do_mkdir fs/overlayfs/overlayfs.h:161 [inline]<br /> ovl_mkdir_real+0x53/0x1a0 fs/overlayfs/dir.c:146<br /> ovl_create_real+0x280/0x490 fs/overlayfs/dir.c:193<br /> ovl_workdir_create+0x425/0x600 fs/overlayfs/super.c:788<br /> ovl_make_workdir+0xed/0x1140 fs/overlayfs/super.c:1355<br /> ovl_get_workdir fs/overlayfs/super.c:1492 [inline]<br /> ovl_fill_super+0x39ee/0x5370 fs/overlayfs/super.c:2035<br /> mount_nodev+0x52/0xe0 fs/super.c:1413<br /> legacy_get_tree+0xea/0x180 fs/fs_context.c:592<br /> vfs_get_tree+0x86/0x270 fs/super.c:1497<br /> do_new_mount fs/namespace.c:2903 [inline]<br /> path_mount+0x196f/0x2be0 fs/namespace.c:3233<br /> do_mount fs/namespace.c:3246 [inline]<br /> __do_sys_mount fs/namespace.c:3454 [inline]<br /> __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3431<br /> do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> RIP: 0033:0x4665f9<br /> Code: ff ff c3 66 2e 0f 1f 84 <br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: track AF_XDP ZC enabled queues in bitmap<br /> <br /> Commit c7a219048e45 ("ice: Remove xsk_buff_pool from VSI structure")<br /> silently introduced a regression and broke the Tx side of AF_XDP in copy<br /> mode. xsk_pool on ice_ring is set only based on the existence of the XDP<br /> prog on the VSI which in turn picks ice_clean_tx_irq_zc to be executed.<br /> That is not something that should happen for copy mode as it should use<br /> the regular data path ice_clean_tx_irq.<br /> <br /> This results in a following splat when xdpsock is run in txonly or l2fwd<br /> scenarios in copy mode:<br /> <br /> <br /> [ 106.050195] BUG: kernel NULL pointer dereference, address: 0000000000000030<br /> [ 106.057269] #PF: supervisor read access in kernel mode<br /> [ 106.062493] #PF: error_code(0x0000) - not-present page<br /> [ 106.067709] PGD 0 P4D 0<br /> [ 106.070293] Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> [ 106.074721] CPU: 61 PID: 0 Comm: swapper/61 Not tainted 5.12.0-rc2+ #45<br /> [ 106.081436] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019<br /> [ 106.092027] RIP: 0010:xp_raw_get_dma+0x36/0x50<br /> [ 106.096551] Code: 74 14 48 b8 ff ff ff ff ff ff 00 00 48 21 f0 48 c1 ee 30 48 01 c6 48 8b 87 90 00 00 00 48 89 f2 81 e6 ff 0f 00 00 48 c1 ea 0c 8b 04 d0 48 83 e0 fe 48 01 f0 c3 66 66 2e 0f 1f 84 00 00 00 00<br /> [ 106.115588] RSP: 0018:ffffc9000d694e50 EFLAGS: 00010206<br /> [ 106.120893] RAX: 0000000000000000 RBX: ffff88984b8c8a00 RCX: ffff889852581800<br /> [ 106.128137] RDX: 0000000000000006 RSI: 0000000000000000 RDI: ffff88984cd8b800<br /> [ 106.135383] RBP: ffff888123b50001 R08: ffff889896800000 R09: 0000000000000800<br /> [ 106.142628] R10: 0000000000000000 R11: ffffffff826060c0 R12: 00000000000000ff<br /> [ 106.149872] R13: 0000000000000000 R14: 0000000000000040 R15: ffff888123b50018<br /> [ 106.157117] FS: 0000000000000000(0000) GS:ffff8897e0f40000(0000) knlGS:0000000000000000<br /> [ 106.165332] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 106.171163] CR2: 0000000000000030 CR3: 000000000560a004 CR4: 00000000007706e0<br /> [ 106.178408] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [ 106.185653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [ 106.192898] PKRU: 55555554<br /> [ 106.195653] Call Trace:<br /> [ 106.198143] <br /> [ 106.200196] ice_clean_tx_irq_zc+0x183/0x2a0 [ice]<br /> [ 106.205087] ice_napi_poll+0x3e/0x590 [ice]<br /> [ 106.209356] __napi_poll+0x2a/0x160<br /> [ 106.212911] net_rx_action+0xd6/0x200<br /> [ 106.216634] __do_softirq+0xbf/0x29b<br /> [ 106.220274] irq_exit_rcu+0x88/0xc0<br /> [ 106.223819] common_interrupt+0x7b/0xa0<br /> [ 106.227719] <br /> [ 106.229857] asm_common_interrupt+0x1e/0x40<br /> <br /> <br /> Fix this by introducing the bitmap of queues that are zero-copy enabled,<br /> where each bit, corresponding to a queue id that xsk pool is being<br /> configured on, will be set/cleared within ice_xsk_pool_{en,dis}able and<br /> checked within ice_xsk_pool(). The latter is a function used for<br /> deciding which napi poll routine is executed.<br /> Idea is being taken from our other drivers such as i40e and ixgbe.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks<br /> <br /> Commit 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown")<br /> added an implementation of the locked_down LSM hook to SELinux, with the aim<br /> to restrict which domains are allowed to perform operations that would breach<br /> lockdown. This is indirectly also getting audit subsystem involved to report<br /> events. The latter is problematic, as reported by Ondrej and Serhei, since it<br /> can bring down the whole system via audit:<br /> <br /> 1) The audit events that are triggered due to calls to security_locked_down()<br /> can OOM kill a machine, see below details [0].<br /> <br /> 2) It also seems to be causing a deadlock via avc_has_perm()/slow_avc_audit()<br /> when trying to wake up kauditd, for example, when using trace_sched_switch()<br /> tracepoint, see details in [1]. Triggering this was not via some hypothetical<br /> corner case, but with existing tools like runqlat &amp; runqslower from bcc, for<br /> example, which make use of this tracepoint. Rough call sequence goes like:<br /> <br /> rq_lock(rq) -&gt; -------------------------+<br /> trace_sched_switch() -&gt; |<br /> bpf_prog_xyz() -&gt; +-&gt; deadlock<br /> selinux_lockdown() -&gt; |<br /> audit_log_end() -&gt; |<br /> wake_up_interruptible() -&gt; |<br /> try_to_wake_up() -&gt; |<br /> rq_lock(rq) --------------+<br /> <br /> What&amp;#39;s worse is that the intention of 59438b46471a to further restrict lockdown<br /> settings for specific applications in respect to the global lockdown policy is<br /> completely broken for BPF. The SELinux policy rule for the current lockdown check<br /> looks something like this:<br /> <br /> allow : lockdown { };<br /> <br /> However, this doesn&amp;#39;t match with the &amp;#39;current&amp;#39; task where the security_locked_down()<br /> is executed, example: httpd does a syscall. There is a tracing program attached<br /> to the syscall which triggers a BPF program to run, which ends up doing a<br /> bpf_probe_read_kernel{,_str}() helper call. The selinux_lockdown() hook does<br /> the permission check against &amp;#39;current&amp;#39;, that is, httpd in this example. httpd<br /> has literally zero relation to this tracing program, and it would be nonsensical<br /> having to write an SELinux policy rule against httpd to let the tracing helper<br /> pass. The policy in this case needs to be against the entity that is installing<br /> the BPF program. For example, if bpftrace would generate a histogram of syscall<br /> counts by user space application:<br /> <br /> bpftrace -e &amp;#39;tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }&amp;#39;<br /> <br /> bpftrace would then go and generate a BPF program from this internally. One way<br /> of doing it [for the sake of the example] could be to call bpf_get_current_task()<br /> helper and then access current-&gt;comm via one of bpf_probe_read_kernel{,_str}()<br /> helpers. So the program itself has nothing to do with httpd or any other random<br /> app doing a syscall here. The BPF program _explicitly initiated_ the lockdown<br /> check. The allow/deny policy belongs in the context of bpftrace: meaning, you<br /> want to grant bpftrace access to use these helpers, but other tracers on the<br /> system like my_random_tracer _not_.<br /> <br /> Therefore fix all three issues at the same time by taking a completely different<br /> approach for the security_locked_down() hook, that is, move the check into the<br /> program verification phase where we actually retrieve the BPF func proto. This<br /> also reliably gets the task (current) that is trying to install the BPF tracing<br /> program, e.g. bpftrace/bcc/perf/systemtap/etc, and it also fixes the OOM since<br /> we&amp;#39;re moving this out of the BPF helper&amp;#39;s fast-path which can be called several<br /> millions of times per second.<br /> <br /> The check is then also in line with other security_locked_down() hooks in the<br /> system where the enforcement is performed at open/load time, for example,<br /> open_kcore() for /proc/kcore access or module_sig_check() for module signatures<br /> just to pick f<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nft_ct: skip expectations for confirmed conntrack<br /> <br /> nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed<br /> conntrack entry. However, nf_ct_ext_add() can only be called for<br /> !nf_ct_is_confirmed().<br /> <br /> [ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]<br /> [ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]<br /> [ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00<br /> [ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202<br /> [ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887<br /> [ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440<br /> [ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447<br /> [ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440<br /> [ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20<br /> [ 1825.352240] FS: 00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000<br /> [ 1825.352343] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0<br /> [ 1825.352508] Call Trace:<br /> [ 1825.352544] nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]<br /> [ 1825.352641] nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]<br /> [ 1825.352716] nft_do_chain+0x232/0x850 [nf_tables]<br /> <br /> Add the ct helper extension only for unconfirmed conntrack. Skip rule<br /> evaluation if the ct helper extension does not exist. Thus, you can<br /> only create expectations from the first packet.<br /> <br /> It should be possible to remove this limitation by adding a new action<br /> to attach a generic ct helper to the first packet. Then, use this ct<br /> helper extension from follow up packets to create the ct expectation.<br /> <br /> While at it, add a missing check to skip the template conntrack too<br /> and remove check for IPCT_UNTRACK which is implicit to !ct.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvmet: fix freeing unallocated p2pmem<br /> <br /> In case p2p device was found but the p2p pool is empty, the nvme target<br /> is still trying to free the sgl from the p2p pool instead of the<br /> regular sgl pool and causing a crash (BUG() is called). Instead, assign<br /> the p2p_dev for the request only if it was allocated from p2p pool.<br /> <br /> This is the crash that was caused:<br /> <br /> [Sun May 30 19:13:53 2021] ------------[ cut here ]------------<br /> [Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!<br /> [Sun May 30 19:13:53 2021] invalid opcode: 0000 [#1] SMP PTI<br /> ...<br /> [Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!<br /> ...<br /> [Sun May 30 19:13:53 2021] RIP: 0010:gen_pool_free_owner+0xa8/0xb0<br /> ...<br /> [Sun May 30 19:13:53 2021] Call Trace:<br /> [Sun May 30 19:13:53 2021] ------------[ cut here ]------------<br /> [Sun May 30 19:13:53 2021] pci_free_p2pmem+0x2b/0x70<br /> [Sun May 30 19:13:53 2021] pci_p2pmem_free_sgl+0x4f/0x80<br /> [Sun May 30 19:13:53 2021] nvmet_req_free_sgls+0x1e/0x80 [nvmet]<br /> [Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!<br /> [Sun May 30 19:13:53 2021] nvmet_rdma_release_rsp+0x4e/0x1f0 [nvmet_rdma]<br /> [Sun May 30 19:13:53 2021] nvmet_rdma_send_done+0x1c/0x60 [nvmet_rdma]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/tls: Fix use-after-free after the TLS device goes down and up<br /> <br /> When a netdev with active TLS offload goes down, tls_device_down is<br /> called to stop the offload and tear down the TLS context. However, the<br /> socket stays alive, and it still points to the TLS context, which is now<br /> deallocated. If a netdev goes up, while the connection is still active,<br /> and the data flow resumes after a number of TCP retransmissions, it will<br /> lead to a use-after-free of the TLS context.<br /> <br /> This commit addresses this bug by keeping the context alive until its<br /> normal destruction, and implements the necessary fallbacks, so that the<br /> connection can resume in software (non-offloaded) kTLS mode.<br /> <br /> On the TX side tls_sw_fallback is used to encrypt all packets. The RX<br /> side already has all the necessary fallbacks, because receiving<br /> non-decrypted packets is supported. The thing needed on the RX side is<br /> to block resync requests, which are normally produced after receiving<br /> non-decrypted packets.<br /> <br /> The necessary synchronization is implemented for a graceful teardown:<br /> first the fallbacks are deployed, then the driver resources are released<br /> (it used to be possible to have a tls_dev_resync after tls_dev_del).<br /> <br /> A new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback<br /> mode. It&amp;#39;s used to skip the RX resync logic completely, as it becomes<br /> useless, and some objects may be released (for example, resync_async,<br /> which is allocated and freed by the driver).

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: fix sk_forward_memory corruption on retransmission<br /> <br /> MPTCP sk_forward_memory handling is a bit special, as such field<br /> is protected by the msk socket spin_lock, instead of the plain<br /> socket lock.<br /> <br /> Currently we have a code path updating such field without handling<br /> the relevant lock:<br /> <br /> __mptcp_retrans() -&gt; __mptcp_clean_una_wakeup()<br /> <br /> Several helpers in __mptcp_clean_una_wakeup() will update<br /> sk_forward_alloc, possibly causing such field corruption, as reported<br /> by Matthieu.<br /> <br /> Address the issue providing and using a new variant of blamed function<br /> which explicitly acquires the msk spin lock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: amd_sfh: Fix memory leak in amd_sfh_work<br /> <br /> Kmemleak tool detected a memory leak in the amd_sfh driver.<br /> <br /> ====================<br /> unreferenced object 0xffff88810228ada0 (size 32):<br /> comm "insmod", pid 3968, jiffies 4295056001 (age 775.792s)<br /> hex dump (first 32 bytes):<br /> 00 20 73 1f 81 88 ff ff 00 01 00 00 00 00 ad de . s.............<br /> 22 01 00 00 00 00 ad de 01 00 02 00 00 00 00 00 "...............<br /> backtrace:<br /> [] kmem_cache_alloc_trace+0x163/0x4f0<br /> [] amd_sfh_get_report+0xa4/0x1d0 [amd_sfh]<br /> [] amdtp_hid_request+0x62/0x80 [amd_sfh]<br /> [] sensor_hub_get_feature+0x145/0x270 [hid_sensor_hub]<br /> [] hid_sensor_parse_common_attributes+0x215/0x460 [hid_sensor_iio_common]<br /> [] hid_accel_3d_probe+0xff/0x4a0 [hid_sensor_accel_3d]<br /> [] platform_probe+0x6a/0xd0<br /> [] really_probe+0x192/0x620<br /> [] driver_probe_device+0x14a/0x1d0<br /> [] __device_attach_driver+0xbd/0x110<br /> [] bus_for_each_drv+0xfd/0x160<br /> [] __device_attach+0x18b/0x220<br /> [] device_initial_probe+0x13/0x20<br /> [] bus_probe_device+0xfe/0x120<br /> [] device_add+0x6a6/0xe00<br /> [] platform_device_add+0x180/0x380<br /> ====================<br /> <br /> The fix is to freeing request_list entry once the processed entry is<br /> removed from the request_list.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> efi/fdt: fix panic when no valid fdt found<br /> <br /> setup_arch() would invoke efi_init()-&gt;efi_get_fdt_params(). If no<br /> valid fdt found then initial_boot_params will be null. So we<br /> should stop further fdt processing here. I encountered this<br /> issue on risc-v.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mt76: mt7921: fix possible AOOB issue in mt7921_mcu_tx_rate_report<br /> <br /> Fix possible array out of bound access in mt7921_mcu_tx_rate_report.<br /> Remove unnecessary varibable in mt7921_mcu_tx_rate_report

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> neighbour: allow NUD_NOARP entries to be forced GCed<br /> <br /> IFF_POINTOPOINT interfaces use NUD_NOARP entries for IPv6. It&amp;#39;s possible to<br /> fill up the neighbour table with enough entries that it will overflow for<br /> valid connections after that.<br /> <br /> This behaviour is more prevalent after commit 58956317c8de ("neighbor:<br /> Improve garbage collection") is applied, as it prevents removal from<br /> entries that are not NUD_FAILED, unless they are more than 5s old.