Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched_ext: Fix SCX_KICK_WAIT deadlock by deferring wait to balance callback<br /> <br /> SCX_KICK_WAIT busy-waits in kick_cpus_irq_workfn() using<br /> smp_cond_load_acquire() until the target CPU&amp;#39;s kick_sync advances. Because<br /> the irq_work runs in hardirq context, the waiting CPU cannot reschedule and<br /> its own kick_sync never advances. If multiple CPUs form a wait cycle, all<br /> CPUs deadlock.<br /> <br /> Replace the busy-wait in kick_cpus_irq_workfn() with resched_curr() to<br /> force the CPU through do_pick_task_scx(), which queues a balance callback<br /> to perform the wait. The balance callback drops the rq lock and enables<br /> IRQs following the sched_core_balance() pattern, so the CPU can process<br /> IPIs while waiting. The local CPU&amp;#39;s kick_sync is advanced on entry to<br /> do_pick_task_scx() and continuously during the wait, ensuring any CPU that<br /> starts waiting for us sees the advancement and cannot form cyclic<br /> dependencies.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal: core: Fix thermal zone device registration error path<br /> <br /> If thermal_zone_device_register_with_trips() fails after registering<br /> a thermal zone device, it needs to wait for the tz-&gt;removal completion<br /> like thermal_zone_device_unregister(), in case user space has managed<br /> to take a reference to the thermal zone device&amp;#39;s kobject, in which case<br /> thermal_release() may not be called by the error path itself and tz may<br /> be freed prematurely.<br /> <br /> Add the missing wait_for_completion() call to the thermal zone device<br /> registration error path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/kexec: Disable KCOV instrumentation after load_segments()<br /> <br /> The load_segments() function changes segment registers, invalidating GS base<br /> (which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any<br /> subsequent instrumented C code call (e.g. native_gdt_invalidate()) begins<br /> crashing the kernel in an endless loop.<br /> <br /> To reproduce the problem, it&amp;#39;s sufficient to do kexec on a KCOV-instrumented<br /> kernel:<br /> <br /> $ kexec -l /boot/otherKernel<br /> $ kexec -e<br /> <br /> The real-world context for this problem is enabling crash dump collection in<br /> syzkaller. For this, the tool loads a panic kernel before fuzzing and then<br /> calls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC<br /> and CONFIG_KCOV to be enabled simultaneously.<br /> <br /> Adding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc())<br /> is also undesirable as it would introduce an extra performance overhead.<br /> <br /> Disabling instrumentation for the individual functions would be too fragile,<br /> so disable KCOV instrumentation for the entire machine_kexec_64.c and<br /> physaddr.c. If coverage-guided fuzzing ever needs these components in the<br /> future, other approaches should be considered.<br /> <br /> The problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported<br /> there.<br /> <br /> [ bp: Space out comment for better readability. ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: caam - fix overflow on long hmac keys<br /> <br /> When a key longer than block size is supplied, it is copied and then<br /> hashed into the real key. The memory allocated for the copy needs to<br /> be rounded to DMA cache alignment, as otherwise the hashed key may<br /> corrupt neighbouring memory.<br /> <br /> The copying is performed using kmemdup, however this leads to an overflow:<br /> reading more bytes (aligned_len - keylen) from the keylen source buffer.<br /> Fix this by replacing kmemdup with kmalloc, followed by memcpy.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: flowtable: strictly check for maximum number of actions<br /> <br /> The maximum number of flowtable hardware offload actions in IPv6 is:<br /> <br /> * ethernet mangling (4 payload actions, 2 for each ethernet address)<br /> * SNAT (4 payload actions)<br /> * DNAT (4 payload actions)<br /> * Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)<br /> for QinQ.<br /> * Redirect (1 action)<br /> <br /> Which makes 17, while the maximum is 16. But act_ct supports for tunnels<br /> actions too. Note that payload action operates at 32-bit word level, so<br /> mangling an IPv6 address takes 4 payload actions.<br /> <br /> Update flow_action_entry_next() calls to check for the maximum number of<br /> supported actions.<br /> <br /> While at it, rise the maximum number of actions per flow from 16 to 24<br /> so this works fine with IPv6 setups.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path<br /> <br /> When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls<br /> kobject_put(&amp;dbs_data-&gt;attr_set.kobj).<br /> <br /> The kobject release callback cpufreq_dbs_data_release() calls<br /> gov-&gt;exit(dbs_data) and kfree(dbs_data), but the current error path<br /> then calls gov-&gt;exit(dbs_data) and kfree(dbs_data) again, causing a<br /> double free.<br /> <br /> Keep the direct kfree(dbs_data) for the gov-&gt;init() failure path, but<br /> after kobject_init_and_add() has been called, let kobject_put() handle<br /> the cleanup through cpufreq_dbs_data_release().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: iwlwifi: mvm: don&amp;#39;t send a 6E related command when not supported<br /> <br /> MCC_ALLOWED_AP_TYPE_CMD is related to 6E support. Do not send it if the<br /> device doesn&amp;#39;t support 6E.<br /> Apparently, the firmware is mistakenly advertising support for this<br /> command even on AX201 which does not support 6E and then the firmware<br /> crashes.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: dummy-hcd: Fix interrupt synchronization error<br /> <br /> This fixes an error in synchronization in the dummy-hcd driver. The<br /> error has a somewhat involved history. The synchronization mechanism<br /> was introduced by commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous<br /> synchronization change"), which added an emulated "interrupts enabled"<br /> flag together with code emulating synchronize_irq() (it waits until<br /> all current handler callbacks have returned).<br /> <br /> But the emulated interrupt-disable occurred too late, after the driver<br /> containing the handler callback routines had been told that it was<br /> unbound and no more callbacks would occur. Commit 4a5d797a9f9c ("usb:<br /> gadget: dummy_hcd: fix gpf in gadget_setup") tried to fix this by<br /> moving the synchronize_irq() emulation code from dummy_stop() to<br /> dummy_pullup(), which runs before the unbind callback.<br /> <br /> There still were races, though, because the emulated interrupt-disable<br /> still occurred too late. It couldn&amp;#39;t be moved to dummy_pullup(),<br /> because that routine can be called for reasons other than an impending<br /> unbind. Therefore commits 7dc0c55e9f30 ("USB: UDC core: Add<br /> udc_async_callbacks gadget op") and 04145a03db9d ("USB: UDC: Implement<br /> udc_async_callbacks in dummy-hcd") added an API allowing the UDC core<br /> to tell dummy-hcd exactly when emulated interrupts and their callbacks<br /> should be disabled.<br /> <br /> That brings us to the current state of things, which is still wrong<br /> because the emulated synchronize_irq() occurs before the emulated<br /> interrupt-disable! That&amp;#39;s no good, beause it means that more emulated<br /> interrupts can occur after the synchronize_irq() emulation has run,<br /> leading to the possibility that a callback handler may be running when<br /> the gadget driver is unbound.<br /> <br /> To fix this, we have to move the synchronize_irq() emulation code yet<br /> again, to the dummy_udc_async_callbacks() routine, which takes care of<br /> enabling and disabling emulated interrupt requests. The<br /> synchronization will now run immediately after emulated interrupts are<br /> disabled, which is where it belongs.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched/fair: Fix zero_vruntime tracking fix<br /> <br /> John reported that stress-ng-yield could make his machine unhappy and<br /> managed to bisect it to commit b3d99f43c72b ("sched/fair: Fix<br /> zero_vruntime tracking").<br /> <br /> The combination of yield and that commit was specific enough to<br /> hypothesize the following scenario:<br /> <br /> Suppose we have 2 runnable tasks, both doing yield. Then one will be<br /> eligible and one will not be, because the average position must be in<br /> between these two entities.<br /> <br /> Therefore, the runnable task will be eligible, and be promoted a full<br /> slice (all the tasks do is yield after all). This causes it to jump over<br /> the other task and now the other task is eligible and current is no<br /> longer. So we schedule.<br /> <br /> Since we are runnable, there is no {de,en}queue. All we have is the<br /> __{en,de}queue_entity() from {put_prev,set_next}_task(). But per the<br /> fingered commit, those two no longer move zero_vruntime.<br /> <br /> All that moves zero_vruntime are tick and full {de,en}queue.<br /> <br /> This means, that if the two tasks playing leapfrog can reach the<br /> critical speed to reach the overflow point inside one tick&amp;#39;s worth of<br /> time, we&amp;#39;re up a creek.<br /> <br /> Additionally, when multiple cgroups are involved, there is no guarantee<br /> the tick will in fact hit every cgroup in a timely manner. Statistically<br /> speaking it will, but that same statistics does not rule out the<br /> possibility of one cgroup not getting a tick for a significant amount of<br /> time -- however unlikely.<br /> <br /> Therefore, just like with the yield() case, force an update at the end<br /> of every slice. This ensures the update is never more than a single<br /> slice behind and the whole thing is within 2 lag bounds as per the<br /> comment on entity_key().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: hci_sync: Fix UAF in le_read_features_complete<br /> <br /> This fixes the following backtrace caused by hci_conn being freed<br /> before le_read_features_complete but after<br /> hci_le_read_remote_features_sync so hci_conn_del -&gt; hci_cmd_sync_dequeue<br /> is not able to prevent it:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]<br /> BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]<br /> BUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]<br /> BUG: KASAN: slab-use-after-free in le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344<br /> Write of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52<br /> <br /> CPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full)<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025<br /> Workqueue: hci0 hci_cmd_sync_work<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0xcd/0x630 mm/kasan/report.c:482<br /> kasan_report+0xe0/0x110 mm/kasan/report.c:595<br /> check_region_inline mm/kasan/generic.c:194 [inline]<br /> kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200<br /> instrument_atomic_read_write include/linux/instrumented.h:96 [inline]<br /> atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]<br /> hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]<br /> le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344<br /> hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334<br /> process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257<br /> process_scheduled_works kernel/workqueue.c:3340 [inline]<br /> worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421<br /> kthread+0x3c5/0x780 kernel/kthread.c:463<br /> ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246<br /> <br /> <br /> Allocated by task 5932:<br /> kasan_save_stack+0x33/0x60 mm/kasan/common.c:56<br /> kasan_save_track+0x14/0x30 mm/kasan/common.c:77<br /> poison_kmalloc_redzone mm/kasan/common.c:400 [inline]<br /> __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417<br /> kmalloc_noprof include/linux/slab.h:957 [inline]<br /> kzalloc_noprof include/linux/slab.h:1094 [inline]<br /> __hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963<br /> hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084<br /> le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714<br /> hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861<br /> hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408<br /> hci_event_func net/bluetooth/hci_event.c:7716 [inline]<br /> hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773<br /> hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076<br /> process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257<br /> process_scheduled_works kernel/workqueue.c:3340 [inline]<br /> worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421<br /> kthread+0x3c5/0x780 kernel/kthread.c:463<br /> ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246<br /> <br /> Freed by task 5932:<br /> kasan_save_stack+0x33/0x60 mm/kasan/common.c:56<br /> kasan_save_track+0x14/0x30 mm/kasan/common.c:77<br /> __kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587<br /> kasan_save_free_info mm/kasan/kasan.h:406 [inline]<br /> poison_slab_object mm/kasan/common.c:252 [inline]<br /> __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284<br /> kasan_slab_free include/linux/kasan.h:234 [inline]<br /> slab_free_hook mm/slub.c:2540 [inline]<br /> slab_free mm/slub.c:6663 [inline]<br /> kfree+0x2f8/0x6e0 mm/slub.c:6871<br /> device_release+0xa4/0x240 drivers/base/core.c:2565<br /> kobject_cleanup lib/kobject.c:689 [inline]<br /> kobject_release lib/kobject.c:720 [inline]<br /> kref_put include/linux/kref.h:65 [inline]<br /> kobject_put+0x1e7/0x590 lib/kobject.<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Properly mark live registers for indirect jumps<br /> <br /> For a `gotox rX` instruction the rX register should be marked as used<br /> in the compute_insn_live_regs() function. Fix this.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Fix dsc eDP issue<br /> <br /> [why]<br /> Need to add function hook check before use