Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sysctl: always initialize i_uid/i_gid<br /> <br /> Always initialize i_uid/i_gid inside the sysfs core so set_ownership()<br /> can safely skip setting them.<br /> <br /> Commit 5ec27ec735ba ("fs/proc/proc_sysctl.c: fix the default values of<br /> i_uid/i_gid on /proc/sys inodes.") added defaults for i_uid/i_gid when<br /> set_ownership() was not implemented. It also missed adjusting<br /> net_ctl_set_ownership() to use the same default values in case the<br /> computation of a better value failed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: venus: fix use after free in vdec_close<br /> <br /> There appears to be a possible use after free with vdec_close().<br /> The firmware will add buffer release work to the work queue through<br /> HFI callbacks as a normal part of decoding. Randomly closing the<br /> decoder device from userspace during normal decoding can incur<br /> a read after free for inst.<br /> <br /> Fix it by cancelling the work in vdec_close.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix extent map use-after-free when adding pages to compressed bio<br /> <br /> At add_ra_bio_pages() we are accessing the extent map to calculate<br /> &amp;#39;add_size&amp;#39; after we dropped our reference on the extent map, resulting<br /> in a use-after-free. Fix this by computing &amp;#39;add_size&amp;#39; before dropping our<br /> extent map reference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> exfat: fix potential deadlock on __exfat_get_dentry_set<br /> <br /> When accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-array<br /> is allocated in __exfat_get_entry_set. The problem is that the bh-array is<br /> allocated with GFP_KERNEL. It does not make sense. In the following cases,<br /> a deadlock for sbi-&gt;s_lock between the two processes may occur.<br /> <br /> CPU0 CPU1<br /> ---- ----<br /> kswapd<br /> balance_pgdat<br /> lock(fs_reclaim)<br /> exfat_iterate<br /> lock(&amp;sbi-&gt;s_lock)<br /> exfat_readdir<br /> exfat_get_uniname_from_ext_entry<br /> exfat_get_dentry_set<br /> __exfat_get_dentry_set<br /> kmalloc_array<br /> ...<br /> lock(fs_reclaim)<br /> ...<br /> evict<br /> exfat_evict_inode<br /> lock(&amp;sbi-&gt;s_lock)<br /> <br /> To fix this, let&amp;#39;s allocate bh-array with GFP_NOFS.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/mglru: fix div-by-zero in vmpressure_calc_level()<br /> <br /> evict_folios() uses a second pass to reclaim folios that have gone through<br /> page writeback and become clean before it finishes the first pass, since<br /> folio_rotate_reclaimable() cannot handle those folios due to the<br /> isolation.<br /> <br /> The second pass tries to avoid potential double counting by deducting<br /> scan_control-&gt;nr_scanned. However, this can result in underflow of<br /> nr_scanned, under a condition where shrink_folio_list() does not increment<br /> nr_scanned, i.e., when folio_trylock() fails.<br /> <br /> The underflow can cause the divisor, i.e., scale=scanned+reclaimed in<br /> vmpressure_calc_level(), to become zero, resulting in the following crash:<br /> <br /> [exception RIP: vmpressure_work_fn+101]<br /> process_one_work at ffffffffa3313f2b<br /> <br /> Since scan_control-&gt;nr_scanned has no established semantics, the potential<br /> double counting has minimal risks. Therefore, fix the problem by not<br /> deducting scan_control-&gt;nr_scanned in evict_folios().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/huge_memory: avoid PMD-size page cache if needed<br /> <br /> xarray can&amp;#39;t support arbitrary page cache size. the largest and supported<br /> page cache size is defined as MAX_PAGECACHE_ORDER by commit 099d90642a71<br /> ("mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray"). However,<br /> it&amp;#39;s possible to have 512MB page cache in the huge memory&amp;#39;s collapsing<br /> path on ARM64 system whose base page size is 64KB. 512MB page cache is<br /> breaking the limitation and a warning is raised when the xarray entry is<br /> split as shown in the following example.<br /> <br /> [root@dhcp-10-26-1-207 ~]# cat /proc/1/smaps | grep KernelPageSize<br /> KernelPageSize: 64 kB<br /> [root@dhcp-10-26-1-207 ~]# cat /tmp/test.c<br /> :<br /> int main(int argc, char **argv)<br /> {<br /> const char *filename = TEST_XFS_FILENAME;<br /> int fd = 0;<br /> void *buf = (void *)-1, *p;<br /> int pgsize = getpagesize();<br /> int ret = 0;<br /> <br /> if (pgsize != 0x10000) {<br /> fprintf(stdout, "System with 64KB base page size is required!\n");<br /> return -EPERM;<br /> }<br /> <br /> system("echo 0 &gt; /sys/devices/virtual/bdi/253:0/read_ahead_kb");<br /> system("echo 1 &gt; /proc/sys/vm/drop_caches");<br /> <br /> /* Open the xfs file */<br /> fd = open(filename, O_RDONLY);<br /> assert(fd &gt; 0);<br /> <br /> /* Create VMA */<br /> buf = mmap(NULL, TEST_MEM_SIZE, PROT_READ, MAP_SHARED, fd, 0);<br /> assert(buf != (void *)-1);<br /> fprintf(stdout, "mapped buffer at 0x%p\n", buf);<br /> <br /> /* Populate VMA */<br /> ret = madvise(buf, TEST_MEM_SIZE, MADV_NOHUGEPAGE);<br /> assert(ret == 0);<br /> ret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_READ);<br /> assert(ret == 0);<br /> <br /> /* Collapse VMA */<br /> ret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);<br /> assert(ret == 0);<br /> ret = madvise(buf, TEST_MEM_SIZE, MADV_COLLAPSE);<br /> if (ret) {<br /> fprintf(stdout, "Error %d to madvise(MADV_COLLAPSE)\n", errno);<br /> goto out;<br /> }<br /> <br /> /* Split xarray entry. Write permission is needed */<br /> munmap(buf, TEST_MEM_SIZE);<br /> buf = (void *)-1;<br /> close(fd);<br /> fd = open(filename, O_RDWR);<br /> assert(fd &gt; 0);<br /> fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,<br /> TEST_MEM_SIZE - pgsize, pgsize);<br /> out:<br /> if (buf != (void *)-1)<br /> munmap(buf, TEST_MEM_SIZE);<br /> if (fd &gt; 0)<br /> close(fd);<br /> <br /> return ret;<br /> }<br /> <br /> [root@dhcp-10-26-1-207 ~]# gcc /tmp/test.c -o /tmp/test<br /> [root@dhcp-10-26-1-207 ~]# /tmp/test<br /> ------------[ cut here ]------------<br /> WARNING: CPU: 25 PID: 7560 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128<br /> Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \<br /> nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \<br /> nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \<br /> ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse \<br /> xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 virtio_net \<br /> sha1_ce net_failover virtio_blk virtio_console failover dimlib virtio_mmio<br /> CPU: 25 PID: 7560 Comm: test Kdump: loaded Not tainted 6.10.0-rc7-gavin+ #9<br /> Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024<br /> pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)<br /> pc : xas_split_alloc+0xf8/0x128<br /> lr : split_huge_page_to_list_to_order+0x1c4/0x780<br /> sp : ffff8000ac32f660<br /> x29: ffff8000ac32f660 x28: ffff0000e0969eb0 x27: ffff8000ac32f6c0<br /> x26: 0000000000000c40 x25: ffff0000e0969eb0 x24: 000000000000000d<br /> x23: ffff8000ac32f6c0 x22: ffffffdfc0700000 x21: 0000000000000000<br /> x20: 0000000000000000 x19: ffffffdfc0700000 x18: 0000000000000000<br /> x17: 0000000000000000 x16: ffffd5f3708ffc70 x15: 0000000000000000<br /> x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000<br /> x11: ffffffffffffffc0 x10: 0000000000000040 x9 : ffffd5f3708e692c<br /> x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff0000e0969eb8<br /> x5 : ffffd5f37289e378 x4 : 0000000000000000 x3 : 0000000000000c40<br /> x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000<br /> Call trace:<br /> xas_split_alloc+0xf8/0x128<br /> split_huge_page_to_list_to_order+0x1c4/0x780<br /> truncate_inode_partial_folio+0xdc/0x160<br /> truncate_inode_pages_range+0x1b4/0x4a8<br /> truncate_pagecache_range+0x84/0xa<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> landlock: Don&amp;#39;t lose track of restrictions on cred_transfer<br /> <br /> When a process&amp;#39; cred struct is replaced, this _almost_ always invokes<br /> the cred_prepare LSM hook; but in one special case (when<br /> KEYCTL_SESSION_TO_PARENT updates the parent&amp;#39;s credentials), the<br /> cred_transfer LSM hook is used instead. Landlock only implements the<br /> cred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes<br /> all information on Landlock restrictions to be lost.<br /> <br /> This basically means that a process with the ability to use the fork()<br /> and keyctl() syscalls can get rid of all Landlock restrictions on<br /> itself.<br /> <br /> Fix it by adding a cred_transfer hook that does the same thing as the<br /> existing cred_prepare hook. (Implemented by having hook_cred_prepare()<br /> call hook_cred_transfer() so that the two functions are less likely to<br /> accidentally diverge in the future.)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()<br /> <br /> When mtk-cmdq unbinds, a WARN_ON message with condition<br /> pm_runtime_get_sync()

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> s390/dasd: fix error checks in dasd_copy_pair_store()<br /> <br /> dasd_add_busid() can return an error via ERR_PTR() if an allocation<br /> fails. However, two callsites in dasd_copy_pair_store() do not check<br /> the result, potentially resulting in a NULL pointer dereference. Fix<br /> this by checking the result with IS_ERR() and returning the error up<br /> the stack.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: flow_dissector: use DEBUG_NET_WARN_ON_ONCE<br /> <br /> The following splat is easy to reproduce upstream as well as in -stable<br /> kernels. Florian Westphal provided the following commit:<br /> <br /> d1dab4f71d37 ("net: add and use __skb_get_hash_symmetric_net")<br /> <br /> but this complementary fix has been also suggested by Willem de Bruijn<br /> and it can be easily backported to -stable kernel which consists in<br /> using DEBUG_NET_WARN_ON_ONCE instead to silence the following splat<br /> given __skb_get_hash() is used by the nftables tracing infrastructure to<br /> to identify packets in traces.<br /> <br /> [69133.561393] ------------[ cut here ]------------<br /> [69133.561404] WARNING: CPU: 0 PID: 43576 at net/core/flow_dissector.c:1104 __skb_flow_dissect+0x134f/<br /> [...]<br /> [69133.561944] CPU: 0 PID: 43576 Comm: socat Not tainted 6.10.0-rc7+ #379<br /> [69133.561959] RIP: 0010:__skb_flow_dissect+0x134f/0x2ad0<br /> [69133.561970] Code: 83 f9 04 0f 84 b3 00 00 00 45 85 c9 0f 84 aa 00 00 00 41 83 f9 02 0f 84 81 fc ff<br /> ff 44 0f b7 b4 24 80 00 00 00 e9 8b f9 ff ff 0b e9 20 f3 ff ff 41 f6 c6 20 0f 84 e4 ef ff ff 48 8d 7b 12 e8<br /> [69133.561979] RSP: 0018:ffffc90000006fc0 EFLAGS: 00010246<br /> [69133.561988] RAX: 0000000000000000 RBX: ffffffff82f33e20 RCX: ffffffff81ab7e19<br /> [69133.561994] RDX: dffffc0000000000 RSI: ffffc90000007388 RDI: ffff888103a1b418<br /> [69133.562001] RBP: ffffc90000007310 R08: 0000000000000000 R09: 0000000000000000<br /> [69133.562007] R10: ffffc90000007388 R11: ffffffff810cface R12: ffff888103a1b400<br /> [69133.562013] R13: 0000000000000000 R14: ffffffff82f33e2a R15: ffffffff82f33e28<br /> [69133.562020] FS: 00007f40f7131740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000<br /> [69133.562027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [69133.562033] CR2: 00007f40f7346ee0 CR3: 000000015d200001 CR4: 00000000001706f0<br /> [69133.562040] Call Trace:<br /> [69133.562044] <br /> [69133.562049] ? __warn+0x9f/0x1a0<br /> [ 1211.841384] ? __skb_flow_dissect+0x107e/0x2860<br /> [...]<br /> [ 1211.841496] ? bpf_flow_dissect+0x160/0x160<br /> [ 1211.841753] __skb_get_hash+0x97/0x280<br /> [ 1211.841765] ? __skb_get_hash_symmetric+0x230/0x230<br /> [ 1211.841776] ? mod_find+0xbf/0xe0<br /> [ 1211.841786] ? get_stack_info_noinstr+0x12/0xe0<br /> [ 1211.841798] ? bpf_ksym_find+0x56/0xe0<br /> [ 1211.841807] ? __rcu_read_unlock+0x2a/0x70<br /> [ 1211.841819] nft_trace_init+0x1b9/0x1c0 [nf_tables]<br /> [ 1211.841895] ? nft_trace_notify+0x830/0x830 [nf_tables]<br /> [ 1211.841964] ? get_stack_info+0x2b/0x80<br /> [ 1211.841975] ? nft_do_chain_arp+0x80/0x80 [nf_tables]<br /> [ 1211.842044] nft_do_chain+0x79c/0x850 [nf_tables]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipvs: properly dereference pe in ip_vs_add_service<br /> <br /> Use pe directly to resolve sparse warning:<br /> <br /> net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nilfs2: handle inconsistent state in nilfs_btnode_create_block()<br /> <br /> Syzbot reported that a buffer state inconsistency was detected in<br /> nilfs_btnode_create_block(), triggering a kernel bug.<br /> <br /> It is not appropriate to treat this inconsistency as a bug; it can occur<br /> if the argument block address (the buffer index of the newly created<br /> block) is a virtual block number and has been reallocated due to<br /> corruption of the bitmap used to manage its allocation state.<br /> <br /> So, modify nilfs_btnode_create_block() and its callers to treat it as a<br /> possible filesystem error, rather than triggering a kernel bug.