Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: define and enforce CEPH_MAX_KEY_LEN<br /> <br /> When decoding the key, verify that the key material would fit into<br /> a fixed-size buffer in process_auth_done() and generally has a sane<br /> length.<br /> <br /> The new CEPH_MAX_KEY_LEN check replaces the existing check for a key<br /> with no key material which is a) not universal since CEPH_CRYPTO_NONE<br /> has to be excluded and b) doesn&amp;#39;t provide much value since a smaller<br /> than needed key is just as invalid as no key -- this has to be handled<br /> elsewhere anyway.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/page_alloc: clear page-&gt;private in free_pages_prepare()<br /> <br /> Several subsystems (slub, shmem, ttm, etc.) use page-&gt;private but don&amp;#39;t<br /> clear it before freeing pages. When these pages are later allocated as<br /> high-order pages and split via split_page(), tail pages retain stale<br /> page-&gt;private values.<br /> <br /> This causes a use-after-free in the swap subsystem. The swap code uses<br /> page-&gt;private to track swap count continuations, assuming freshly<br /> allocated pages have page-&gt;private == 0. When stale values are present,<br /> swap_count_continued() incorrectly assumes the continuation list is valid<br /> and iterates over uninitialized page-&gt;lru containing LIST_POISON values,<br /> causing a crash:<br /> <br /> KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]<br /> RIP: 0010:__do_sys_swapoff+0x1151/0x1860<br /> <br /> Fix this by clearing page-&gt;private in free_pages_prepare(), ensuring all<br /> freed pages have clean state regardless of previous use.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/v3d: Set DMA segment size to avoid debug warnings<br /> <br /> When using V3D rendering with CONFIG_DMA_API_DEBUG enabled, the<br /> kernel occasionally reports a segment size mismatch. This is because<br /> &amp;#39;max_seg_size&amp;#39; is not set. The kernel defaults to 64K. setting<br /> &amp;#39;max_seg_size&amp;#39; to the maximum will prevent &amp;#39;debug_dma_map_sg()&amp;#39;<br /> from complaining about the over-mapping of the V3D segment length.<br /> <br /> DMA-API: v3d 1002000000.v3d: mapping sg segment longer than device<br /> claims to support [len=8290304] [max=65536]<br /> WARNING: CPU: 0 PID: 493 at kernel/dma/debug.c:1179 debug_dma_map_sg+0x330/0x388<br /> CPU: 0 UID: 0 PID: 493 Comm: Xorg Not tainted 6.12.53-yocto-standard #1<br /> Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT)<br /> pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : debug_dma_map_sg+0x330/0x388<br /> lr : debug_dma_map_sg+0x330/0x388<br /> sp : ffff8000829a3ac0<br /> x29: ffff8000829a3ac0 x28: 0000000000000001 x27: ffff8000813fe000<br /> x26: ffffc1ffc0000000 x25: ffff00010fdeb760 x24: 0000000000000000<br /> x23: ffff8000816a9bf0 x22: 0000000000000001 x21: 0000000000000002<br /> x20: 0000000000000002 x19: ffff00010185e810 x18: ffffffffffffffff<br /> x17: 69766564206e6168 x16: 74207265676e6f6c x15: 20746e656d676573<br /> x14: 20677320676e6970 x13: 5d34303334393134 x12: 0000000000000000<br /> x11: 00000000000000c0 x10: 00000000000009c0 x9 : ffff8000800e0b7c<br /> x8 : ffff00010a315ca0 x7 : ffff8000816a5110 x6 : 0000000000000001<br /> x5 : 000000000000002b x4 : 0000000000000002 x3 : 0000000000000008<br /> x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00010a315280<br /> Call trace:<br /> debug_dma_map_sg+0x330/0x388<br /> __dma_map_sg_attrs+0xc0/0x278<br /> dma_map_sgtable+0x30/0x58<br /> drm_gem_shmem_get_pages_sgt+0xb4/0x140<br /> v3d_bo_create_finish+0x28/0x130 [v3d]<br /> v3d_create_bo_ioctl+0x54/0x180 [v3d]<br /> drm_ioctl_kernel+0xc8/0x140<br /> drm_ioctl+0x2d4/0x4d8

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: chips-media: wave5: Fix PM runtime usage count underflow<br /> <br /> Replace pm_runtime_put_sync() with pm_runtime_dont_use_autosuspend() in<br /> the remove path to properly pair with pm_runtime_use_autosuspend() from<br /> probe. This allows pm_runtime_disable() to handle reference count cleanup<br /> correctly regardless of current suspend state.<br /> <br /> The driver calls pm_runtime_put_sync() unconditionally in remove, but the<br /> device may already be suspended due to autosuspend configured in probe.<br /> When autosuspend has already suspended the device, the usage count is 0,<br /> and pm_runtime_put_sync() decrements it to -1.<br /> <br /> This causes the following warning on module unload:<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 1 PID: 963 at kernel/kthread.c:1430<br /> kthread_destroy_worker+0x84/0x98<br /> ...<br /> vdec 30210000.video-codec: Runtime PM usage count underflow!

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/panel: Fix a possible null-pointer dereference in jdi_panel_dsi_remove()<br /> <br /> In jdi_panel_dsi_remove(), jdi is explicitly checked, indicating that it<br /> may be NULL:<br /> <br /> if (!jdi)<br /> mipi_dsi_detach(dsi);<br /> <br /> However, when jdi is NULL, the function does not return and continues by<br /> calling jdi_panel_disable():<br /> <br /> err = jdi_panel_disable(&amp;jdi-&gt;base);<br /> <br /> Inside jdi_panel_disable(), jdi is dereferenced unconditionally, which can<br /> lead to a NULL-pointer dereference:<br /> <br /> struct jdi_panel *jdi = to_panel_jdi(panel);<br /> backlight_disable(jdi-&gt;backlight);<br /> <br /> To prevent such a potential NULL-pointer dereference, return early from<br /> jdi_panel_dsi_remove() when jdi is NULL.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: do not ASSERT() when the fs flips RO inside btrfs_repair_io_failure()<br /> <br /> [BUG]<br /> There is a bug report that when btrfs hits ENOSPC error in a critical<br /> path, btrfs flips RO (this part is expected, although the ENOSPC bug<br /> still needs to be addressed).<br /> <br /> The problem is after the RO flip, if there is a read repair pending, we<br /> can hit the ASSERT() inside btrfs_repair_io_failure() like the following:<br /> <br /> BTRFS info (device vdc): relocating block group 30408704 flags metadata|raid1<br /> ------------[ cut here ]------------<br /> BTRFS: Transaction aborted (error -28)<br /> WARNING: fs/btrfs/extent-tree.c:3235 at __btrfs_free_extent.isra.0+0x453/0xfd0, CPU#1: btrfs/383844<br /> Modules linked in: kvm_intel kvm irqbypass<br /> [...]<br /> ---[ end trace 0000000000000000 ]---<br /> BTRFS info (device vdc state EA): 2 enospc errors during balance<br /> BTRFS info (device vdc state EA): balance: ended with status: -30<br /> BTRFS error (device vdc state EA): parent transid verify failed on logical 30556160 mirror 2 wanted 8 found 6<br /> BTRFS error (device vdc state EA): bdev /dev/nvme0n1 errs: wr 0, rd 0, flush 0, corrupt 10, gen 0<br /> [...]<br /> assertion failed: !(fs_info-&gt;sb-&gt;s_flags &amp; SB_RDONLY) :: 0, in fs/btrfs/bio.c:938<br /> ------------[ cut here ]------------<br /> assertion failed: !(fs_info-&gt;sb-&gt;s_flags &amp; SB_RDONLY) :: 0, in fs/btrfs/bio.c:938<br /> kernel BUG at fs/btrfs/bio.c:938!<br /> Oops: invalid opcode: 0000 [#1] SMP NOPTI<br /> CPU: 0 UID: 0 PID: 868 Comm: kworker/u8:13 Tainted: G W N 6.19.0-rc6+ #4788 PREEMPT(full)<br /> Tainted: [W]=WARN, [N]=TEST<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014<br /> Workqueue: btrfs-endio simple_end_io_work<br /> RIP: 0010:btrfs_repair_io_failure.cold+0xb2/0x120<br /> RSP: 0000:ffffc90001d2bcf0 EFLAGS: 00010246<br /> RAX: 0000000000000051 RBX: 0000000000001000 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: ffffffff8305cf42 RDI: 00000000ffffffff<br /> RBP: 0000000000000002 R08: 00000000fffeffff R09: ffffffff837fa988<br /> R10: ffffffff8327a9e0 R11: 6f69747265737361 R12: ffff88813018d310<br /> R13: ffff888168b8a000 R14: ffffc90001d2bd90 R15: ffff88810a169000<br /> FS: 0000000000000000(0000) GS:ffff8885e752c000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> ------------[ cut here ]------------<br /> <br /> [CAUSE]<br /> The cause of -ENOSPC error during the test case btrfs/124 is still<br /> unknown, although it&amp;#39;s known that we still have cases where metadata can<br /> be over-committed but can not be fulfilled correctly, thus if we hit<br /> such ENOSPC error inside a critical path, we have no choice but abort<br /> the current transaction.<br /> <br /> This will mark the fs read-only.<br /> <br /> The problem is inside the btrfs_repair_io_failure() path that we require<br /> the fs not to be mount read-only. This is normally fine, but if we are<br /> doing a read-repair meanwhile the fs flips RO due to a critical error,<br /> we can enter btrfs_repair_io_failure() with super block set to<br /> read-only, thus triggering the above crash.<br /> <br /> [FIX]<br /> Just replace the ASSERT() with a proper return if the fs is already<br /> read-only.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: nfc: nci: Fix parameter validation for packet data<br /> <br /> Since commit 9c328f54741b ("net: nfc: nci: Add parameter validation for<br /> packet data") communication with nci nfc chips is not working any more.<br /> <br /> The mentioned commit tries to fix access of uninitialized data, but<br /> failed to understand that in some cases the data packet is of variable<br /> length and can therefore not be compared to the maximum packet length<br /> given by the sizeof(struct).

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: uvcvideo: Return queued buffers on start_streaming() failure<br /> <br /> Return buffers if streaming fails to start due to uvc_pm_get() error.<br /> <br /> This bug may be responsible for a warning I got running<br /> <br /> while :; do yavta -c3 /dev/video0; done<br /> <br /> on an xHCI controller which failed under this workload.<br /> I had no luck reproducing this warning again to confirm.<br /> <br /> xhci_hcd 0000:09:00.0: HC died; cleaning up<br /> usb 13-2: USB disconnect, device number 2<br /> WARNING: CPU: 2 PID: 29386 at drivers/media/common/videobuf2/videobuf2-core.c:1803 vb2_start_streaming+0xac/0x120

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net()<br /> <br /> When idtab allocation fails, net is not registered with rio_add_net() yet,<br /> so kfree(net) is sufficient to release the memory. Set mport-&gt;net to NULL<br /> to avoid dangling pointer.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm: renesas: rz-du: mipi_dsi: fix kernel panic when rebooting for some panels<br /> <br /> Since commit 56de5e305d4b ("clk: renesas: r9a07g044: Add MSTOP for RZ/G2L")<br /> we may get the following kernel panic, for some panels, when rebooting:<br /> <br /> systemd-shutdown[1]: Rebooting.<br /> Call trace:<br /> ...<br /> do_serror+0x28/0x68<br /> el1h_64_error_handler+0x34/0x50<br /> el1h_64_error+0x6c/0x70<br /> rzg2l_mipi_dsi_host_transfer+0x114/0x458 (P)<br /> mipi_dsi_device_transfer+0x44/0x58<br /> mipi_dsi_dcs_set_display_off_multi+0x9c/0xc4<br /> ili9881c_unprepare+0x38/0x88<br /> drm_panel_unprepare+0xbc/0x108<br /> <br /> This happens for panels that need to send MIPI-DSI commands in their<br /> unprepare() callback. Since the MIPI-DSI interface is stopped at that<br /> point, rzg2l_mipi_dsi_host_transfer() triggers the kernel panic.<br /> <br /> Fix by moving rzg2l_mipi_dsi_stop() to new callback function<br /> rzg2l_mipi_dsi_atomic_post_disable().<br /> <br /> With this change we now have the correct power-down/stop sequence:<br /> <br /> systemd-shutdown[1]: Rebooting.<br /> rzg2l-mipi-dsi 10850000.dsi: rzg2l_mipi_dsi_atomic_disable(): entry<br /> ili9881c-dsi 10850000.dsi.0: ili9881c_unprepare(): entry<br /> rzg2l-mipi-dsi 10850000.dsi: rzg2l_mipi_dsi_atomic_post_disable(): entry<br /> reboot: Restarting system

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: chips-media: wave5: Fix kthread worker destruction in polling mode<br /> <br /> Fix the cleanup order in polling mode (irq work_list)) and<br /> WARN_ON(!list_empty(&amp;worker-&gt;delayed_work_list)).<br /> <br /> The original code called kthread_destroy_worker() before hrtimer_cancel(),<br /> creating a race condition where the timer could fire during worker<br /> destruction and queue new work, triggering the WARN_ON.<br /> <br /> This causes the following warning on every module unload in polling mode:<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430<br /> kthread_destroy_worker+0x84/0x98<br /> Modules linked in: wave5(-) rpmsg_ctrl rpmsg_char ...<br /> Call trace:<br /> kthread_destroy_worker+0x84/0x98<br /> wave5_vpu_remove+0xc8/0xe0 [wave5]<br /> platform_remove+0x30/0x58<br /> ...<br /> ---[ end trace 0000000000000000 ]---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node<br /> <br /> When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during<br /> vmalloc cleanup triggers expensive stack unwinding that acquires RCU read<br /> locks. Processing a large purge_list without rescheduling can cause the<br /> task to hold CPU for extended periods (10+ seconds), leading to RCU stalls<br /> and potential OOM conditions.<br /> <br /> The issue manifests in purge_vmap_node() -&gt; kasan_release_vmalloc_node()<br /> where iterating through hundreds or thousands of vmap_area entries and<br /> freeing their associated shadow pages causes:<br /> <br /> rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:<br /> rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l<br /> ...<br /> task:kworker/0:17 state:R running task stack:28840 pid:6229<br /> ...<br /> kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299<br /> purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299<br /> <br /> Each call to kasan_release_vmalloc() can free many pages, and with<br /> page_owner tracking, each free triggers save_stack() which performs stack<br /> unwinding under RCU read lock. Without yielding, this creates an<br /> unbounded RCU critical section.<br /> <br /> Add periodic cond_resched() calls within the loop to allow:<br /> - RCU grace periods to complete<br /> - Other tasks to run<br /> - Scheduler to preempt when needed<br /> <br /> The fix uses need_resched() for immediate response under load, with a<br /> batch count of 32 as a guaranteed upper bound to prevent worst-case stalls<br /> even under light load.