Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: Clean up only new IRQ glue on request_irq() failure<br /> <br /> The mlx5_irq_alloc() function can inadvertently free the entire rmap<br /> and end up in a crash[1] when the other threads tries to access this,<br /> when request_irq() fails due to exhausted IRQ vectors. This commit<br /> modifies the cleanup to remove only the specific IRQ mapping that was<br /> just added.<br /> <br /> This prevents removal of other valid mappings and ensures precise<br /> cleanup of the failed IRQ allocation&amp;#39;s associated glue object.<br /> <br /> Note: This error is observed when both fwctl and rds configs are enabled.<br /> <br /> [1]<br /> mlx5_core 0000:05:00.0: Successfully registered panic handler for port 1<br /> mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to<br /> request irq. err = -28<br /> infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while<br /> trying to test write-combining support<br /> mlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1<br /> mlx5_core 0000:06:00.0: Successfully registered panic handler for port 1<br /> mlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to<br /> request irq. err = -28<br /> infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while<br /> trying to test write-combining support<br /> mlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1<br /> mlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to<br /> request irq. err = -28<br /> mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to<br /> request irq. err = -28<br /> general protection fault, probably for non-canonical address<br /> 0xe277a58fde16f291: 0000 [#1] SMP NOPTI<br /> <br /> RIP: 0010:free_irq_cpu_rmap+0x23/0x7d<br /> Call Trace:<br /> <br /> ? show_trace_log_lvl+0x1d6/0x2f9<br /> ? show_trace_log_lvl+0x1d6/0x2f9<br /> ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]<br /> ? __die_body.cold+0x8/0xa<br /> ? die_addr+0x39/0x53<br /> ? exc_general_protection+0x1c4/0x3e9<br /> ? dev_vprintk_emit+0x5f/0x90<br /> ? asm_exc_general_protection+0x22/0x27<br /> ? free_irq_cpu_rmap+0x23/0x7d<br /> mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]<br /> irq_pool_request_vector+0x7d/0x90 [mlx5_core]<br /> mlx5_irq_request+0x2e/0xe0 [mlx5_core]<br /> mlx5_irq_request_vector+0xad/0xf7 [mlx5_core]<br /> comp_irq_request_pci+0x64/0xf0 [mlx5_core]<br /> create_comp_eq+0x71/0x385 [mlx5_core]<br /> ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core]<br /> mlx5_comp_eqn_get+0x72/0x90 [mlx5_core]<br /> ? xas_load+0x8/0x91<br /> mlx5_comp_irqn_get+0x40/0x90 [mlx5_core]<br /> mlx5e_open_channel+0x7d/0x3c7 [mlx5_core]<br /> mlx5e_open_channels+0xad/0x250 [mlx5_core]<br /> mlx5e_open_locked+0x3e/0x110 [mlx5_core]<br /> mlx5e_open+0x23/0x70 [mlx5_core]<br /> __dev_open+0xf1/0x1a5<br /> __dev_change_flags+0x1e1/0x249<br /> dev_change_flags+0x21/0x5c<br /> do_setlink+0x28b/0xcc4<br /> ? __nla_parse+0x22/0x3d<br /> ? inet6_validate_link_af+0x6b/0x108<br /> ? cpumask_next+0x1f/0x35<br /> ? __snmp6_fill_stats64.constprop.0+0x66/0x107<br /> ? __nla_validate_parse+0x48/0x1e6<br /> __rtnl_newlink+0x5ff/0xa57<br /> ? kmem_cache_alloc_trace+0x164/0x2ce<br /> rtnl_newlink+0x44/0x6e<br /> rtnetlink_rcv_msg+0x2bb/0x362<br /> ? __netlink_sendskb+0x4c/0x6c<br /> ? netlink_unicast+0x28f/0x2ce<br /> ? rtnl_calcit.isra.0+0x150/0x146<br /> netlink_rcv_skb+0x5f/0x112<br /> netlink_unicast+0x213/0x2ce<br /> netlink_sendmsg+0x24f/0x4d9<br /> __sock_sendmsg+0x65/0x6a<br /> ____sys_sendmsg+0x28f/0x2c9<br /> ? import_iovec+0x17/0x2b<br /> ___sys_sendmsg+0x97/0xe0<br /> __sys_sendmsg+0x81/0xd8<br /> do_syscall_64+0x35/0x87<br /> entry_SYSCALL_64_after_hwframe+0x6e/0x0<br /> RIP: 0033:0x7fc328603727<br /> Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed<br /> ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 3d 00<br /> f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48<br /> RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e<br /> RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727<br /> RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d<br /> RBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000<br /> R13: 00000000000<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> devlink: rate: Unset parent pointer in devl_rate_nodes_destroy<br /> <br /> The function devl_rate_nodes_destroy is documented to "Unset parent for<br /> all rate objects". However, it was only calling the driver-specific<br /> `rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing<br /> the parent&amp;#39;s refcount, without actually setting the<br /> `devlink_rate-&gt;parent` pointer to NULL.<br /> <br /> This leaves a dangling pointer in the `devlink_rate` struct, which cause<br /> refcount error in netdevsim[1] and mlx5[2]. In addition, this is<br /> inconsistent with the behavior of `devlink_nl_rate_parent_node_set`,<br /> where the parent pointer is correctly cleared.<br /> <br /> This patch fixes the issue by explicitly setting `devlink_rate-&gt;parent`<br /> to NULL after notifying the driver, thus fulfilling the function&amp;#39;s<br /> documented behavior for all rate objects.<br /> <br /> [1]<br /> repro steps:<br /> echo 1 &gt; /sys/bus/netdevsim/new_device<br /> devlink dev eswitch set netdevsim/netdevsim1 mode switchdev<br /> echo 1 &gt; /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs<br /> devlink port function rate add netdevsim/netdevsim1/test_node<br /> devlink port function rate set netdevsim/netdevsim1/128 parent test_node<br /> echo 1 &gt; /sys/bus/netdevsim/del_device<br /> <br /> dmesg:<br /> refcount_t: decrement hit 0; leaking memory.<br /> WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0<br /> CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:refcount_warn_saturate+0x42/0xe0<br /> Call Trace:<br /> <br /> devl_rate_leaf_destroy+0x8d/0x90<br /> __nsim_dev_port_del+0x6c/0x70 [netdevsim]<br /> nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]<br /> nsim_drv_remove+0x2b/0xb0 [netdevsim]<br /> device_release_driver_internal+0x194/0x1f0<br /> bus_remove_device+0xc6/0x130<br /> device_del+0x159/0x3c0<br /> device_unregister+0x1a/0x60<br /> del_device_store+0x111/0x170 [netdevsim]<br /> kernfs_fop_write_iter+0x12e/0x1e0<br /> vfs_write+0x215/0x3d0<br /> ksys_write+0x5f/0xd0<br /> do_syscall_64+0x55/0x10f0<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53<br /> <br /> [2]<br /> devlink dev eswitch set pci/0000:08:00.0 mode switchdev<br /> devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000<br /> devlink port function rate add pci/0000:08:00.0/group1<br /> devlink port function rate set pci/0000:08:00.0/32768 parent group1<br /> modprobe -r mlx5_ib mlx5_fwctl mlx5_core<br /> <br /> dmesg:<br /> refcount_t: decrement hit 0; leaking memory.<br /> WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0<br /> CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:refcount_warn_saturate+0x42/0xe0<br /> Call Trace:<br /> <br /> devl_rate_leaf_destroy+0x8d/0x90<br /> mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]<br /> mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]<br /> mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]<br /> mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]<br /> notifier_call_chain+0x33/0xa0<br /> blocking_notifier_call_chain+0x3b/0x50<br /> mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]<br /> mlx5_eswitch_disable+0x63/0x90 [mlx5_core]<br /> mlx5_unload+0x1d/0x170 [mlx5_core]<br /> mlx5_uninit_one+0xa2/0x130 [mlx5_core]<br /> remove_one+0x78/0xd0 [mlx5_core]<br /> pci_device_remove+0x39/0xa0<br /> device_release_driver_internal+0x194/0x1f0<br /> unbind_store+0x99/0xa0<br /> kernfs_fop_write_iter+0x12e/0x1e0<br /> vfs_write+0x215/0x3d0<br /> ksys_write+0x5f/0xd0<br /> do_syscall_64+0x53/0x1f0<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()<br /> <br /> The loops in &amp;#39;qede_tpa_cont()&amp;#39; and &amp;#39;qede_tpa_end()&amp;#39;, iterate<br /> over &amp;#39;cqe-&gt;len_list[]&amp;#39; using only a zero-length terminator as<br /> the stopping condition. If the terminator was missing or<br /> malformed, the loop could run past the end of the fixed-size array.<br /> <br /> Add an explicit bound check using ARRAY_SIZE() in both loops to prevent<br /> a potential out-of-bounds access.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> s390/ctcm: Fix double-kfree<br /> <br /> The function &amp;#39;mpc_rcvd_sweep_req(mpcginfo)&amp;#39; is called conditionally<br /> from function &amp;#39;ctcmpc_unpack_skb&amp;#39;. It frees passed mpcginfo.<br /> After that a call to function &amp;#39;kfree&amp;#39; in function &amp;#39;ctcmpc_unpack_skb&amp;#39;<br /> frees it again.<br /> <br /> Remove &amp;#39;kfree&amp;#39; call in function &amp;#39;mpc_rcvd_sweep_req(mpcginfo)&amp;#39;.<br /> <br /> Bug detected by the clang static analyzer.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sctp: avoid NULL dereference when chunk data buffer is missing<br /> <br /> chunk-&gt;skb pointer is dereferenced in the if-block where it&amp;#39;s supposed<br /> to be NULL only.<br /> <br /> chunk-&gt;skb can only be NULL if chunk-&gt;head_skb is not. Check for frag_list<br /> instead and do it just before replacing chunk-&gt;skb. We&amp;#39;re sure that<br /> otherwise chunk-&gt;skb is non-NULL because of outer if() condition.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> erofs: fix crafted invalid cases for encoded extents<br /> <br /> Robert recently reported two corrupted images that can cause system<br /> crashes, which are related to the new encoded extents introduced<br /> in Linux 6.15:<br /> <br /> - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but<br /> (plen &amp; Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent<br /> special extents such as sparse extents (!EROFS_MAP_MAPPED), but<br /> previously only plen == 0 was handled;<br /> <br /> - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,<br /> then "cur [0xfffffffffffff000] += bvec.bv_len [0x1000]" in<br /> "} while ((cur += bvec.bv_len) compressed_bvecs[] in<br /> z_erofs_submit_queue(). EROFS only supports 48-bit physical block<br /> addresses (up to 1EiB for 4k blocks), so add a sanity check to<br /> enforce this.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gfs2: Fix unlikely race in gdlm_put_lock<br /> <br /> In gdlm_put_lock(), there is a small window of time in which the<br /> DFL_UNMOUNT flag has been set but the lockspace hasn&amp;#39;t been released,<br /> yet. In that window, dlm may still call gdlm_ast() and gdlm_bast().<br /> To prevent it from dereferencing freed glock objects, only free the<br /> glock if the lockspace has actually been released.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()<br /> <br /> The syzbot reported issue in hfs_find_set_zero_bits():<br /> <br /> =====================================================<br /> BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45<br /> hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45<br /> hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151<br /> hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408<br /> hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353<br /> __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151<br /> block_write_begin fs/buffer.c:2262 [inline]<br /> cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601<br /> hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52<br /> cont_expand_zero fs/buffer.c:2528 [inline]<br /> cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591<br /> hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52<br /> hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494<br /> hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654<br /> notify_change+0x1993/0x1aa0 fs/attr.c:552<br /> do_truncate+0x28f/0x310 fs/open.c:68<br /> do_ftruncate+0x698/0x730 fs/open.c:195<br /> do_sys_ftruncate fs/open.c:210 [inline]<br /> __do_sys_ftruncate fs/open.c:215 [inline]<br /> __se_sys_ftruncate fs/open.c:213 [inline]<br /> __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213<br /> x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Uninit was created at:<br /> slab_post_alloc_hook mm/slub.c:4154 [inline]<br /> slab_alloc_node mm/slub.c:4197 [inline]<br /> __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354<br /> kmalloc_noprof include/linux/slab.h:905 [inline]<br /> hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175<br /> hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337<br /> get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681<br /> get_tree_bdev+0x38/0x50 fs/super.c:1704<br /> hfs_get_tree+0x35/0x40 fs/hfs/super.c:388<br /> vfs_get_tree+0xb0/0x5c0 fs/super.c:1804<br /> do_new_mount+0x738/0x1610 fs/namespace.c:3902<br /> path_mount+0x6db/0x1e90 fs/namespace.c:4226<br /> do_mount fs/namespace.c:4239 [inline]<br /> __do_sys_mount fs/namespace.c:4450 [inline]<br /> __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427<br /> __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427<br /> x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025<br /> =====================================================<br /> <br /> The HFS_SB(sb)-&gt;bitmap buffer is allocated in hfs_mdb_get():<br /> <br /> HFS_SB(sb)-&gt;bitmap = kmalloc(8192, GFP_KERNEL);<br /> <br /> Finally, it can trigger the reported issue because kmalloc()<br /> doesn&amp;#39;t clear the allocated memory. If allocated memory contains<br /> only zeros, then everything will work pretty fine.<br /> But if the allocated memory contains the "garbage", then<br /> it can affect the bitmap operations and it triggers<br /> the reported issue.<br /> <br /> This patch simply exchanges the kmalloc() on kzalloc()<br /> with the goal to guarantee the correctness of bitmap operations.<br /> Because, newly created allocation bitmap should have all<br /> available blocks free. Potentially, initialization bitmap&amp;#39;s read<br /> operation could not fill the whole allocated memory and<br /> "garbage" in the not initialized memory will be the reason of<br /> volume coruptions and file system driver bugs.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()<br /> <br /> The syzbot reported issue in __hfsplus_ext_cache_extent():<br /> <br /> [ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990<br /> [ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990<br /> [ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0<br /> [ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0<br /> [ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0<br /> [ 70.196959][ T9350] cont_write_begin+0x1000/0x1950<br /> [ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130<br /> [ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060<br /> [ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460<br /> [ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0<br /> [ 70.199393][ T9350] vfs_write+0xb0f/0x14e0<br /> [ 70.199771][ T9350] ksys_write+0x23e/0x490<br /> [ 70.200149][ T9350] __x64_sys_write+0x97/0xf0<br /> [ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0<br /> [ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0<br /> [ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> [ 70.202054][ T9350]<br /> [ 70.202279][ T9350] Uninit was created at:<br /> [ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80<br /> [ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0<br /> [ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0<br /> [ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0<br /> [ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0<br /> [ 70.205074][ T9350] cont_write_begin+0x1000/0x1950<br /> [ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130<br /> [ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060<br /> [ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460<br /> [ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0<br /> [ 70.207552][ T9350] vfs_write+0xb0f/0x14e0<br /> [ 70.207961][ T9350] ksys_write+0x23e/0x490<br /> [ 70.208375][ T9350] __x64_sys_write+0x97/0xf0<br /> [ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0<br /> [ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0<br /> [ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> [ 70.210230][ T9350]<br /> [ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5<br /> [ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> [ 70.212115][ T9350] =====================================================<br /> [ 70.212734][ T9350] Disabling lock debugging due to kernel taint<br /> [ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...<br /> [ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5<br /> [ 70.214679][ T9350] Tainted: [B]=BAD_PAGE<br /> [ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> [ 70.215999][ T9350] Call Trace:<br /> [ 70.216309][ T9350] <br /> [ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0<br /> [ 70.217025][ T9350] dump_stack+0x1e/0x30<br /> [ 70.217421][ T9350] panic+0x502/0xca0<br /> [ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0<br /> <br /> [ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...<br /> kernel<br /> :[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0<br /> set ...<br /> [ 70.221254][ T9350] ? __msan_warning+0x96/0x120<br /> [ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990<br /> [ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0<br /> [ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0<br /> [ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0<br /> [ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950<br /> [ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130<br /> [ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060<br /> [ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460<br /> [ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0<br /> [ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0<br /> [ 70.228997][ T9350] ? ksys_write+0x23e/0x490<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nios2: ensure that memblock.current_limit is set when setting pfn limits<br /> <br /> On nios2, with CONFIG_FLATMEM set, the kernel relies on<br /> memblock_get_current_limit() to determine the limits of mem_map, in<br /> particular for max_low_pfn.<br /> Unfortunately, memblock.current_limit is only default initialized to<br /> MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading<br /> to situations where max_low_pfn can erroneously exceed the value of<br /> max_pfn and, thus, the valid range of available DRAM.<br /> <br /> This can in turn cause kernel-level paging failures, e.g.:<br /> <br /> [ 76.900000] Unable to handle kernel paging request at virtual address 20303000<br /> [ 76.900000] ea = c0080890, ra = c000462c, cause = 14<br /> [ 76.900000] Kernel panic - not syncing: Oops<br /> [ 76.900000] ---[ end Kernel panic - not syncing: Oops ]---<br /> <br /> This patch fixes this by pre-calculating memblock.current_limit<br /> based on the upper limits of the available memory ranges via<br /> adjust_lowmem_bounds, a simplified version of the equivalent<br /> implementation within the arm architecture.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfs: fix out of bounds memory read error in symlink repair<br /> <br /> xfs/286 produced this report on my test fleet:<br /> <br /> ==================================================================<br /> BUG: KFENCE: out-of-bounds read in memcpy_orig+0x54/0x110<br /> <br /> Out-of-bounds read at 0xffff88843fe9e038 (184B right of kfence-#184):<br /> memcpy_orig+0x54/0x110<br /> xrep_symlink_salvage_inline+0xb3/0xf0 [xfs]<br /> xrep_symlink_salvage+0x100/0x110 [xfs]<br /> xrep_symlink+0x2e/0x80 [xfs]<br /> xrep_attempt+0x61/0x1f0 [xfs]<br /> xfs_scrub_metadata+0x34f/0x5c0 [xfs]<br /> xfs_ioc_scrubv_metadata+0x387/0x560 [xfs]<br /> xfs_file_ioctl+0xe23/0x10e0 [xfs]<br /> __x64_sys_ioctl+0x76/0xc0<br /> do_syscall_64+0x4e/0x1e0<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53<br /> <br /> kfence-#184: 0xffff88843fe9df80-0xffff88843fe9dfea, size=107, cache=kmalloc-128<br /> <br /> allocated by task 3470 on cpu 1 at 263329.131592s (192823.508886s ago):<br /> xfs_init_local_fork+0x79/0xe0 [xfs]<br /> xfs_iformat_local+0xa4/0x170 [xfs]<br /> xfs_iformat_data_fork+0x148/0x180 [xfs]<br /> xfs_inode_from_disk+0x2cd/0x480 [xfs]<br /> xfs_iget+0x450/0xd60 [xfs]<br /> xfs_bulkstat_one_int+0x6b/0x510 [xfs]<br /> xfs_bulkstat_iwalk+0x1e/0x30 [xfs]<br /> xfs_iwalk_ag_recs+0xdf/0x150 [xfs]<br /> xfs_iwalk_run_callbacks+0xb9/0x190 [xfs]<br /> xfs_iwalk_ag+0x1dc/0x2f0 [xfs]<br /> xfs_iwalk_args.constprop.0+0x6a/0x120 [xfs]<br /> xfs_iwalk+0xa4/0xd0 [xfs]<br /> xfs_bulkstat+0xfa/0x170 [xfs]<br /> xfs_ioc_fsbulkstat.isra.0+0x13a/0x230 [xfs]<br /> xfs_file_ioctl+0xbf2/0x10e0 [xfs]<br /> __x64_sys_ioctl+0x76/0xc0<br /> do_syscall_64+0x4e/0x1e0<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53<br /> <br /> CPU: 1 UID: 0 PID: 1300113 Comm: xfs_scrub Not tainted 6.18.0-rc4-djwx #rc4 PREEMPT(lazy) 3d744dd94e92690f00a04398d2bd8631dcef1954<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-4.module+el8.8.0+21164+ed375313 04/01/2014<br /> ==================================================================<br /> <br /> On further analysis, I realized that the second parameter to min() is<br /> not correct. xfs_ifork::if_bytes is the size of the xfs_ifork::if_data<br /> buffer. if_bytes can be smaller than the data fork size because:<br /> <br /> (a) the forkoff code tries to keep the data area as large as possible<br /> (b) for symbolic links, if_bytes is the ondisk file size + 1<br /> (c) forkoff is always a multiple of 8.<br /> <br /> Case in point: for a single-byte symlink target, forkoff will be<br /> 8 but the buffer will only be 2 bytes long.<br /> <br /> In other words, the logic here is wrong and we walk off the end of the<br /> incore buffer. Fix that.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rv: Fully convert enabled_monitors to use list_head as iterator<br /> <br /> The callbacks in enabled_monitors_seq_ops are inconsistent. Some treat the<br /> iterator as struct rv_monitor *, while others treat the iterator as struct<br /> list_head *.<br /> <br /> This causes a wrong type cast and crashes the system as reported by Nathan.<br /> <br /> Convert everything to use struct list_head * as iterator. This also makes<br /> enabled_monitors consistent with available_monitors.