Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: enetc: avoid deadlock in enetc_tx_onestep_tstamp()<br /> <br /> This lockdep splat says it better than I could:<br /> <br /> ================================<br /> WARNING: inconsistent lock state<br /> 6.2.0-rc2-07010-ga9b9500ffaac-dirty #967 Not tainted<br /> --------------------------------<br /> inconsistent {IN-SOFTIRQ-W} -&gt; {SOFTIRQ-ON-W} usage.<br /> kworker/1:3/179 [HC0[0]:SC0[0]:HE1:SE1] takes:<br /> ffff3ec4036ce098 (_xmit_ETHER#2){+.?.}-{3:3}, at: netif_freeze_queues+0x5c/0xc0<br /> {IN-SOFTIRQ-W} state was registered at:<br /> _raw_spin_lock+0x5c/0xc0<br /> sch_direct_xmit+0x148/0x37c<br /> __dev_queue_xmit+0x528/0x111c<br /> ip6_finish_output2+0x5ec/0xb7c<br /> ip6_finish_output+0x240/0x3f0<br /> ip6_output+0x78/0x360<br /> ndisc_send_skb+0x33c/0x85c<br /> ndisc_send_rs+0x54/0x12c<br /> addrconf_rs_timer+0x154/0x260<br /> call_timer_fn+0xb8/0x3a0<br /> __run_timers.part.0+0x214/0x26c<br /> run_timer_softirq+0x3c/0x74<br /> __do_softirq+0x14c/0x5d8<br /> ____do_softirq+0x10/0x20<br /> call_on_irq_stack+0x2c/0x5c<br /> do_softirq_own_stack+0x1c/0x30<br /> __irq_exit_rcu+0x168/0x1a0<br /> irq_exit_rcu+0x10/0x40<br /> el1_interrupt+0x38/0x64<br /> irq event stamp: 7825<br /> hardirqs last enabled at (7825): [] exit_to_kernel_mode+0x34/0x130<br /> hardirqs last disabled at (7823): [] __do_softirq+0x550/0x5d8<br /> softirqs last enabled at (7824): [] __do_softirq+0x46c/0x5d8<br /> softirqs last disabled at (7811): [] ____do_softirq+0x10/0x20<br /> <br /> other info that might help us debug this:<br /> Possible unsafe locking scenario:<br /> <br /> CPU0<br /> ----<br /> lock(_xmit_ETHER#2);<br /> <br /> lock(_xmit_ETHER#2);<br /> <br /> *** DEADLOCK ***<br /> <br /> 3 locks held by kworker/1:3/179:<br /> #0: ffff3ec400004748 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1f4/0x6c0<br /> #1: ffff80000a0bbdc8 ((work_completion)(&amp;priv-&gt;tx_onestep_tstamp)){+.+.}-{0:0}, at: process_one_work+0x1f4/0x6c0<br /> #2: ffff3ec4036cd438 (&amp;dev-&gt;tx_global_lock){+.+.}-{3:3}, at: netif_tx_lock+0x1c/0x34<br /> <br /> Workqueue: events enetc_tx_onestep_tstamp<br /> Call trace:<br /> print_usage_bug.part.0+0x208/0x22c<br /> mark_lock+0x7f0/0x8b0<br /> __lock_acquire+0x7c4/0x1ce0<br /> lock_acquire.part.0+0xe0/0x220<br /> lock_acquire+0x68/0x84<br /> _raw_spin_lock+0x5c/0xc0<br /> netif_freeze_queues+0x5c/0xc0<br /> netif_tx_lock+0x24/0x34<br /> enetc_tx_onestep_tstamp+0x20/0x100<br /> process_one_work+0x28c/0x6c0<br /> worker_thread+0x74/0x450<br /> kthread+0x118/0x11c<br /> <br /> but I&amp;#39;ll say it anyway: the enetc_tx_onestep_tstamp() work item runs in<br /> process context, therefore with softirqs enabled (i.o.w., it can be<br /> interrupted by a softirq). If we hold the netif_tx_lock() when there is<br /> an interrupt, and the NET_TX softirq then gets scheduled, this will take<br /> the netif_tx_lock() a second time and deadlock the kernel.<br /> <br /> To solve this, use netif_tx_lock_bh(), which blocks softirqs from<br /> running.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: sch_taprio: fix possible use-after-free<br /> <br /> syzbot reported a nasty crash [1] in net_tx_action() which<br /> made little sense until we got a repro.<br /> <br /> This repro installs a taprio qdisc, but providing an<br /> invalid TCA_RATE attribute.<br /> <br /> qdisc_create() has to destroy the just initialized<br /> taprio qdisc, and taprio_destroy() is called.<br /> <br /> However, the hrtimer used by taprio had already fired,<br /> therefore advance_sched() called __netif_schedule().<br /> <br /> Then net_tx_action was trying to use a destroyed qdisc.<br /> <br /> We can not undo the __netif_schedule(), so we must wait<br /> until one cpu serviced the qdisc before we can proceed.<br /> <br /> Many thanks to Alexander Potapenko for his help.<br /> <br /> [1]<br /> BUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]<br /> BUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline]<br /> BUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]<br /> BUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138<br /> queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]<br /> do_raw_spin_trylock include/linux/spinlock.h:191 [inline]<br /> __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]<br /> _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138<br /> spin_trylock include/linux/spinlock.h:359 [inline]<br /> qdisc_run_begin include/net/sch_generic.h:187 [inline]<br /> qdisc_run+0xee/0x540 include/net/pkt_sched.h:125<br /> net_tx_action+0x77c/0x9a0 net/core/dev.c:5086<br /> __do_softirq+0x1cc/0x7fb kernel/softirq.c:571<br /> run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934<br /> smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164<br /> kthread+0x31b/0x430 kernel/kthread.c:376<br /> ret_from_fork+0x1f/0x30<br /> <br /> Uninit was created at:<br /> slab_post_alloc_hook mm/slab.h:732 [inline]<br /> slab_alloc_node mm/slub.c:3258 [inline]<br /> __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970<br /> kmalloc_reserve net/core/skbuff.c:358 [inline]<br /> __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430<br /> alloc_skb include/linux/skbuff.h:1257 [inline]<br /> nlmsg_new include/net/netlink.h:953 [inline]<br /> netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436<br /> netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507<br /> rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]<br /> netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345<br /> netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921<br /> sock_sendmsg_nosec net/socket.c:714 [inline]<br /> sock_sendmsg net/socket.c:734 [inline]<br /> ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482<br /> ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536<br /> __sys_sendmsg net/socket.c:2565 [inline]<br /> __do_sys_sendmsg net/socket.c:2574 [inline]<br /> __se_sys_sendmsg net/socket.c:2572 [inline]<br /> __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: nfc: Fix use-after-free in local_cleanup()<br /> <br /> Fix a use-after-free that occurs in kfree_skb() called from<br /> local_cleanup(). This could happen when killing nfc daemon (e.g. neard)<br /> after detaching an nfc device.<br /> When detaching an nfc device, local_cleanup() called from<br /> nfc_llcp_unregister_device() frees local-&gt;rx_pending and decreases<br /> local-&gt;ref by kref_put() in nfc_llcp_local_put().<br /> In the terminating process, nfc daemon releases all sockets and it leads<br /> to decreasing local-&gt;ref. After the last release of local-&gt;ref,<br /> local_cleanup() called from local_release() frees local-&gt;rx_pending<br /> again, which leads to the bug.<br /> <br /> Setting local-&gt;rx_pending to NULL in local_cleanup() could prevent<br /> use-after-free when local_cleanup() is called twice.<br /> <br /> Found by a modified version of syzkaller.<br /> <br /> BUG: KASAN: use-after-free in kfree_skb()<br /> <br /> Call Trace:<br /> dump_stack_lvl (lib/dump_stack.c:106)<br /> print_address_description.constprop.0.cold (mm/kasan/report.c:306)<br /> kasan_check_range (mm/kasan/generic.c:189)<br /> kfree_skb (net/core/skbuff.c:955)<br /> local_cleanup (net/nfc/llcp_core.c:159)<br /> nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)<br /> nfc_llcp_local_put (net/nfc/llcp_core.c:181)<br /> llcp_sock_destruct (net/nfc/llcp_sock.c:959)<br /> __sk_destruct (net/core/sock.c:2133)<br /> sk_destruct (net/core/sock.c:2181)<br /> __sk_free (net/core/sock.c:2192)<br /> sk_free (net/core/sock.c:2203)<br /> llcp_sock_release (net/nfc/llcp_sock.c:646)<br /> __sock_release (net/socket.c:650)<br /> sock_close (net/socket.c:1365)<br /> __fput (fs/file_table.c:306)<br /> task_work_run (kernel/task_work.c:179)<br /> ptrace_notify (kernel/signal.c:2354)<br /> syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)<br /> syscall_exit_to_user_mode (kernel/entry/common.c:296)<br /> do_syscall_64 (arch/x86/entry/common.c:86)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)<br /> <br /> Allocated by task 4719:<br /> kasan_save_stack (mm/kasan/common.c:45)<br /> __kasan_slab_alloc (mm/kasan/common.c:325)<br /> slab_post_alloc_hook (mm/slab.h:766)<br /> kmem_cache_alloc_node (mm/slub.c:3497)<br /> __alloc_skb (net/core/skbuff.c:552)<br /> pn533_recv_response (drivers/nfc/pn533/usb.c:65)<br /> __usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)<br /> usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)<br /> tasklet_action_common.isra.0 (kernel/softirq.c:797)<br /> __do_softirq (kernel/softirq.c:571)<br /> <br /> Freed by task 1901:<br /> kasan_save_stack (mm/kasan/common.c:45)<br /> kasan_set_track (mm/kasan/common.c:52)<br /> kasan_save_free_info (mm/kasan/genericdd.c:518)<br /> __kasan_slab_free (mm/kasan/common.c:236)<br /> kmem_cache_free (mm/slub.c:3809)<br /> kfree_skbmem (net/core/skbuff.c:874)<br /> kfree_skb (net/core/skbuff.c:931)<br /> local_cleanup (net/nfc/llcp_core.c:159)<br /> nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)<br /> nfc_unregister_device (net/nfc/core.c:1179)<br /> pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)<br /> pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)<br /> usb_unbind_interface (drivers/usb/core/driver.c:458)<br /> device_release_driver_internal (drivers/base/dd.c:1279)<br /> bus_remove_device (drivers/base/bus.c:529)<br /> device_del (drivers/base/core.c:3665)<br /> usb_disable_device (drivers/usb/core/message.c:1420)<br /> usb_disconnect (drivers/usb/core.c:2261)<br /> hub_event (drivers/usb/core/hub.c:5833)<br /> process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)<br /> worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)<br /> kthread (kernel/kthread.c:319)<br /> ret_from_fork (arch/x86/entry/entry_64.S:301)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation<br /> <br /> To mitigate Spectre v4, 2039f26f3aca ("bpf: Fix leakage due to<br /> insufficient speculative store bypass mitigation") inserts lfence<br /> instructions after 1) initializing a stack slot and 2) spilling a<br /> pointer to the stack.<br /> <br /> However, this does not cover cases where a stack slot is first<br /> initialized with a pointer (subject to sanitization) but then<br /> overwritten with a scalar (not subject to sanitization because<br /> the slot was already initialized). In this case, the second write<br /> may be subject to speculative store bypass (SSB) creating a<br /> speculative pointer-as-scalar type confusion. This allows the<br /> program to subsequently leak the numerical pointer value using,<br /> for example, a branch-based cache side channel.<br /> <br /> To fix this, also sanitize scalars if they write a stack slot<br /> that previously contained a pointer. Assuming that pointer-spills<br /> are only generated by LLVM on register-pressure, the performance<br /> impact on most real-world BPF programs should be small.<br /> <br /> The following unprivileged BPF bytecode drafts a minimal exploit<br /> and the mitigation:<br /> <br /> [...]<br /> // r6 = 0 or 1 (skalar, unknown user input)<br /> // r7 = accessible ptr for side channel<br /> // r10 = frame pointer (fp), to be leaked<br /> //<br /> r9 = r10 # fp alias to encourage ssb<br /> *(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked<br /> // lfence added here because of pointer spill to stack.<br /> //<br /> // Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor<br /> // for no r9-r10 dependency.<br /> //<br /> *(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr<br /> // 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,<br /> // store may be subject to SSB<br /> //<br /> // fix: also add an lfence when the slot contained a ptr<br /> //<br /> r8 = *(u64 *)(r9 - 8)<br /> // r8 = architecturally a scalar, speculatively a ptr<br /> //<br /> // leak ptr using branch-based cache side channel:<br /> r8 &amp;= 1 // choose bit to leak<br /> if r8 == 0 goto SLOW // no mispredict<br /> // architecturally dead code if input r6 is 0,<br /> // only executes speculatively iff ptr bit is 1<br /> r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)<br /> SLOW:<br /> [...]<br /> <br /> After running this, the program can time the access to *(r7 + 0) to<br /> determine whether the chosen pointer bit was 0 or 1. Repeat this 64<br /> times to recover the whole address on amd64.<br /> <br /> In summary, sanitization can only be skipped if one scalar is<br /> overwritten with another scalar. Scalar-confusion due to speculative<br /> store bypass can not lead to invalid accesses because the pointer<br /> bounds deducted during verification are enforced using branchless<br /> logic. See 979d63d50c0c ("bpf: prevent out of bounds speculation on<br /> pointer arithmetic") for details.<br /> <br /> Do not make the mitigation depend on !env-&gt;allow_{uninit_stack,ptr_leaks}<br /> because speculative leaks are likely unexpected if these were enabled.<br /> For example, leaking the address to a protected log file may be acceptable<br /> while disabling the mitigation might unintentionally leak the address<br /> into the cached-state of a map that is accessible to unprivileged<br /> processes.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal: core: call put_device() only after device_register() fails<br /> <br /> put_device() shouldn&amp;#39;t be called before a prior call to<br /> device_register(). __thermal_cooling_device_register() doesn&amp;#39;t follow<br /> that properly and needs fixing. Also<br /> thermal_cooling_device_destroy_sysfs() is getting called unnecessarily<br /> on few error paths.<br /> <br /> Fix all this by placing the calls at the right place.<br /> <br /> Based on initial work done by Caleb Connolly.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bnxt: Do not read past the end of test names<br /> <br /> Test names were being concatenated based on a offset beyond the end of<br /> the first name, which tripped the buffer overflow detection logic:<br /> <br /> detected buffer overflow in strnlen<br /> [...]<br /> Call Trace:<br /> bnxt_ethtool_init.cold+0x18/0x18<br /> <br /> Refactor struct hwrm_selftest_qlist_output to use an actual array,<br /> and adjust the concatenation to use snprintf() rather than a series of<br /> strncat() calls.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: stmmac: enable all safety features by default<br /> <br /> In the original implementation of dwmac5<br /> commit 8bf993a5877e ("net: stmmac: Add support for DWMAC5 and implement Safety Features")<br /> all safety features were enabled by default.<br /> <br /> Later it seems some implementations didn&amp;#39;t have support for all the<br /> features, so in<br /> commit 5ac712dcdfef ("net: stmmac: enable platform specific safety features")<br /> the safety_feat_cfg structure was added to the callback and defined for<br /> some platforms to selectively enable these safety features.<br /> <br /> The problem is that only certain platforms were given that software<br /> support. If the automotive safety package bit is set in the hardware<br /> features register the safety feature callback is called for the platform,<br /> and for platforms that didn&amp;#39;t get a safety_feat_cfg defined this results<br /> in the following NULL pointer dereference:<br /> <br /> [ 7.933303] Call trace:<br /> [ 7.935812] dwmac5_safety_feat_config+0x20/0x170 [stmmac]<br /> [ 7.941455] __stmmac_open+0x16c/0x474 [stmmac]<br /> [ 7.946117] stmmac_open+0x38/0x70 [stmmac]<br /> [ 7.950414] __dev_open+0x100/0x1dc<br /> [ 7.954006] __dev_change_flags+0x18c/0x204<br /> [ 7.958297] dev_change_flags+0x24/0x6c<br /> [ 7.962237] do_setlink+0x2b8/0xfa4<br /> [ 7.965827] __rtnl_newlink+0x4ec/0x840<br /> [ 7.969766] rtnl_newlink+0x50/0x80<br /> [ 7.973353] rtnetlink_rcv_msg+0x12c/0x374<br /> [ 7.977557] netlink_rcv_skb+0x5c/0x130<br /> [ 7.981500] rtnetlink_rcv+0x18/0x2c<br /> [ 7.985172] netlink_unicast+0x2e8/0x340<br /> [ 7.989197] netlink_sendmsg+0x1a8/0x420<br /> [ 7.993222] ____sys_sendmsg+0x218/0x280<br /> [ 7.997249] ___sys_sendmsg+0xac/0x100<br /> [ 8.001103] __sys_sendmsg+0x84/0xe0<br /> [ 8.004776] __arm64_sys_sendmsg+0x24/0x30<br /> [ 8.008983] invoke_syscall+0x48/0x114<br /> [ 8.012840] el0_svc_common.constprop.0+0xcc/0xec<br /> [ 8.017665] do_el0_svc+0x38/0xb0<br /> [ 8.021071] el0_svc+0x2c/0x84<br /> [ 8.024212] el0t_64_sync_handler+0xf4/0x120<br /> [ 8.028598] el0t_64_sync+0x190/0x194<br /> <br /> Go back to the original behavior, if the automotive safety package<br /> is found to be supported in hardware enable all the features unless<br /> safety_feat_cfg is passed in saying this particular platform only<br /> supports a subset of the features.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ptdma: pt_core_execute_cmd() should use spinlock<br /> <br /> The interrupt handler (pt_core_irq_handler()) of the ptdma<br /> driver can be called from interrupt context. The code flow<br /> in this function can lead down to pt_core_execute_cmd() which<br /> will attempt to grab a mutex, which is not appropriate in<br /> interrupt context and ultimately leads to a kernel panic.<br /> The fix here changes this mutex to a spinlock, which has<br /> been verified to resolve the issue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: tegra: Fix memory leak in terminate_all()<br /> <br /> Terminate vdesc when terminating an ongoing transfer.<br /> This will ensure that the vdesc is present in the desc_terminated list<br /> The descriptor will be freed later in desc_free_list().<br /> <br /> This fixes the memory leaks which can happen when terminating an<br /> ongoing transfer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: betop: check shape of output reports<br /> <br /> betopff_init() only checks the total sum of the report counts for each<br /> report field to be at least 4, but hid_betopff_play() expects 4 report<br /> fields.<br /> A device advertising an output report with one field and 4 report counts<br /> would pass the check but crash the kernel with a NULL pointer dereference<br /> in hid_betopff_play().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: Fix possible deadlock in rfcomm_sk_state_change<br /> <br /> syzbot reports a possible deadlock in rfcomm_sk_state_change [1].<br /> While rfcomm_sock_connect acquires the sk lock and waits for<br /> the rfcomm lock, rfcomm_sock_release could have the rfcomm<br /> lock and hit a deadlock for acquiring the sk lock.<br /> Here&amp;#39;s a simplified flow:<br /> <br /> rfcomm_sock_connect:<br /> lock_sock(sk)<br /> rfcomm_dlc_open:<br /> rfcomm_lock()<br /> <br /> rfcomm_sock_release:<br /> rfcomm_sock_shutdown:<br /> rfcomm_lock()<br /> __rfcomm_dlc_close:<br /> rfcomm_k_state_change:<br /> lock_sock(sk)<br /> <br /> This patch drops the sk lock before calling rfcomm_dlc_open to<br /> avoid the possible deadlock and holds sk&amp;#39;s reference count to<br /> prevent use-after-free after rfcomm_dlc_open completes.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdkfd: Add sync after creating vram bo<br /> <br /> There will be data corruption on vram allocated by svm<br /> if the initialization is not complete and application is<br /> writting on the memory. Adding sync to wait for the<br /> initialization completion is to resolve this issue.