Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: Fix memory leak when build ntlmssp negotiate blob failed<br /> <br /> There is a memory leak when mount cifs:<br /> unreferenced object 0xffff888166059600 (size 448):<br /> comm "mount.cifs", pid 51391, jiffies 4295596373 (age 330.596s)<br /> hex dump (first 32 bytes):<br /> fe 53 4d 42 40 00 00 00 00 00 00 00 01 00 82 00 .SMB@...........<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] mempool_alloc+0xe1/0x260<br /> [] cifs_small_buf_get+0x24/0x60<br /> [] __smb2_plain_req_init+0x32/0x460<br /> [] SMB2_sess_alloc_buffer+0xa4/0x3f0<br /> [] SMB2_sess_auth_rawntlmssp_negotiate+0xf5/0x480<br /> [] SMB2_sess_setup+0x253/0x410<br /> [] cifs_setup_session+0x18f/0x4c0<br /> [] cifs_get_smb_ses+0xae7/0x13c0<br /> [] mount_get_conns+0x7a/0x730<br /> [] cifs_mount+0x103/0xd10<br /> [] cifs_smb3_do_mount+0x1dd/0xc90<br /> [] smb3_get_tree+0x1d5/0x300<br /> [] vfs_get_tree+0x41/0xf0<br /> [] path_mount+0x9b3/0xdd0<br /> [] __x64_sys_mount+0x190/0x1d0<br /> [] do_syscall_64+0x35/0x80<br /> <br /> When build ntlmssp negotiate blob failed, the session setup request<br /> should be freed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: dlm: fix race in lowcomms<br /> <br /> This patch fixes a race between queue_work() in<br /> _dlm_lowcomms_commit_msg() and srcu_read_unlock(). The queue_work() can<br /> take the final reference of a dlm_msg and so msg-&gt;idx can contain<br /> garbage which is signaled by the following warning:<br /> <br /> [ 676.237050] ------------[ cut here ]------------<br /> [ 676.237052] WARNING: CPU: 0 PID: 1060 at include/linux/srcu.h:189 dlm_lowcomms_commit_msg+0x41/0x50<br /> [ 676.238945] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common iTCO_wdt iTCO_vendor_support qxl kvm_intel drm_ttm_helper vmw_vsock_virtio_transport kvm vmw_vsock_virtio_transport_common ttm irqbypass crc32_pclmul joydev crc32c_intel serio_raw drm_kms_helper vsock virtio_scsi virtio_console virtio_balloon snd_pcm drm syscopyarea sysfillrect sysimgblt snd_timer fb_sys_fops i2c_i801 lpc_ich snd i2c_smbus soundcore pcspkr<br /> [ 676.244227] CPU: 0 PID: 1060 Comm: lock_torture_wr Not tainted 5.19.0-rc3+ #1546<br /> [ 676.245216] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014<br /> [ 676.246460] RIP: 0010:dlm_lowcomms_commit_msg+0x41/0x50<br /> [ 676.247132] Code: fe ff ff ff 75 24 48 c7 c6 bd 0f 49 bb 48 c7 c7 38 7c 01 bd e8 00 e7 ca ff 89 de 48 c7 c7 60 78 01 bd e8 42 3d cd ff 5b 5d c3 0b eb d8 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48<br /> [ 676.249253] RSP: 0018:ffffa401c18ffc68 EFLAGS: 00010282<br /> [ 676.249855] RAX: 0000000000000001 RBX: 00000000ffff8b76 RCX: 0000000000000006<br /> [ 676.250713] RDX: 0000000000000000 RSI: ffffffffbccf3a10 RDI: ffffffffbcc7b62e<br /> [ 676.251610] RBP: ffffa401c18ffc70 R08: 0000000000000001 R09: 0000000000000001<br /> [ 676.252481] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000005<br /> [ 676.253421] R13: ffff8b76786ec370 R14: ffff8b76786ec370 R15: ffff8b76786ec480<br /> [ 676.254257] FS: 0000000000000000(0000) GS:ffff8b7777800000(0000) knlGS:0000000000000000<br /> [ 676.255239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 676.255897] CR2: 00005590205d88b8 CR3: 000000017656c003 CR4: 0000000000770ee0<br /> [ 676.256734] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [ 676.257567] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [ 676.258397] PKRU: 55555554<br /> [ 676.258729] Call Trace:<br /> [ 676.259063] <br /> [ 676.259354] dlm_midcomms_commit_mhandle+0xcc/0x110<br /> [ 676.259964] queue_bast+0x8b/0xb0<br /> [ 676.260423] grant_pending_locks+0x166/0x1b0<br /> [ 676.261007] _unlock_lock+0x75/0x90<br /> [ 676.261469] unlock_lock.isra.57+0x62/0xa0<br /> [ 676.262009] dlm_unlock+0x21e/0x330<br /> [ 676.262457] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]<br /> [ 676.263183] torture_unlock+0x5a/0x90 [dlm_locktorture]<br /> [ 676.263815] ? preempt_count_sub+0xba/0x100<br /> [ 676.264361] ? complete+0x1d/0x60<br /> [ 676.264777] lock_torture_writer+0xb8/0x150 [dlm_locktorture]<br /> [ 676.265555] kthread+0x10a/0x130<br /> [ 676.266007] ? kthread_complete_and_exit+0x20/0x20<br /> [ 676.266616] ret_from_fork+0x22/0x30<br /> [ 676.267097] <br /> [ 676.267381] irq event stamp: 9579855<br /> [ 676.267824] hardirqs last enabled at (9579863): [] __up_console_sem+0x58/0x60<br /> [ 676.268896] hardirqs last disabled at (9579872): [] __up_console_sem+0x3d/0x60<br /> [ 676.270008] softirqs last enabled at (9579798): [] __do_softirq+0x349/0x4c7<br /> [ 676.271438] softirqs last disabled at (9579897): [] irq_exit_rcu+0xb0/0xf0<br /> [ 676.272796] ---[ end trace 0000000000000000 ]---<br /> <br /> I reproduced this warning with dlm_locktorture test which is currently<br /> not upstream. However this patch fix the issue by make a additional<br /> refcount between dlm_lowcomms_new_msg() and dlm_lowcomms_commit_msg().<br /> In case of the race the kref_put() in dlm_lowcomms_commit_msg() will be<br /> the final put.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure<br /> <br /> syzbot is reporting NULL pointer dereference at hci_uart_tty_close() [1],<br /> for rcu_sync_enter() is called without rcu_sync_init() due to<br /> hci_uart_tty_open() ignoring percpu_init_rwsem() failure.<br /> <br /> While we are at it, fix that hci_uart_register_device() ignores<br /> percpu_init_rwsem() failure and hci_uart_unregister_device() does not<br /> call percpu_free_rwsem().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/cxgb4: Fix potential null-ptr-deref in pass_establish()<br /> <br /> If get_ep_from_tid() fails to lookup non-NULL value for ep, ep is<br /> dereferenced later regardless of whether it is empty.<br /> This patch adds a simple sanity check to fix the issue.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: ipu-bridge: Fix null pointer deref on SSDB/PLD parsing warnings<br /> <br /> When ipu_bridge_parse_rotation() and ipu_bridge_parse_orientation() run<br /> sensor-&gt;adev is not set yet.<br /> <br /> So if either of the dev_warn() calls about unknown values are hit this<br /> will lead to a NULL pointer deref.<br /> <br /> Set sensor-&gt;adev earlier, with a borrowed ref to avoid making unrolling<br /> on errors harder, to fix this.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nilfs2: do not write dirty data after degenerating to read-only<br /> <br /> According to syzbot&amp;#39;s report, mark_buffer_dirty() called from<br /> nilfs_segctor_do_construct() outputs a warning with some patterns after<br /> nilfs2 detects metadata corruption and degrades to read-only mode.<br /> <br /> After such read-only degeneration, page cache data may be cleared through<br /> nilfs_clear_dirty_page() which may also clear the uptodate flag for their<br /> buffer heads. However, even after the degeneration, log writes are still<br /> performed by unmount processing etc., which causes mark_buffer_dirty() to<br /> be called for buffer heads without the "uptodate" flag and causes the<br /> warning.<br /> <br /> Since any writes should not be done to a read-only file system in the<br /> first place, this fixes the warning in mark_buffer_dirty() by letting<br /> nilfs_segctor_do_construct() abort early if in read-only mode.<br /> <br /> This also changes the retry check of nilfs_segctor_write_out() to avoid<br /> unnecessary log write retries if it detects -EROFS that<br /> nilfs_segctor_do_construct() returned.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> lwt: Fix return values of BPF xmit ops<br /> <br /> BPF encap ops can return different types of positive values, such like<br /> NET_RX_DROP, NET_XMIT_CN, NETDEV_TX_BUSY, and so on, from function<br /> skb_do_redirect and bpf_lwt_xmit_reroute. At the xmit hook, such return<br /> values would be treated implicitly as LWTUNNEL_XMIT_CONTINUE in<br /> ip(6)_finish_output2. When this happens, skbs that have been freed would<br /> continue to the neighbor subsystem, causing use-after-free bug and<br /> kernel crashes.<br /> <br /> To fix the incorrect behavior, skb_do_redirect return values can be<br /> simply discarded, the same as tc-egress behavior. On the other hand,<br /> bpf_lwt_xmit_reroute returns useful errors to local senders, e.g. PMTU<br /> information. Thus convert its return values to avoid the conflict with<br /> LWTUNNEL_XMIT_CONTINUE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> skmsg: pass gfp argument to alloc_sk_msg()<br /> <br /> syzbot found that alloc_sk_msg() could be called from a<br /> non sleepable context. sk_psock_verdict_recv() uses<br /> rcu_read_lock() protection.<br /> <br /> We need the callers to pass a gfp_t argument to avoid issues.<br /> <br /> syzbot report was:<br /> <br /> BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274<br /> in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 3613, name: syz-executor414<br /> preempt_count: 0, expected: 0<br /> RCU nest depth: 1, expected: 0<br /> INFO: lockdep is turned off.<br /> CPU: 0 PID: 3613 Comm: syz-executor414 Not tainted 6.0.0-syzkaller-09589-g55be6084c8e0 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106<br /> __might_resched+0x538/0x6a0 kernel/sched/core.c:9877<br /> might_alloc include/linux/sched/mm.h:274 [inline]<br /> slab_pre_alloc_hook mm/slab.h:700 [inline]<br /> slab_alloc_node mm/slub.c:3162 [inline]<br /> slab_alloc mm/slub.c:3256 [inline]<br /> kmem_cache_alloc_trace+0x59/0x310 mm/slub.c:3287<br /> kmalloc include/linux/slab.h:600 [inline]<br /> kzalloc include/linux/slab.h:733 [inline]<br /> alloc_sk_msg net/core/skmsg.c:507 [inline]<br /> sk_psock_skb_ingress_self+0x5c/0x330 net/core/skmsg.c:600<br /> sk_psock_verdict_apply+0x395/0x440 net/core/skmsg.c:1014<br /> sk_psock_verdict_recv+0x34d/0x560 net/core/skmsg.c:1201<br /> tcp_read_skb+0x4a1/0x790 net/ipv4/tcp.c:1770<br /> tcp_rcv_established+0x129d/0x1a10 net/ipv4/tcp_input.c:5971<br /> tcp_v4_do_rcv+0x479/0xac0 net/ipv4/tcp_ipv4.c:1681<br /> sk_backlog_rcv include/net/sock.h:1109 [inline]<br /> __release_sock+0x1d8/0x4c0 net/core/sock.c:2906<br /> release_sock+0x5d/0x1c0 net/core/sock.c:3462<br /> tcp_sendmsg+0x36/0x40 net/ipv4/tcp.c:1483<br /> sock_sendmsg_nosec net/socket.c:714 [inline]<br /> sock_sendmsg net/socket.c:734 [inline]<br /> __sys_sendto+0x46d/0x5f0 net/socket.c:2117<br /> __do_sys_sendto net/socket.c:2129 [inline]<br /> __se_sys_sendto net/socket.c:2125 [inline]<br /> __x64_sys_sendto+0xda/0xf0 net/socket.c:2125<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i2c: mux: reg: check return value after calling platform_get_resource()<br /> <br /> It will cause null-ptr-deref in resource_size(), if platform_get_resource()<br /> returns NULL, move calling resource_size() after devm_ioremap_resource() that<br /> will check &amp;#39;res&amp;#39; to avoid null-ptr-deref.<br /> And use devm_platform_get_and_ioremap_resource() to simplify code.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> skbuff: Account for tail adjustment during pull operations<br /> <br /> Extending the tail can have some unexpected side effects if a program uses<br /> a helper like BPF_FUNC_skb_pull_data to read partial content beyond the<br /> head skb headlen when all the skbs in the gso frag_list are linear with no<br /> head_frag -<br /> <br /> kernel BUG at net/core/skbuff.c:4219!<br /> pc : skb_segment+0xcf4/0xd2c<br /> lr : skb_segment+0x63c/0xd2c<br /> Call trace:<br /> skb_segment+0xcf4/0xd2c<br /> __udp_gso_segment+0xa4/0x544<br /> udp4_ufo_fragment+0x184/0x1c0<br /> inet_gso_segment+0x16c/0x3a4<br /> skb_mac_gso_segment+0xd4/0x1b0<br /> __skb_gso_segment+0xcc/0x12c<br /> udp_rcv_segment+0x54/0x16c<br /> udp_queue_rcv_skb+0x78/0x144<br /> udp_unicast_rcv_skb+0x8c/0xa4<br /> __udp4_lib_rcv+0x490/0x68c<br /> udp_rcv+0x20/0x30<br /> ip_protocol_deliver_rcu+0x1b0/0x33c<br /> ip_local_deliver+0xd8/0x1f0<br /> ip_rcv+0x98/0x1a4<br /> deliver_ptype_list_skb+0x98/0x1ec<br /> __netif_receive_skb_core+0x978/0xc60<br /> <br /> Fix this by marking these skbs as GSO_DODGY so segmentation can handle<br /> the tail updates accordingly.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue<br /> <br /> When value

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: fix UAF/GPF bug in nilfs_mdt_destroy<br /> <br /> In alloc_inode, inode_init_always() could return -ENOMEM if<br /> security_inode_alloc() fails, which causes inode-&gt;i_private<br /> uninitialized. Then nilfs_is_metadata_file_inode() returns<br /> true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),<br /> which frees the uninitialized inode-&gt;i_private<br /> and leads to crashes(e.g., UAF/GPF).<br /> <br /> Fix this by moving security_inode_alloc just prior to<br /> this_cpu_inc(nr_inodes)