Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: teql: Fix double-free in teql_master_xmit<br /> <br /> Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should<br /> be called using the seq_lock to avoid racing with the datapath. Failure<br /> to do so may cause crashes like the following:<br /> <br /> [ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)<br /> [ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318<br /> [ 238.029749][ T318]<br /> [ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)<br /> [ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011<br /> [ 238.029910][ T318] Call Trace:<br /> [ 238.029913][ T318] <br /> [ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122)<br /> [ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)<br /> [ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139)<br /> [ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)<br /> ...<br /> [ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139)<br /> [ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)<br /> [ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139)<br /> [ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231)<br /> [ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))<br /> [ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139)<br /> ...<br /> [ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256)<br /> [ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)<br /> [ 238.030039][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)<br /> ...<br /> [ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034)<br /> [ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)<br /> [ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)<br /> [ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)<br /> [ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)<br /> [ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)<br /> [ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)<br /> [ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)<br /> [ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)<br /> ...<br /> [ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s:<br /> [ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58)<br /> [ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))<br /> [ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369)<br /> [ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)<br /> [ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))<br /> [ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713)<br /> [ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)<br /> [ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997)<br /> [ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)<br /> [ 238.081469][ T318]<br /> [ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s:<br /> [ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58)<br /> [ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))<br /> [ 238.085348][ T318] kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))<br /> [ 238.085900][ T318] __kasan_slab_free (mm/<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> igc: fix page fault in XDP TX timestamps handling<br /> <br /> If an XDP application that requested TX timestamping is shutting down<br /> while the link of the interface in use is still up the following kernel<br /> splat is reported:<br /> <br /> [ 883.803618] [ T1554] BUG: unable to handle page fault for address: ffffcfb6200fd008<br /> ...<br /> [ 883.803650] [ T1554] Call Trace:<br /> [ 883.803652] [ T1554] <br /> [ 883.803654] [ T1554] igc_ptp_tx_tstamp_event+0xdf/0x160 [igc]<br /> [ 883.803660] [ T1554] igc_tsync_interrupt+0x2d5/0x300 [igc]<br /> ...<br /> <br /> During shutdown of the TX ring the xsk_meta pointers are left behind, so<br /> that the IRQ handler is trying to touch them.<br /> <br /> This issue is now being fixed by cleaning up the stale xsk meta data on<br /> TX shutdown. TX timestamps on other queues remain unaffected.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check<br /> <br /> The same bounds-check bug fixed for NDP16 in the previous patch also<br /> exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated<br /> against the total skb length without accounting for ndpoffset, allowing<br /> out-of-bounds reads when the NDP32 is placed near the end of the NTB.<br /> <br /> Add ndpoffset to the nframes bounds check and use struct_size_t() to<br /> express the NDP-plus-DPE-array size more clearly.<br /> <br /> Compile-tested only.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: usb: aqc111: Do not perform PM inside suspend callback<br /> <br /> syzbot reports "task hung in rpm_resume"<br /> <br /> This is caused by aqc111_suspend calling<br /> the PM variant of its write_cmd routine.<br /> <br /> The simplified call trace looks like this:<br /> <br /> rpm_suspend()<br /> usb_suspend_both() - here udev-&gt;dev.power.runtime_status == RPM_SUSPENDING<br /> aqc111_suspend() - called for the usb device interface<br /> aqc111_write32_cmd()<br /> usb_autopm_get_interface()<br /> pm_runtime_resume_and_get()<br /> rpm_resume() - here we call rpm_resume() on our parent<br /> rpm_resume() - Here we wait for a status change that will never happen.<br /> <br /> At this point we block another task which holds<br /> rtnl_lock and locks up the whole networking stack.<br /> <br /> Fix this by replacing the write_cmd calls with their _nopm variants

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check<br /> <br /> cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE<br /> entries fit within the skb. The first check correctly accounts for<br /> ndpoffset:<br /> <br /> if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) &gt; skb_in-&gt;len)<br /> <br /> but the second check omits it:<br /> <br /> if ((sizeof(struct usb_cdc_ncm_ndp16) +<br /> ret * (sizeof(struct usb_cdc_ncm_dpe16))) &gt; skb_in-&gt;len)<br /> <br /> This validates the DPE array size against the total skb length as if<br /> the NDP were at offset 0, rather than at ndpoffset. When the NDP is<br /> placed near the end of the NTB (large wNdpIndex), the DPE entries can<br /> extend past the skb data buffer even though the check passes.<br /> cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating<br /> the DPE array.<br /> <br /> Add ndpoffset to the nframes bounds check and use struct_size_t() to<br /> express the NDP-plus-DPE-array size more clearly.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: add NULL checks for idev in SRv6 paths<br /> <br /> __in6_dev_get() can return NULL when the device has no IPv6 configuration<br /> (e.g. MTU

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure<br /> <br /> ieee80211_tx_prepare_skb() has three error paths, but only two of them<br /> free the skb. The first error path (ieee80211_tx_prepare() returning<br /> TX_DROP) does not free it, while invoke_tx_handlers() failure and the<br /> fragmentation check both do.<br /> <br /> Add kfree_skb() to the first error path so all three are consistent,<br /> and remove the now-redundant frees in callers (ath9k, mt76,<br /> mac80211_hwsim) to avoid double-free.<br /> <br /> Document the skb ownership guarantee in the function&amp;#39;s kdoc.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ACPI: processor: Fix previous acpi_processor_errata_piix4() fix<br /> <br /> After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference<br /> in acpi_processor_errata_piix4()"), device pointers may be dereferenced<br /> after dropping references to the device objects pointed to by them,<br /> which may cause a use-after-free to occur.<br /> <br /> Moreover, debug messages about enabling the errata may be printed<br /> if the errata flags corresponding to them are unset.<br /> <br /> Address all of these issues by moving message printing to the points<br /> in the code where the errata flags are set.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: Fix race condition during IPSec ESN update<br /> <br /> In IPSec full offload mode, the device reports an ESN (Extended<br /> Sequence Number) wrap event to the driver. The driver validates this<br /> event by querying the IPSec ASO and checking that the esn_event_arm<br /> field is 0x0, which indicates an event has occurred. After handling<br /> the event, the driver must re-arm the context by setting esn_event_arm<br /> back to 0x1.<br /> <br /> A race condition exists in this handling path. After validating the<br /> event, the driver calls mlx5_accel_esp_modify_xfrm() to update the<br /> kernel&amp;#39;s xfrm state. This function temporarily releases and<br /> re-acquires the xfrm state lock.<br /> <br /> So, need to acknowledge the event first by setting esn_event_arm to<br /> 0x1. This prevents the driver from reprocessing the same ESN update if<br /> the hardware sends events for other reason. Since the next ESN update<br /> only occurs after nearly 2^31 packets are received, there&amp;#39;s no risk of<br /> missing an update, as it will happen long after this handling has<br /> finished.<br /> <br /> Processing the event twice causes the ESN high-order bits (esn_msb) to<br /> be incremented incorrectly. The driver then programs the hardware with<br /> this invalid ESN state, which leads to anti-replay failures and a<br /> complete halt of IPSec traffic.<br /> <br /> Fix this by re-arming the ESN event immediately after it is validated,<br /> before calling mlx5_accel_esp_modify_xfrm(). This ensures that any<br /> spurious, duplicate events are correctly ignored, closing the race<br /> window.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: Prevent concurrent access to IPSec ASO context<br /> <br /> The query or updating IPSec offload object is through Access ASO WQE.<br /> The driver uses a single mlx5e_ipsec_aso struct for each PF, which<br /> contains a shared DMA-mapped context for all ASO operations.<br /> <br /> A race condition exists because the ASO spinlock is released before<br /> the hardware has finished processing WQE. If a second operation is<br /> initiated immediately after, it overwrites the shared context in the<br /> DMA area.<br /> <br /> When the first operation&amp;#39;s completion is processed later, it reads<br /> this corrupted context, leading to unexpected behavior and incorrect<br /> results.<br /> <br /> This commit fixes the race by introducing a private context within<br /> each IPSec offload object. The shared ASO context is now copied to<br /> this private context while the ASO spinlock is held. Subsequent<br /> processing uses this saved, per-object context, ensuring its integrity<br /> is maintained.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: shaper: protect late read accesses to the hierarchy<br /> <br /> We look up a netdev during prep of Netlink ops (pre- callbacks)<br /> and take a ref to it. Then later in the body of the callback<br /> we take its lock or RCU which are the actual protections.<br /> <br /> This is not proper, a conversion from a ref to a locked netdev<br /> must include a liveness check (a check if the netdev hasn&amp;#39;t been<br /> unregistered already). Fix the read cases (those under RCU).<br /> Writes needs a separate change to protect from creating the<br /> hierarchy after flush has already run.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n<br /> <br /> When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0<br /> (success) without actually creating a socket. Callers such as<br /> fou_create() then proceed to dereference the uninitialized socket<br /> pointer, resulting in a NULL pointer dereference.<br /> <br /> The captured NULL deref crash:<br /> BUG: kernel NULL pointer dereference, address: 0000000000000018<br /> RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)<br /> [...]<br /> Call Trace:<br /> <br /> genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)<br /> genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)<br /> [...]<br /> netlink_rcv_skb (net/netlink/af_netlink.c:2550)<br /> genl_rcv (net/netlink/genetlink.c:1219)<br /> netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)<br /> netlink_sendmsg (net/netlink/af_netlink.c:1894)<br /> __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))<br /> __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))<br /> __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))<br /> do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))<br /> entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)<br /> <br /> This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so<br /> callers correctly take their error paths. There is only one caller of<br /> the vulnerable function and only privileged users can trigger it.