Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> veth: Fix use after free in XDP_REDIRECT<br /> <br /> Commit 718a18a0c8a6 ("veth: Rework veth_xdp_rcv_skb in order<br /> to accept non-linear skb") introduced a bug where it tried to<br /> use pskb_expand_head() if the headroom was less than<br /> XDP_PACKET_HEADROOM. This however uses kmalloc to expand the head,<br /> which will later allow consume_skb() to free the skb while is it still<br /> in use by AF_XDP.<br /> <br /> Previously if the headroom was less than XDP_PACKET_HEADROOM we<br /> continued on to allocate a new skb from pages so this restores that<br /> behavior.<br /> <br /> BUG: KASAN: use-after-free in __xsk_rcv+0x18d/0x2c0<br /> Read of size 78 at addr ffff888976250154 by task napi/iconduit-g/148640<br /> <br /> CPU: 5 PID: 148640 Comm: napi/iconduit-g Kdump: loaded Tainted: G O 6.1.4-cloudflare-kasan-2023.1.2 #1<br /> Hardware name: Quanta Computer Inc. QuantaPlex T41S-2U/S2S-MB, BIOS S2S_3B10.03 06/21/2018<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x34/0x48<br /> print_report+0x170/0x473<br /> ? __xsk_rcv+0x18d/0x2c0<br /> kasan_report+0xad/0x130<br /> ? __xsk_rcv+0x18d/0x2c0<br /> kasan_check_range+0x149/0x1a0<br /> memcpy+0x20/0x60<br /> __xsk_rcv+0x18d/0x2c0<br /> __xsk_map_redirect+0x1f3/0x490<br /> ? veth_xdp_rcv_skb+0x89c/0x1ba0 [veth]<br /> xdp_do_redirect+0x5ca/0xd60<br /> veth_xdp_rcv_skb+0x935/0x1ba0 [veth]<br /> ? __netif_receive_skb_list_core+0x671/0x920<br /> ? veth_xdp+0x670/0x670 [veth]<br /> veth_xdp_rcv+0x304/0xa20 [veth]<br /> ? do_xdp_generic+0x150/0x150<br /> ? veth_xdp_rcv_one+0xde0/0xde0 [veth]<br /> ? _raw_spin_lock_bh+0xe0/0xe0<br /> ? newidle_balance+0x887/0xe30<br /> ? __perf_event_task_sched_in+0xdb/0x800<br /> veth_poll+0x139/0x571 [veth]<br /> ? veth_xdp_rcv+0xa20/0xa20 [veth]<br /> ? _raw_spin_unlock+0x39/0x70<br /> ? finish_task_switch.isra.0+0x17e/0x7d0<br /> ? __switch_to+0x5cf/0x1070<br /> ? __schedule+0x95b/0x2640<br /> ? io_schedule_timeout+0x160/0x160<br /> __napi_poll+0xa1/0x440<br /> napi_threaded_poll+0x3d1/0x460<br /> ? __napi_poll+0x440/0x440<br /> ? __kthread_parkme+0xc6/0x1f0<br /> ? __napi_poll+0x440/0x440<br /> kthread+0x2a2/0x340<br /> ? kthread_complete_and_exit+0x20/0x20<br /> ret_from_fork+0x22/0x30<br /> <br /> <br /> Freed by task 148640:<br /> kasan_save_stack+0x23/0x50<br /> kasan_set_track+0x21/0x30<br /> kasan_save_free_info+0x2a/0x40<br /> ____kasan_slab_free+0x169/0x1d0<br /> slab_free_freelist_hook+0xd2/0x190<br /> __kmem_cache_free+0x1a1/0x2f0<br /> skb_release_data+0x449/0x600<br /> consume_skb+0x9f/0x1c0<br /> veth_xdp_rcv_skb+0x89c/0x1ba0 [veth]<br /> veth_xdp_rcv+0x304/0xa20 [veth]<br /> veth_poll+0x139/0x571 [veth]<br /> __napi_poll+0xa1/0x440<br /> napi_threaded_poll+0x3d1/0x460<br /> kthread+0x2a2/0x340<br /> ret_from_fork+0x22/0x30<br /> <br /> The buggy address belongs to the object at ffff888976250000<br /> which belongs to the cache kmalloc-2k of size 2048<br /> The buggy address is located 340 bytes inside of<br /> 2048-byte region [ffff888976250000, ffff888976250800)<br /> <br /> The buggy address belongs to the physical page:<br /> page:00000000ae18262a refcount:2 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x976250<br /> head:00000000ae18262a order:3 compound_mapcount:0 compound_pincount:0<br /> flags: 0x2ffff800010200(slab|head|node=0|zone=2|lastcpupid=0x1ffff)<br /> raw: 002ffff800010200 0000000000000000 dead000000000122 ffff88810004cf00<br /> raw: 0000000000000000 0000000080080008 00000002ffffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /> <br /> Memory state around the buggy address:<br /> ffff888976250000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff888976250080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> &gt; ffff888976250100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ^<br /> ffff888976250180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff888976250200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition<br /> <br /> This bug influences both st_nci_i2c_remove and st_nci_spi_remove.<br /> Take st_nci_i2c_remove as an example.<br /> <br /> In st_nci_i2c_probe, it called ndlc_probe and bound &amp;ndlc-&gt;sm_work<br /> with llt_ndlc_sm_work.<br /> <br /> When it calls ndlc_recv or timeout handler, it will finally call<br /> schedule_work to start the work.<br /> <br /> When we call st_nci_i2c_remove to remove the driver, there<br /> may be a sequence as follows:<br /> <br /> Fix it by finishing the work before cleanup in ndlc_remove<br /> <br /> CPU0 CPU1<br /> <br /> |llt_ndlc_sm_work<br /> st_nci_i2c_remove |<br /> ndlc_remove |<br /> st_nci_remove |<br /> nci_free_device|<br /> kfree(ndev) |<br /> //free ndlc-&gt;ndev |<br /> |llt_ndlc_rcv_queue<br /> |nci_recv_frame<br /> |//use ndlc-&gt;ndev

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: Fix cleanup null-ptr deref on encap lock<br /> <br /> During module is unloaded while a peer tc flow is still offloaded,<br /> first the peer uplink rep profile is changed to a nic profile, and so<br /> neigh encap lock is destroyed. Next during unload, the VF reps netdevs<br /> are unregistered which causes the original non-peer tc flow to be deleted,<br /> which deletes the peer flow. The peer flow deletion detaches the encap<br /> entry and try to take the already destroyed encap lock, causing the<br /> below trace.<br /> <br /> Fix this by clearing peer flows during tc eswitch cleanup<br /> (mlx5e_tc_esw_cleanup()).<br /> <br /> Relevant trace:<br /> [ 4316.837128] BUG: kernel NULL pointer dereference, address: 00000000000001d8<br /> [ 4316.842239] RIP: 0010:__mutex_lock+0xb5/0xc40<br /> [ 4316.851897] Call Trace:<br /> [ 4316.852481] <br /> [ 4316.857214] mlx5e_rep_neigh_entry_release+0x93/0x790 [mlx5_core]<br /> [ 4316.858258] mlx5e_rep_encap_entry_detach+0xa7/0xf0 [mlx5_core]<br /> [ 4316.859134] mlx5e_encap_dealloc+0xa3/0xf0 [mlx5_core]<br /> [ 4316.859867] clean_encap_dests.part.0+0x5c/0xe0 [mlx5_core]<br /> [ 4316.860605] mlx5e_tc_del_fdb_flow+0x32a/0x810 [mlx5_core]<br /> [ 4316.862609] __mlx5e_tc_del_fdb_peer_flow+0x1a2/0x250 [mlx5_core]<br /> [ 4316.863394] mlx5e_tc_del_flow+0x(/0x630 [mlx5_core]<br /> [ 4316.864090] mlx5e_flow_put+0x5f/0x100 [mlx5_core]<br /> [ 4316.864771] mlx5e_delete_flower+0x4de/0xa40 [mlx5_core]<br /> [ 4316.865486] tc_setup_cb_reoffload+0x20/0x80<br /> [ 4316.865905] fl_reoffload+0x47c/0x510 [cls_flower]<br /> [ 4316.869181] tcf_block_playback_offloads+0x91/0x1d0<br /> [ 4316.869649] tcf_block_unbind+0xe7/0x1b0<br /> [ 4316.870049] tcf_block_offload_cmd.isra.0+0x1ee/0x270<br /> [ 4316.879266] tcf_block_offload_unbind+0x61/0xa0<br /> [ 4316.879711] __tcf_block_put+0xa4/0x310

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bonding: restore bond&amp;#39;s IFF_SLAVE flag if a non-eth dev enslave fails<br /> <br /> syzbot reported a warning[1] where the bond device itself is a slave and<br /> we try to enslave a non-ethernet device as the first slave which fails<br /> but then in the error path when ether_setup() restores the bond device<br /> it also clears all flags. In my previous fix[2] I restored the<br /> IFF_MASTER flag, but I didn&amp;#39;t consider the case that the bond device<br /> itself might also be a slave with IFF_SLAVE set, so we need to restore<br /> that flag as well. Use the bond_ether_setup helper which does the right<br /> thing and restores the bond&amp;#39;s flags properly.<br /> <br /> Steps to reproduce using a nlmon dev:<br /> $ ip l add nlmon0 type nlmon<br /> $ ip l add bond1 type bond<br /> $ ip l add bond2 type bond<br /> $ ip l set bond1 master bond2<br /> $ ip l set dev nlmon0 master bond1<br /> $ ip -d l sh dev bond1<br /> 22: bond1: mtu 1500 qdisc noqueue master bond2 state DOWN mode DEFAULT group default qlen 1000<br /> (now bond1&amp;#39;s IFF_SLAVE flag is gone and we&amp;#39;ll hit a warning[3] if we<br /> try to delete it)<br /> <br /> [1] https://syzkaller.appspot.com/bug?id=391c7b1f6522182899efba27d891f1743e8eb3ef<br /> [2] commit 7d5cd2ce5292 ("bonding: correctly handle bonding type change on enslave failure")<br /> [3] example warning:<br /> [ 27.008664] bond1: (slave nlmon0): The slave device specified does not support setting the MAC address<br /> [ 27.008692] bond1: (slave nlmon0): Error -95 calling set_mac_address<br /> [ 32.464639] bond1 (unregistering): Released all slaves<br /> [ 32.464685] ------------[ cut here ]------------<br /> [ 32.464686] WARNING: CPU: 1 PID: 2004 at net/core/dev.c:10829 unregister_netdevice_many+0x72a/0x780<br /> [ 32.464694] Modules linked in: br_netfilter bridge bonding virtio_net<br /> [ 32.464699] CPU: 1 PID: 2004 Comm: ip Kdump: loaded Not tainted 5.18.0-rc3+ #47<br /> [ 32.464703] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014<br /> [ 32.464704] RIP: 0010:unregister_netdevice_many+0x72a/0x780<br /> [ 32.464707] Code: 99 fd ff ff ba 90 1a 00 00 48 c7 c6 f4 02 66 96 48 c7 c7 20 4d 35 96 c6 05 fa c7 2b 02 01 e8 be 6f 4a 00 0f 0b e9 73 fd ff ff 0b e9 5f fd ff ff 80 3d e3 c7 2b 02 00 0f 85 3b fd ff ff ba 59<br /> [ 32.464710] RSP: 0018:ffffa006422d7820 EFLAGS: 00010206<br /> [ 32.464712] RAX: ffff8f6e077140a0 RBX: ffffa006422d7888 RCX: 0000000000000000<br /> [ 32.464714] RDX: ffff8f6e12edbe58 RSI: 0000000000000296 RDI: ffffffff96d4a520<br /> [ 32.464716] RBP: ffff8f6e07714000 R08: ffffffff96d63600 R09: ffffa006422d7728<br /> [ 32.464717] R10: 0000000000000ec0 R11: ffffffff9698c988 R12: ffff8f6e12edb140<br /> [ 32.464719] R13: dead000000000122 R14: dead000000000100 R15: ffff8f6e12edb140<br /> [ 32.464723] FS: 00007f297c2f1740(0000) GS:ffff8f6e5d900000(0000) knlGS:0000000000000000<br /> [ 32.464725] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 32.464726] CR2: 00007f297bf1c800 CR3: 00000000115e8000 CR4: 0000000000350ee0<br /> [ 32.464730] Call Trace:<br /> [ 32.464763] <br /> [ 32.464767] rtnl_dellink+0x13e/0x380<br /> [ 32.464776] ? cred_has_capability.isra.0+0x68/0x100<br /> [ 32.464780] ? __rtnl_unlock+0x33/0x60<br /> [ 32.464783] ? bpf_lsm_capset+0x10/0x10<br /> [ 32.464786] ? security_capable+0x36/0x50<br /> [ 32.464790] rtnetlink_rcv_msg+0x14e/0x3b0<br /> [ 32.464792] ? _copy_to_iter+0xb1/0x790<br /> [ 32.464796] ? post_alloc_hook+0xa0/0x160<br /> [ 32.464799] ? rtnl_calcit.isra.0+0x110/0x110<br /> [ 32.464802] netlink_rcv_skb+0x50/0xf0<br /> [ 32.464806] netlink_unicast+0x216/0x340<br /> [ 32.464809] netlink_sendmsg+0x23f/0x480<br /> [ 32.464812] sock_sendmsg+0x5e/0x60<br /> [ 32.464815] ____sys_sendmsg+0x22c/0x270<br /> [ 32.464818] ? import_iovec+0x17/0x20<br /> [ 32.464821] ? sendmsg_copy_msghdr+0x59/0x90<br /> [ 32.464823] ? do_set_pte+0xa0/0xe0<br /> [ 32.464828] ___sys_sendmsg+0x81/0xc0<br /> [ 32.464832] ? mod_objcg_state+0xc6/0x300<br /> [ 32.464835] ? refill_obj_stock+0xa9/0x160<br /> [ 32.464838] ? memcg_slab_free_hook+0x1a5/0x1f0<br /> [ 32.464842] __sys_sendm<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: xsk: disable txq irq before flushing hw<br /> <br /> ice_qp_dis() intends to stop a given queue pair that is a target of xsk<br /> pool attach/detach. One of the steps is to disable interrupts on these<br /> queues. It currently is broken in a way that txq irq is turned off<br /> *after* HW flush which in turn takes no effect.<br /> <br /> ice_qp_dis():<br /> -&gt; ice_qvec_dis_irq()<br /> --&gt; disable rxq irq<br /> --&gt; flush hw<br /> -&gt; ice_vsi_stop_tx_ring()<br /> --&gt;disable txq irq<br /> <br /> Below splat can be triggered by following steps:<br /> - start xdpsock WITHOUT loading xdp prog<br /> - run xdp_rxq_info with XDP_TX action on this interface<br /> - start traffic<br /> - terminate xdpsock<br /> <br /> [ 256.312485] BUG: kernel NULL pointer dereference, address: 0000000000000018<br /> [ 256.319560] #PF: supervisor read access in kernel mode<br /> [ 256.324775] #PF: error_code(0x0000) - not-present page<br /> [ 256.329994] PGD 0 P4D 0<br /> [ 256.332574] Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> [ 256.337006] CPU: 3 PID: 32 Comm: ksoftirqd/3 Tainted: G OE 6.2.0-rc5+ #51<br /> [ 256.345218] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019<br /> [ 256.355807] RIP: 0010:ice_clean_rx_irq_zc+0x9c/0x7d0 [ice]<br /> [ 256.361423] Code: b7 8f 8a 00 00 00 66 39 ca 0f 84 f1 04 00 00 49 8b 47 40 4c 8b 24 d0 41 0f b7 45 04 66 25 ff 3f 66 89 04 24 0f 84 85 02 00 00 8b 44 24 18 0f b7 14 24 48 05 00 01 00 00 49 89 04 24 49 89 44<br /> [ 256.380463] RSP: 0018:ffffc900088bfd20 EFLAGS: 00010206<br /> [ 256.385765] RAX: 000000000000003c RBX: 0000000000000035 RCX: 000000000000067f<br /> [ 256.393012] RDX: 0000000000000775 RSI: 0000000000000000 RDI: ffff8881deb3ac80<br /> [ 256.400256] RBP: 000000000000003c R08: ffff889847982710 R09: 0000000000010000<br /> [ 256.407500] R10: ffffffff82c060c0 R11: 0000000000000004 R12: 0000000000000000<br /> [ 256.414746] R13: ffff88811165eea0 R14: ffffc9000d255000 R15: ffff888119b37600<br /> [ 256.421990] FS: 0000000000000000(0000) GS:ffff8897e0cc0000(0000) knlGS:0000000000000000<br /> [ 256.430207] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 256.436036] CR2: 0000000000000018 CR3: 0000000005c0a006 CR4: 00000000007706e0<br /> [ 256.443283] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [ 256.450527] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [ 256.457770] PKRU: 55555554<br /> [ 256.460529] Call Trace:<br /> [ 256.463015] <br /> [ 256.465157] ? ice_xmit_zc+0x6e/0x150 [ice]<br /> [ 256.469437] ice_napi_poll+0x46d/0x680 [ice]<br /> [ 256.473815] ? _raw_spin_unlock_irqrestore+0x1b/0x40<br /> [ 256.478863] __napi_poll+0x29/0x160<br /> [ 256.482409] net_rx_action+0x136/0x260<br /> [ 256.486222] __do_softirq+0xe8/0x2e5<br /> [ 256.489853] ? smpboot_thread_fn+0x2c/0x270<br /> [ 256.494108] run_ksoftirqd+0x2a/0x50<br /> [ 256.497747] smpboot_thread_fn+0x1c1/0x270<br /> [ 256.501907] ? __pfx_smpboot_thread_fn+0x10/0x10<br /> [ 256.506594] kthread+0xea/0x120<br /> [ 256.509785] ? __pfx_kthread+0x10/0x10<br /> [ 256.513597] ret_from_fork+0x29/0x50<br /> [ 256.517238] <br /> <br /> In fact, irqs were not disabled and napi managed to be scheduled and run<br /> while xsk_pool pointer was still valid, but SW ring of xdp_buff pointers<br /> was already freed.<br /> <br /> To fix this, call ice_qvec_dis_irq() after ice_vsi_stop_tx_ring(). Also<br /> while at it, remove redundant ice_clean_rx_ring() call - this is handled<br /> in ice_qp_clean_rings().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: zero i_disksize when initializing the bootloader inode<br /> <br /> If the boot loader inode has never been used before, the<br /> EXT4_IOC_SWAP_BOOT inode will initialize it, including setting the<br /> i_size to 0. However, if the "never before used" boot loader has a<br /> non-zero i_size, then i_disksize will be non-zero, and the<br /> inconsistency between i_size and i_disksize can trigger a kernel<br /> warning:<br /> <br /> WARNING: CPU: 0 PID: 2580 at fs/ext4/file.c:319<br /> CPU: 0 PID: 2580 Comm: bb Not tainted 6.3.0-rc1-00004-g703695902cfa<br /> RIP: 0010:ext4_file_write_iter+0xbc7/0xd10<br /> Call Trace:<br /> vfs_write+0x3b1/0x5c0<br /> ksys_write+0x77/0x160<br /> __x64_sys_write+0x22/0x30<br /> do_syscall_64+0x39/0x80<br /> <br /> Reproducer:<br /> 1. create corrupted image and mount it:<br /> mke2fs -t ext4 /tmp/foo.img 200<br /> debugfs -wR "sif size 25700" /tmp/foo.img<br /> mount -t ext4 /tmp/foo.img /mnt<br /> cd /mnt<br /> echo 123 &gt; file<br /> 2. Run the reproducer program:<br /> posix_memalign(&amp;buf, 1024, 1024)<br /> fd = open("file", O_RDWR | O_DIRECT);<br /> ioctl(fd, EXT4_IOC_SWAP_BOOT);<br /> write(fd, buf, 1024);<br /> <br /> Fix this by setting i_disksize as well as i_size to zero when<br /> initiaizing the boot loader inode.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix WARNING in ext4_update_inline_data<br /> <br /> Syzbot found the following issue:<br /> EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none.<br /> fscrypt: AES-256-CTS-CBC using implementation "cts-cbc-aes-aesni"<br /> fscrypt: AES-256-XTS using implementation "xts-aes-aesni"<br /> ------------[ cut here ]------------<br /> WARNING: CPU: 0 PID: 5071 at mm/page_alloc.c:5525 __alloc_pages+0x30a/0x560 mm/page_alloc.c:5525<br /> Modules linked in:<br /> CPU: 1 PID: 5071 Comm: syz-executor263 Not tainted 6.2.0-rc1-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022<br /> RIP: 0010:__alloc_pages+0x30a/0x560 mm/page_alloc.c:5525<br /> RSP: 0018:ffffc90003c2f1c0 EFLAGS: 00010246<br /> RAX: ffffc90003c2f220 RBX: 0000000000000014 RCX: 0000000000000000<br /> RDX: 0000000000000028 RSI: 0000000000000000 RDI: ffffc90003c2f248<br /> RBP: ffffc90003c2f2d8 R08: dffffc0000000000 R09: ffffc90003c2f220<br /> R10: fffff52000785e49 R11: 1ffff92000785e44 R12: 0000000000040d40<br /> R13: 1ffff92000785e40 R14: dffffc0000000000 R15: 1ffff92000785e3c<br /> FS: 0000555556c0d300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f95d5e04138 CR3: 00000000793aa000 CR4: 00000000003506f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> __alloc_pages_node include/linux/gfp.h:237 [inline]<br /> alloc_pages_node include/linux/gfp.h:260 [inline]<br /> __kmalloc_large_node+0x95/0x1e0 mm/slab_common.c:1113<br /> __do_kmalloc_node mm/slab_common.c:956 [inline]<br /> __kmalloc+0xfe/0x190 mm/slab_common.c:981<br /> kmalloc include/linux/slab.h:584 [inline]<br /> kzalloc include/linux/slab.h:720 [inline]<br /> ext4_update_inline_data+0x236/0x6b0 fs/ext4/inline.c:346<br /> ext4_update_inline_dir fs/ext4/inline.c:1115 [inline]<br /> ext4_try_add_inline_entry+0x328/0x990 fs/ext4/inline.c:1307<br /> ext4_add_entry+0x5a4/0xeb0 fs/ext4/namei.c:2385<br /> ext4_add_nondir+0x96/0x260 fs/ext4/namei.c:2772<br /> ext4_create+0x36c/0x560 fs/ext4/namei.c:2817<br /> lookup_open fs/namei.c:3413 [inline]<br /> open_last_lookups fs/namei.c:3481 [inline]<br /> path_openat+0x12ac/0x2dd0 fs/namei.c:3711<br /> do_filp_open+0x264/0x4f0 fs/namei.c:3741<br /> do_sys_openat2+0x124/0x4e0 fs/open.c:1310<br /> do_sys_open fs/open.c:1326 [inline]<br /> __do_sys_openat fs/open.c:1342 [inline]<br /> __se_sys_openat fs/open.c:1337 [inline]<br /> __x64_sys_openat+0x243/0x290 fs/open.c:1337<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> Above issue happens as follows:<br /> ext4_iget<br /> ext4_find_inline_data_nolock -&gt;i_inline_off=164 i_inline_size=60<br /> ext4_try_add_inline_entry<br /> __ext4_mark_inode_dirty<br /> ext4_expand_extra_isize_ea -&gt;i_extra_isize=32 s_want_extra_isize=44<br /> ext4_xattr_shift_entries<br /> -&gt;after shift i_inline_off is incorrect, actually is change to 176<br /> ext4_try_add_inline_entry<br /> ext4_update_inline_dir<br /> get_max_inline_xattr_value_size<br /> if (EXT4_I(inode)-&gt;i_inline_off)<br /> entry = (struct ext4_xattr_entry *)((void *)raw_inode +<br /> EXT4_I(inode)-&gt;i_inline_off);<br /> free += EXT4_XATTR_SIZE(le32_to_cpu(entry-&gt;e_value_size));<br /> -&gt;As entry is incorrect, then &amp;#39;free&amp;#39; may be negative<br /> ext4_update_inline_data<br /> value = kzalloc(len, GFP_NOFS);<br /> -&gt; len is unsigned int, maybe very large, then trigger warning when<br /> &amp;#39;kzalloc()&amp;#39;<br /> <br /> To resolve the above issue we need to update &amp;#39;i_inline_off&amp;#39; after<br /> &amp;#39;ext4_xattr_shift_entries()&amp;#39;. We do not need to set<br /> EXT4_STATE_MAY_INLINE_DATA flag here, since ext4_mark_inode_dirty()<br /> already sets this flag if needed. Setting EXT4_STATE_MAY_INLINE_DATA<br /> when it is needed may trigger a BUG_ON in ext4_writepages().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> firmware: xilinx: don&amp;#39;t make a sleepable memory allocation from an atomic context<br /> <br /> The following issue was discovered using lockdep:<br /> [ 6.691371] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:209<br /> [ 6.694602] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 1, name: swapper/0<br /> [ 6.702431] 2 locks held by swapper/0/1:<br /> [ 6.706300] #0: ffffff8800f6f188 (&amp;dev-&gt;mutex){....}-{3:3}, at: __device_driver_lock+0x4c/0x90<br /> [ 6.714900] #1: ffffffc009a2abb8 (enable_lock){....}-{2:2}, at: clk_enable_lock+0x4c/0x140<br /> [ 6.723156] irq event stamp: 304030<br /> [ 6.726596] hardirqs last enabled at (304029): [] _raw_spin_unlock_irqrestore+0xc0/0xd0<br /> [ 6.736142] hardirqs last disabled at (304030): [] clk_enable_lock+0xfc/0x140<br /> [ 6.744742] softirqs last enabled at (303958): [] _stext+0x4f0/0x894<br /> [ 6.752655] softirqs last disabled at (303951): [] irq_exit+0x238/0x280<br /> [ 6.760744] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G U 5.15.36 #2<br /> [ 6.768048] Hardware name: xlnx,zynqmp (DT)<br /> [ 6.772179] Call trace:<br /> [ 6.774584] dump_backtrace+0x0/0x300<br /> [ 6.778197] show_stack+0x18/0x30<br /> [ 6.781465] dump_stack_lvl+0xb8/0xec<br /> [ 6.785077] dump_stack+0x1c/0x38<br /> [ 6.788345] ___might_sleep+0x1a8/0x2a0<br /> [ 6.792129] __might_sleep+0x6c/0xd0<br /> [ 6.795655] kmem_cache_alloc_trace+0x270/0x3d0<br /> [ 6.800127] do_feature_check_call+0x100/0x220<br /> [ 6.804513] zynqmp_pm_invoke_fn+0x8c/0xb0<br /> [ 6.808555] zynqmp_pm_clock_getstate+0x90/0xe0<br /> [ 6.813027] zynqmp_pll_is_enabled+0x8c/0x120<br /> [ 6.817327] zynqmp_pll_enable+0x38/0xc0<br /> [ 6.821197] clk_core_enable+0x144/0x400<br /> [ 6.825067] clk_core_enable+0xd4/0x400<br /> [ 6.828851] clk_core_enable+0xd4/0x400<br /> [ 6.832635] clk_core_enable+0xd4/0x400<br /> [ 6.836419] clk_core_enable+0xd4/0x400<br /> [ 6.840203] clk_core_enable+0xd4/0x400<br /> [ 6.843987] clk_core_enable+0xd4/0x400<br /> [ 6.847771] clk_core_enable+0xd4/0x400<br /> [ 6.851555] clk_core_enable_lock+0x24/0x50<br /> [ 6.855683] clk_enable+0x24/0x40<br /> [ 6.858952] fclk_probe+0x84/0xf0<br /> [ 6.862220] platform_probe+0x8c/0x110<br /> [ 6.865918] really_probe+0x110/0x5f0<br /> [ 6.869530] __driver_probe_device+0xcc/0x210<br /> [ 6.873830] driver_probe_device+0x64/0x140<br /> [ 6.877958] __driver_attach+0x114/0x1f0<br /> [ 6.881828] bus_for_each_dev+0xe8/0x160<br /> [ 6.885698] driver_attach+0x34/0x50<br /> [ 6.889224] bus_add_driver+0x228/0x300<br /> [ 6.893008] driver_register+0xc0/0x1e0<br /> [ 6.896792] __platform_driver_register+0x44/0x60<br /> [ 6.901436] fclk_driver_init+0x1c/0x28<br /> [ 6.905220] do_one_initcall+0x104/0x590<br /> [ 6.909091] kernel_init_freeable+0x254/0x2bc<br /> [ 6.913390] kernel_init+0x24/0x130<br /> [ 6.916831] ret_from_fork+0x10/0x20<br /> <br /> Fix it by passing the GFP_ATOMIC gfp flag for the corresponding<br /> memory allocation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: rc: gpio-ir-recv: add remove function<br /> <br /> In case runtime PM is enabled, do runtime PM clean up to remove<br /> cpu latency qos request, otherwise driver removal may have below<br /> kernel dump:<br /> <br /> [ 19.463299] Unable to handle kernel NULL pointer dereference at<br /> virtual address 0000000000000048<br /> [ 19.472161] Mem abort info:<br /> [ 19.474985] ESR = 0x0000000096000004<br /> [ 19.478754] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 19.484081] SET = 0, FnV = 0<br /> [ 19.487149] EA = 0, S1PTW = 0<br /> [ 19.490361] FSC = 0x04: level 0 translation fault<br /> [ 19.495256] Data abort info:<br /> [ 19.498149] ISV = 0, ISS = 0x00000004<br /> [ 19.501997] CM = 0, WnR = 0<br /> [ 19.504977] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000049f81000<br /> [ 19.511432] [0000000000000048] pgd=0000000000000000,<br /> p4d=0000000000000000<br /> [ 19.518245] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP<br /> [ 19.524520] Modules linked in: gpio_ir_recv(+) rc_core [last<br /> unloaded: rc_core]<br /> [ 19.531845] CPU: 0 PID: 445 Comm: insmod Not tainted<br /> 6.2.0-rc1-00028-g2c397a46d47c #72<br /> [ 19.531854] Hardware name: FSL i.MX8MM EVK board (DT)<br /> [ 19.531859] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS<br /> BTYPE=--)<br /> [ 19.551777] pc : cpu_latency_qos_remove_request+0x20/0x110<br /> [ 19.557277] lr : gpio_ir_recv_runtime_suspend+0x18/0x30<br /> [gpio_ir_recv]<br /> [ 19.557294] sp : ffff800008ce3740<br /> [ 19.557297] x29: ffff800008ce3740 x28: 0000000000000000 x27:<br /> ffff800008ce3d50<br /> [ 19.574270] x26: ffffc7e3e9cea100 x25: 00000000000f4240 x24:<br /> ffffc7e3f9ef0e30<br /> [ 19.574284] x23: 0000000000000000 x22: ffff0061803820f4 x21:<br /> 0000000000000008<br /> [ 19.574296] x20: ffffc7e3fa75df30 x19: 0000000000000020 x18:<br /> ffffffffffffffff<br /> [ 19.588570] x17: 0000000000000000 x16: ffffc7e3f9efab70 x15:<br /> ffffffffffffffff<br /> [ 19.595712] x14: ffff800008ce37b8 x13: ffff800008ce37aa x12:<br /> 0000000000000001<br /> [ 19.602853] x11: 0000000000000001 x10: ffffcbe3ec0dff87 x9 :<br /> 0000000000000008<br /> [ 19.609991] x8 : 0101010101010101 x7 : 0000000000000000 x6 :<br /> 000000000f0bfe9f<br /> [ 19.624261] x5 : 00ffffffffffffff x4 : 0025ab8e00000000 x3 :<br /> ffff006180382010<br /> [ 19.631405] x2 : ffffc7e3e9ce8030 x1 : ffffc7e3fc3eb810 x0 :<br /> 0000000000000020<br /> [ 19.638548] Call trace:<br /> [ 19.640995] cpu_latency_qos_remove_request+0x20/0x110<br /> [ 19.646142] gpio_ir_recv_runtime_suspend+0x18/0x30 [gpio_ir_recv]<br /> [ 19.652339] pm_generic_runtime_suspend+0x2c/0x44<br /> [ 19.657055] __rpm_callback+0x48/0x1dc<br /> [ 19.660807] rpm_callback+0x6c/0x80<br /> [ 19.664301] rpm_suspend+0x10c/0x640<br /> [ 19.667880] rpm_idle+0x250/0x2d0<br /> [ 19.671198] update_autosuspend+0x38/0xe0<br /> [ 19.675213] pm_runtime_set_autosuspend_delay+0x40/0x60<br /> [ 19.680442] gpio_ir_recv_probe+0x1b4/0x21c [gpio_ir_recv]<br /> [ 19.685941] platform_probe+0x68/0xc0<br /> [ 19.689610] really_probe+0xc0/0x3dc<br /> [ 19.693189] __driver_probe_device+0x7c/0x190<br /> [ 19.697550] driver_probe_device+0x3c/0x110<br /> [ 19.701739] __driver_attach+0xf4/0x200<br /> [ 19.705578] bus_for_each_dev+0x70/0xd0<br /> [ 19.709417] driver_attach+0x24/0x30<br /> [ 19.712998] bus_add_driver+0x17c/0x240<br /> [ 19.716834] driver_register+0x78/0x130<br /> [ 19.720676] __platform_driver_register+0x28/0x34<br /> [ 19.725386] gpio_ir_recv_driver_init+0x20/0x1000 [gpio_ir_recv]<br /> [ 19.731404] do_one_initcall+0x44/0x2ac<br /> [ 19.735243] do_init_module+0x48/0x1d0<br /> [ 19.739003] load_module+0x19fc/0x2034<br /> [ 19.742759] __do_sys_finit_module+0xac/0x12c<br /> [ 19.747124] __arm64_sys_finit_module+0x20/0x30<br /> [ 19.751664] invoke_syscall+0x48/0x114<br /> [ 19.755420] el0_svc_common.constprop.0+0xcc/0xec<br /> [ 19.760132] do_el0_svc+0x38/0xb0<br /> [ 19.763456] el0_svc+0x2c/0x84<br /> [ 19.766516] el0t_64_sync_handler+0xf4/0x120<br /> [ 19.770789] el0t_64_sync+0x190/0x194<br /> [ 19.774460] Code: 910003fd a90153f3 aa0003f3 91204021 (f9401400)<br /> [ 19.780556] ---[ end trace 0000000000000000 ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/iommu: fix memory leak with using debugfs_lookup()<br /> <br /> When calling debugfs_lookup() the result must have dput() called on it,<br /> otherwise the memory will leak over time. To make things simpler, just<br /> call debugfs_lookup_and_remove() instead which handles all of the logic<br /> at once.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> interconnect: fix mem leak when freeing nodes<br /> <br /> The node link array is allocated when adding links to a node but is not<br /> deallocated when nodes are destroyed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/ttm: Fix a NULL pointer dereference<br /> <br /> The LRU mechanism may look up a resource in the process of being removed<br /> from an object. The locking rules here are a bit unclear but it looks<br /> currently like res-&gt;bo assignment is protected by the LRU lock, whereas<br /> bo-&gt;resource is protected by the object lock, while *clearing* of<br /> bo-&gt;resource is also protected by the LRU lock. This means that if<br /> we check that bo-&gt;resource points to the LRU resource under the LRU<br /> lock we should be safe.<br /> So perform that check before deciding to swap out a bo. That avoids<br /> dereferencing a NULL bo-&gt;resource in ttm_bo_swapout().