Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure<br /> <br /> When a context DAMON sysfs directory setup is failed after setup of attrs/<br /> directory, subdirectories of attrs/ directory are not cleaned up. As a<br /> result, DAMON sysfs interface is nearly broken until the system reboots,<br /> and the memory for the unremoved directory is leaked.<br /> <br /> Cleanup the directories under such failures.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> virtio_net: Fix misalignment bug in struct virtnet_info<br /> <br /> Use the new TRAILING_OVERLAP() helper to fix a misalignment bug<br /> along with the following warning:<br /> <br /> drivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]<br /> <br /> This helper creates a union between a flexible-array member (FAM)<br /> and a set of members that would otherwise follow it (in this case<br /> `u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];`). This<br /> overlays the trailing members (rss_hash_key_data) onto the FAM<br /> (hash_key_data) while keeping the FAM and the start of MEMBERS aligned.<br /> The static_assert() ensures this alignment remains.<br /> <br /> Notice that due to tail padding in flexible `struct<br /> virtio_net_rss_config_trailer`, `rss_trailer.hash_key_data`<br /> (at offset 83 in struct virtnet_info) and `rss_hash_key_data` (at<br /> offset 84 in struct virtnet_info) are misaligned by one byte. See<br /> below:<br /> <br /> struct virtio_net_rss_config_trailer {<br /> __le16 max_tx_vq; /* 0 2 */<br /> __u8 hash_key_length; /* 2 1 */<br /> __u8 hash_key_data[]; /* 3 0 */<br /> <br /> /* size: 4, cachelines: 1, members: 3 */<br /> /* padding: 1 */<br /> /* last cacheline: 4 bytes */<br /> };<br /> <br /> struct virtnet_info {<br /> ...<br /> struct virtio_net_rss_config_trailer rss_trailer; /* 80 4 */<br /> <br /> /* XXX last struct has 1 byte of padding */<br /> <br /> u8 rss_hash_key_data[40]; /* 84 40 */<br /> ...<br /> /* size: 832, cachelines: 13, members: 48 */<br /> /* sum members: 801, holes: 8, sum holes: 31 */<br /> /* paddings: 2, sum paddings: 5 */<br /> };<br /> <br /> After changes, those members are correctly aligned at offset 795:<br /> <br /> struct virtnet_info {<br /> ...<br /> union {<br /> struct virtio_net_rss_config_trailer rss_trailer; /* 792 4 */<br /> struct {<br /> unsigned char __offset_to_hash_key_data[3]; /* 792 3 */<br /> u8 rss_hash_key_data[40]; /* 795 40 */<br /> }; /* 792 43 */<br /> }; /* 792 44 */<br /> ...<br /> /* size: 840, cachelines: 14, members: 47 */<br /> /* sum members: 801, holes: 8, sum holes: 35 */<br /> /* padding: 4 */<br /> /* paddings: 1, sum paddings: 4 */<br /> /* last cacheline: 8 bytes */<br /> };<br /> <br /> As a result, the RSS key passed to the device is shifted by 1<br /> byte: the last byte is cut off, and instead a (possibly<br /> uninitialized) byte is added at the beginning.<br /> <br /> As a last note `struct virtio_net_rss_config_hdr *rss_hdr;` is also<br /> moved to the end, since it seems those three members should stick<br /> around together. :)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure<br /> <br /> When a DAMOS-scheme DAMON sysfs directory setup fails after setup of<br /> access_pattern/ directory, subdirectories of access_pattern/ directory are<br /> not cleaned up. As a result, DAMON sysfs interface is nearly broken until<br /> the system reboots, and the memory for the unremoved directory is leaked.<br /> <br /> Cleanup the directories under such failures.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: send: check for inline extents in range_is_hole_in_parent()<br /> <br /> Before accessing the disk_bytenr field of a file extent item we need<br /> to check if we are dealing with an inline extent.<br /> This is because for inline extents their data starts at the offset of<br /> the disk_bytenr field. So accessing the disk_bytenr<br /> means we are accessing inline data or in case the inline data is less<br /> than 8 bytes we can actually cause an invalid<br /> memory access if this inline extent item is the first item in the leaf<br /> or access metadata from other items.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf, test_run: Subtract size of xdp_frame from allowed metadata size<br /> <br /> The xdp_frame structure takes up part of the XDP frame headroom,<br /> limiting the size of the metadata. However, in bpf_test_run, we don&amp;#39;t<br /> take this into account, which makes it possible for userspace to supply<br /> a metadata size that is too large (taking up the entire headroom).<br /> <br /> If userspace supplies such a large metadata size in live packet mode,<br /> the xdp_update_frame_from_buff() call in xdp_test_run_init_page() call<br /> will fail, after which packet transmission proceeds with an<br /> uninitialised frame structure, leading to the usual Bad Stuff.<br /> <br /> The commit in the Fixes tag fixed a related bug where the second check<br /> in xdp_update_frame_from_buff() could fail, but did not add any<br /> additional constraints on the metadata size. Complete the fix by adding<br /> an additional check on the metadata size. Reorder the checks slightly to<br /> make the logic clearer and add a comment.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_conncount: update last_gc only when GC has been performed<br /> <br /> Currently last_gc is being updated everytime a new connection is<br /> tracked, that means that it is updated even if a GC wasn&amp;#39;t performed.<br /> With a sufficiently high packet rate, it is possible to always bypass<br /> the GC, causing the list to grow infinitely.<br /> <br /> Update the last_gc value only when a GC has been actually performed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing: Add recursion protection in kernel stack trace recording<br /> <br /> A bug was reported about an infinite recursion caused by tracing the rcu<br /> events with the kernel stack trace trigger enabled. The stack trace code<br /> called back into RCU which then called the stack trace again.<br /> <br /> Expand the ftrace recursion protection to add a set of bits to protect<br /> events from recursion. Each bit represents the context that the event is<br /> in (normal, softirq, interrupt and NMI).<br /> <br /> Have the stack trace code use the interrupt context to protect against<br /> recursion.<br /> <br /> Note, the bug showed an issue in both the RCU code as well as the tracing<br /> stacktrace code. This only handles the tracing stack trace side of the<br /> bug. The RCU fix will be handled separately.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> of: unittest: Fix memory leak in unittest_data_add()<br /> <br /> In unittest_data_add(), if of_resolve_phandles() fails, the allocated<br /> unittest_data is not freed, leading to a memory leak.<br /> <br /> Fix this by using scope-based cleanup helper __free(kfree) for automatic<br /> resource cleanup. This ensures unittest_data is automatically freed when<br /> it goes out of scope in error paths.<br /> <br /> For the success path, use retain_and_null_ptr() to transfer ownership<br /> of the memory to the device tree and prevent double freeing.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: reset sparse-read state in osd_fault()<br /> <br /> When a fault occurs, the connection is abandoned, reestablished, and any<br /> pending operations are retried. The OSD client tracks the progress of a<br /> sparse-read reply using a separate state machine, largely independent of<br /> the messenger&amp;#39;s state.<br /> <br /> If a connection is lost mid-payload or the sparse-read state machine<br /> returns an error, the sparse-read state is not reset. The OSD client<br /> will then interpret the beginning of a new reply as the continuation of<br /> the old one. If this makes the sparse-read machinery enter a failure<br /> state, it may never recover, producing loops like:<br /> <br /> libceph: [0] got 0 extents<br /> libceph: data len 142248331 != extent len 0<br /> libceph: osd0 (1)...:6801 socket error on read<br /> libceph: data len 142248331 != extent len 0<br /> libceph: osd0 (1)...:6801 socket error on read<br /> <br /> Therefore, reset the sparse-read state in osd_fault(), ensuring retries<br /> start from a clean state.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath12k: fix dma_free_coherent() pointer<br /> <br /> dma_alloc_coherent() allocates a DMA mapped buffer and stores the<br /> addresses in XXX_unaligned fields. Those should be reused when freeing<br /> the buffer rather than the aligned addresses.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> slab: fix kmalloc_nolock() context check for PREEMPT_RT<br /> <br /> On PREEMPT_RT kernels, local_lock becomes a sleeping lock. The current<br /> check in kmalloc_nolock() only verifies we&amp;#39;re not in NMI or hard IRQ<br /> context, but misses the case where preemption is disabled.<br /> <br /> When a BPF program runs from a tracepoint with preemption disabled<br /> (preempt_count &gt; 0), kmalloc_nolock() proceeds to call<br /> local_lock_irqsave() which attempts to acquire a sleeping lock,<br /> triggering:<br /> <br /> BUG: sleeping function called from invalid context<br /> in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6128<br /> preempt_count: 2, expected: 0<br /> <br /> Fix this by checking !preemptible() on PREEMPT_RT, which directly<br /> expresses the constraint that we cannot take a sleeping lock when<br /> preemption is disabled. This encompasses the previous checks for NMI<br /> and hard IRQ contexts while also catching cases where preemption is<br /> disabled.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath10k: fix dma_free_coherent() pointer<br /> <br /> dma_alloc_coherent() allocates a DMA mapped buffer and stores the<br /> addresses in XXX_unaligned fields. Those should be reused when freeing<br /> the buffer rather than the aligned addresses.