Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock<br /> <br /> The parent function ext4_xattr_inode_lookup_create already uses GFP_NOFS for memory alloction, so the function ext4_xattr_inode_cache_find should use same gfp_flag.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ceph: fix multifs mds auth caps issue<br /> <br /> The mds auth caps check should also validate the<br /> fsname along with the associated caps. Not doing<br /> so would result in applying the mds auth caps of<br /> one fs on to the other fs in a multifs ceph cluster.<br /> The bug causes multiple issues w.r.t user<br /> authentication, following is one such example.<br /> <br /> Steps to Reproduce (on vstart cluster):<br /> 1. Create two file systems in a cluster, say &amp;#39;fsname1&amp;#39; and &amp;#39;fsname2&amp;#39;<br /> 2. Authorize read only permission to the user &amp;#39;client.usr&amp;#39; on fs &amp;#39;fsname1&amp;#39;<br /> $ceph fs authorize fsname1 client.usr / r<br /> 3. Authorize read and write permission to the same user &amp;#39;client.usr&amp;#39; on fs &amp;#39;fsname2&amp;#39;<br /> $ceph fs authorize fsname2 client.usr / rw<br /> 4. Update the keyring<br /> $ceph auth get client.usr &gt;&gt; ./keyring<br /> <br /> With above permssions for the user &amp;#39;client.usr&amp;#39;, following is the<br /> expectation.<br /> a. The &amp;#39;client.usr&amp;#39; should be able to only read the contents<br /> and not allowed to create or delete files on file system &amp;#39;fsname1&amp;#39;.<br /> b. The &amp;#39;client.usr&amp;#39; should be able to read/write on file system &amp;#39;fsname2&amp;#39;.<br /> <br /> But, with this bug, the &amp;#39;client.usr&amp;#39; is allowed to read/write on file<br /> system &amp;#39;fsname1&amp;#39;. See below.<br /> <br /> 5. Mount the file system &amp;#39;fsname1&amp;#39; with the user &amp;#39;client.usr&amp;#39;<br /> $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/<br /> 6. Try creating a file on file system &amp;#39;fsname1&amp;#39; with user &amp;#39;client.usr&amp;#39;. This<br /> should fail but passes with this bug.<br /> $touch /kmnt_fsname1_usr/file1<br /> 7. Mount the file system &amp;#39;fsname1&amp;#39; with the user &amp;#39;client.admin&amp;#39; and create a<br /> file.<br /> $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin<br /> $echo "data" &gt; /kmnt_fsname1_admin/admin_file1<br /> 8. Try removing an existing file on file system &amp;#39;fsname1&amp;#39; with the user<br /> &amp;#39;client.usr&amp;#39;. This shoudn&amp;#39;t succeed but succeeds with the bug.<br /> $rm -f /kmnt_fsname1_usr/admin_file1<br /> <br /> For more information, please take a look at the corresponding mds/fuse patch<br /> and tests added by looking into the tracker mentioned below.<br /> <br /> v2: Fix a possible null dereference in doutc<br /> v3: Don&amp;#39;t store fsname from mdsmap, validate against<br /> ceph_mount_options&amp;#39;s fsname and use it<br /> v4: Code refactor, better warning message and<br /> fix possible compiler warning<br /> <br /> [ Slava.Dubeyko: "fsname check failed" -&gt; "fsname mismatch" ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ipv6: fix field-spanning memcpy warning in AH output<br /> <br /> Fix field-spanning memcpy warnings in ah6_output() and<br /> ah6_output_done() where extension headers are copied to/from IPv6<br /> address fields, triggering fortify-string warnings about writes beyond<br /> the 16-byte address fields.<br /> <br /> memcpy: detected field-spanning write (size 40) of single field "&amp;top_iph-&gt;saddr" at net/ipv6/ah6.c:439 (size 16)<br /> WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439<br /> <br /> The warnings are false positives as the extension headers are<br /> intentionally placed after the IPv6 header in memory. Fix by properly<br /> copying addresses and extension headers separately, and introduce<br /> helper functions to avoid code duplication.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gpiolib: fix invalid pointer access in debugfs<br /> <br /> If the memory allocation in gpiolib_seq_start() fails, the s-&gt;private<br /> field remains uninitialized and is later dereferenced without checking<br /> in gpiolib_seq_stop(). Initialize s-&gt;private to NULL before calling<br /> kzalloc() and check it before dereferencing it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> jfs: fix uninitialized waitqueue in transaction manager<br /> <br /> The transaction manager initialization in txInit() was not properly<br /> initializing TxBlock[0].waitor waitqueue, causing a crash when<br /> txEnd(0) is called on read-only filesystems.<br /> <br /> When a filesystem is mounted read-only, txBegin() returns tid=0 to<br /> indicate no transaction. However, txEnd(0) still gets called and<br /> tries to access TxBlock[0].waitor via tid_to_tblock(0), but this<br /> waitqueue was never initialized because the initialization loop<br /> started at index 1 instead of 0.<br /> <br /> This causes a &amp;#39;non-static key&amp;#39; lockdep warning and system crash:<br /> INFO: trying to register non-static key in txEnd<br /> <br /> Fix by ensuring all transaction blocks including TxBlock[0] have<br /> their waitqueues properly initialized during txInit().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netpoll: Fix deadlock in memory allocation under spinlock<br /> <br /> Fix a AA deadlock in refill_skbs() where memory allocation while holding<br /> skb_pool-&gt;lock can trigger a recursive lock acquisition attempt.<br /> <br /> The deadlock scenario occurs when the system is under severe memory<br /> pressure:<br /> <br /> 1. refill_skbs() acquires skb_pool-&gt;lock (spinlock)<br /> 2. alloc_skb() is called while holding the lock<br /> 3. Memory allocator fails and calls slab_out_of_memory()<br /> 4. This triggers printk() for the OOM warning<br /> 5. The console output path calls netpoll_send_udp()<br /> 6. netpoll_send_udp() attempts to acquire the same skb_pool-&gt;lock<br /> 7. Deadlock: the lock is already held by the same CPU<br /> <br /> Call stack:<br /> refill_skbs()<br /> spin_lock_irqsave(&amp;skb_pool-&gt;lock) lock)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/radeon: Do not kfree() devres managed rdev<br /> <br /> Since the allocation of the drivers main structure was changed to<br /> devm_drm_dev_alloc() rdev is managed by devres and we shouldn&amp;#39;t be calling<br /> kfree() on it.<br /> <br /> This fixes things exploding if the driver probe fails and devres cleans up<br /> the rdev after we already free&amp;#39;d it.<br /> <br /> (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/fpu: Ensure XFD state on signal delivery<br /> <br /> Sean reported [1] the following splat when running KVM tests:<br /> <br /> WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70<br /> Call Trace:<br /> <br /> fpu__clear_user_states+0x9c/0x100<br /> arch_do_signal_or_restart+0x142/0x210<br /> exit_to_user_mode_loop+0x55/0x100<br /> do_syscall_64+0x205/0x2c0<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53<br /> <br /> Chao further identified [2] a reproducible scenario involving signal<br /> delivery: a non-AMX task is preempted by an AMX-enabled task which<br /> modifies the XFD MSR.<br /> <br /> When the non-AMX task resumes and reloads XSTATE with init values,<br /> a warning is triggered due to a mismatch between fpstate::xfd and the<br /> CPU&amp;#39;s current XFD state. fpu__clear_user_states() does not currently<br /> re-synchronize the XFD state after such preemption.<br /> <br /> Invoke xfd_update_state() which detects and corrects the mismatch if<br /> there is a dynamic feature.<br /> <br /> This also benefits the sigreturn path, as fpu__restore_sig() may call<br /> fpu__clear_user_states() when the sigframe is inaccessible.<br /> <br /> [ dhansen: minor changelog munging ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> platform/mellanox: mlxbf-pmc: add sysfs_attr_init() to count_clock init<br /> <br /> The lock-related debug logic (CONFIG_LOCK_STAT) in the kernel is noting<br /> the following warning when the BlueField-3 SOC is booted:<br /> <br /> BUG: key ffff00008a3402a8 has not been registered!<br /> ------------[ cut here ]------------<br /> DEBUG_LOCKS_WARN_ON(1)<br /> WARNING: CPU: 4 PID: 592 at kernel/locking/lockdep.c:4801 lockdep_init_map_type+0x1d4/0x2a0<br /> <br /> Call trace:<br /> lockdep_init_map_type+0x1d4/0x2a0<br /> __kernfs_create_file+0x84/0x140<br /> sysfs_add_file_mode_ns+0xcc/0x1cc<br /> internal_create_group+0x110/0x3d4<br /> internal_create_groups.part.0+0x54/0xcc<br /> sysfs_create_groups+0x24/0x40<br /> device_add+0x6e8/0x93c<br /> device_register+0x28/0x40<br /> __hwmon_device_register+0x4b0/0x8a0<br /> devm_hwmon_device_register_with_groups+0x7c/0xe0<br /> mlxbf_pmc_probe+0x1e8/0x3e0 [mlxbf_pmc]<br /> platform_probe+0x70/0x110<br /> <br /> The mlxbf_pmc driver must call sysfs_attr_init() during the<br /> initialization of the "count_clock" data structure to avoid<br /> this warning.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm64: mte: Do not warn if the page is already tagged in copy_highpage()<br /> <br /> The arm64 copy_highpage() assumes that the destination page is newly<br /> allocated and not MTE-tagged (PG_mte_tagged unset) and warns<br /> accordingly. However, following commit 060913999d7a ("mm: migrate:<br /> support poisoned recover from migrate folio"), folio_mc_copy() is called<br /> before __folio_migrate_mapping(). If the latter fails (-EAGAIN), the<br /> copy will be done again to the same destination page. Since<br /> copy_highpage() already set the PG_mte_tagged flag, this second copy<br /> will warn.<br /> <br /> Replace the WARN_ON_ONCE(page already tagged) in the arm64<br /> copy_highpage() with a comment.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: increase max link count and fix link-&gt;enc NULL pointer access<br /> <br /> [why]<br /> 1.) dc-&gt;links[MAX_LINKS] array size smaller than actual requested.<br /> max_connector + max_dpia + 4 virtual = 14.<br /> increase from 12 to 14.<br /> <br /> 2.) hw_init() access null LINK_ENC for dpia non display_endpoint.<br /> <br /> (cherry picked from commit d7f5a61e1b04ed87b008c8d327649d184dc5bb45)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sysfs: check visibility before changing group attribute ownership<br /> <br /> Since commit 0c17270f9b92 ("net: sysfs: Implement is_visible for<br /> phys_(port_id, port_name, switch_id)"), __dev_change_net_namespace() can<br /> hit WARN_ON() when trying to change owner of a file that isn&amp;#39;t visible.<br /> See the trace below:<br /> <br /> WARNING: CPU: 6 PID: 2938 at net/core/dev.c:12410 __dev_change_net_namespace+0xb89/0xc30<br /> CPU: 6 UID: 0 PID: 2938 Comm: incusd Not tainted 6.17.1-1-mainline #1 PREEMPT(full) 4b783b4a638669fb644857f484487d17cb45ed1f<br /> Hardware name: Framework Laptop 13 (AMD Ryzen 7040Series)/FRANMDCP07, BIOS 03.07 02/19/2025<br /> RIP: 0010:__dev_change_net_namespace+0xb89/0xc30<br /> [...]<br /> Call Trace:<br /> <br /> ? if6_seq_show+0x30/0x50<br /> do_setlink.isra.0+0xc7/0x1270<br /> ? __nla_validate_parse+0x5c/0xcc0<br /> ? security_capable+0x94/0x1a0<br /> rtnl_newlink+0x858/0xc20<br /> ? update_curr+0x8e/0x1c0<br /> ? update_entity_lag+0x71/0x80<br /> ? sched_balance_newidle+0x358/0x450<br /> ? psi_task_switch+0x113/0x2a0<br /> ? __pfx_rtnl_newlink+0x10/0x10<br /> rtnetlink_rcv_msg+0x346/0x3e0<br /> ? sched_clock+0x10/0x30<br /> ? __pfx_rtnetlink_rcv_msg+0x10/0x10<br /> netlink_rcv_skb+0x59/0x110<br /> netlink_unicast+0x285/0x3c0<br /> ? __alloc_skb+0xdb/0x1a0<br /> netlink_sendmsg+0x20d/0x430<br /> ____sys_sendmsg+0x39f/0x3d0<br /> ? import_iovec+0x2f/0x40<br /> ___sys_sendmsg+0x99/0xe0<br /> __sys_sendmsg+0x8a/0xf0<br /> do_syscall_64+0x81/0x970<br /> ? __sys_bind+0xe3/0x110<br /> ? syscall_exit_work+0x143/0x1b0<br /> ? do_syscall_64+0x244/0x970<br /> ? sock_alloc_file+0x63/0xc0<br /> ? syscall_exit_work+0x143/0x1b0<br /> ? do_syscall_64+0x244/0x970<br /> ? alloc_fd+0x12e/0x190<br /> ? put_unused_fd+0x2a/0x70<br /> ? do_sys_openat2+0xa2/0xe0<br /> ? syscall_exit_work+0x143/0x1b0<br /> ? do_syscall_64+0x244/0x970<br /> ? exc_page_fault+0x7e/0x1a0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [...]<br /> <br /> <br /> Fix this by checking is_visible() before trying to touch the attribute.