Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ata: pata_macio: Fix DMA table overflow<br /> <br /> Kolbjørn and Jonáš reported that their 32-bit PowerMacs were crashing<br /> in pata-macio since commit 09fe2bfa6b83 ("ata: pata_macio: Fix<br /> max_segment_size with PAGE_SIZE == 64K").<br /> <br /> For example:<br /> <br /> kernel BUG at drivers/ata/pata_macio.c:544!<br /> Oops: Exception in kernel mode, sig: 5 [#1]<br /> BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 DEBUG_PAGEALLOC PowerMac<br /> ...<br /> NIP pata_macio_qc_prep+0xf4/0x190<br /> LR pata_macio_qc_prep+0xfc/0x190<br /> Call Trace:<br /> 0xc1421660 (unreliable)<br /> ata_qc_issue+0x14c/0x2d4<br /> __ata_scsi_queuecmd+0x200/0x53c<br /> ata_scsi_queuecmd+0x50/0xe0<br /> scsi_queue_rq+0x788/0xb1c<br /> __blk_mq_issue_directly+0x58/0xf4<br /> blk_mq_plug_issue_direct+0x8c/0x1b4<br /> blk_mq_flush_plug_list.part.0+0x584/0x5e0<br /> __blk_flush_plug+0xf8/0x194<br /> __submit_bio+0x1b8/0x2e0<br /> submit_bio_noacct_nocheck+0x230/0x304<br /> btrfs_work_helper+0x200/0x338<br /> process_one_work+0x1a8/0x338<br /> worker_thread+0x364/0x4c0<br /> kthread+0x100/0x104<br /> start_kernel_thread+0x10/0x14<br /> <br /> That commit increased max_segment_size to 64KB, with the justification<br /> that the SCSI core was already using that size when PAGE_SIZE == 64KB,<br /> and that there was existing logic to split over-sized requests.<br /> <br /> However with a sufficiently large request, the splitting logic causes<br /> each sg to be split into two commands in the DMA table, leading to<br /> overflow of the DMA table, triggering the BUG_ON().<br /> <br /> With default settings the bug doesn&amp;#39;t trigger, because the request size<br /> is limited by max_sectors_kb == 1280, however max_sectors_kb can be<br /> increased, and apparently some distros do that by default using udev<br /> rules.<br /> <br /> Fix the bug for 4KB kernels by reverting to the old max_segment_size.<br /> <br /> For 64KB kernels the sg_tablesize needs to be halved, to allow for the<br /> possibility that each sg will be split into two.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe: Free job before xe_exec_queue_put<br /> <br /> Free job depends on job-&gt;vm being valid, the last xe_exec_queue_put can<br /> destroy the VM. Prevent UAF by freeing job before xe_exec_queue_put.<br /> <br /> (cherry picked from commit 32a42c93b74c8ca6d0915ea3eba21bceff53042f)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe: Fix missing workqueue destroy in xe_gt_pagefault<br /> <br /> On driver reload we never free up the memory for the pagefault and<br /> access counter workqueues. Add those destroy calls here.<br /> <br /> (cherry picked from commit 7586fc52b14e0b8edd0d1f8a434e0de2078b7b2b)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe: Fix opregion leak<br /> <br /> Being part o the display, ideally the setup and cleanup would be done by<br /> display itself. However this is a bigger refactor that needs to be done<br /> on both i915 and xe. For now, just fix the leak:<br /> <br /> unreferenced object 0xffff8881a0300008 (size 192):<br /> comm "modprobe", pid 4354, jiffies 4295647021<br /> hex dump (first 32 bytes):<br /> 00 00 87 27 81 88 ff ff 18 80 9b 00 00 c9 ff ff ...&amp;#39;............<br /> 18 81 9b 00 00 c9 ff ff 00 00 00 00 00 00 00 00 ................<br /> backtrace (crc 99260e31):<br /> [] kmemleak_alloc+0x4b/0x80<br /> [] kmalloc_trace_noprof+0x312/0x3d0<br /> [] intel_opregion_setup+0x89/0x700 [xe]<br /> [] xe_display_init_noirq+0x2f/0x90 [xe]<br /> [] xe_device_probe+0x7a3/0xbf0 [xe]<br /> [] xe_pci_probe+0x333/0x5b0 [xe]<br /> [] local_pci_probe+0x48/0xb0<br /> [] pci_device_probe+0xc8/0x280<br /> [] really_probe+0xf8/0x390<br /> [] __driver_probe_device+0x8a/0x170<br /> [] driver_probe_device+0x23/0xb0<br /> [] __driver_attach+0xc7/0x190<br /> [] bus_for_each_dev+0x7d/0xd0<br /> [] driver_attach+0x1e/0x30<br /> [] bus_add_driver+0x117/0x250<br /> <br /> (cherry picked from commit 6f4e43a2f771b737d991142ec4f6d4b7ff31fbb4)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> workqueue: Fix UBSAN &amp;#39;subtraction overflow&amp;#39; error in shift_and_mask()<br /> <br /> UBSAN reports the following &amp;#39;subtraction overflow&amp;#39; error when booting<br /> in a virtual machine on Android:<br /> <br /> | Internal error: UBSAN: integer subtraction overflow: 00000000f2005515 [#1] PREEMPT SMP<br /> | Modules linked in:<br /> | CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-00006-g3cbe9e5abd46-dirty #4<br /> | Hardware name: linux,dummy-virt (DT)<br /> | pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> | pc : cancel_delayed_work+0x34/0x44<br /> | lr : cancel_delayed_work+0x2c/0x44<br /> | sp : ffff80008002ba60<br /> | x29: ffff80008002ba60 x28: 0000000000000000 x27: 0000000000000000<br /> | x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000<br /> | x23: 0000000000000000 x22: 0000000000000000 x21: ffff1f65014cd3c0<br /> | x20: ffffc0e84c9d0da0 x19: ffffc0e84cab3558 x18: ffff800080009058<br /> | x17: 00000000247ee1f8 x16: 00000000247ee1f8 x15: 00000000bdcb279d<br /> | x14: 0000000000000001 x13: 0000000000000075 x12: 00000a0000000000<br /> | x11: ffff1f6501499018 x10: 00984901651fffff x9 : ffff5e7cc35af000<br /> | x8 : 0000000000000001 x7 : 3d4d455453595342 x6 : 000000004e514553<br /> | x5 : ffff1f6501499265 x4 : ffff1f650ff60b10 x3 : 0000000000000620<br /> | x2 : ffff80008002ba78 x1 : 0000000000000000 x0 : 0000000000000000<br /> | Call trace:<br /> | cancel_delayed_work+0x34/0x44<br /> | deferred_probe_extend_timeout+0x20/0x70<br /> | driver_register+0xa8/0x110<br /> | __platform_driver_register+0x28/0x3c<br /> | syscon_init+0x24/0x38<br /> | do_one_initcall+0xe4/0x338<br /> | do_initcall_level+0xac/0x178<br /> | do_initcalls+0x5c/0xa0<br /> | do_basic_setup+0x20/0x30<br /> | kernel_init_freeable+0x8c/0xf8<br /> | kernel_init+0x28/0x1b4<br /> | ret_from_fork+0x10/0x20<br /> | Code: f9000fbf 97fffa2f 39400268 37100048 (d42aa2a0)<br /> | ---[ end trace 0000000000000000 ]---<br /> | Kernel panic - not syncing: UBSAN: integer subtraction overflow: Fatal exception<br /> <br /> This is due to shift_and_mask() using a signed immediate to construct<br /> the mask and being called with a shift of 31 (WORK_OFFQ_POOL_SHIFT) so<br /> that it ends up decrementing from INT_MIN.<br /> <br /> Use an unsigned constant &amp;#39;1U&amp;#39; to generate the mask in shift_and_mask().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bnxt_en: Fix double DMA unmapping for XDP_REDIRECT<br /> <br /> Remove the dma_unmap_page_attrs() call in the driver&amp;#39;s XDP_REDIRECT<br /> code path. This should have been removed when we let the page pool<br /> handle the DMA mapping. This bug causes the warning:<br /> <br /> WARNING: CPU: 7 PID: 59 at drivers/iommu/dma-iommu.c:1198 iommu_dma_unmap_page+0xd5/0x100<br /> CPU: 7 PID: 59 Comm: ksoftirqd/7 Tainted: G W 6.8.0-1010-gcp #11-Ubuntu<br /> Hardware name: Dell Inc. PowerEdge R7525/0PYVT1, BIOS 2.15.2 04/02/2024<br /> RIP: 0010:iommu_dma_unmap_page+0xd5/0x100<br /> Code: 89 ee 48 89 df e8 cb f2 69 ff 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9 31 f6 31 ff 45 31 c0 e9 ab 17 71 00 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9<br /> RSP: 0018:ffffab1fc0597a48 EFLAGS: 00010246<br /> RAX: 0000000000000000 RBX: ffff99ff838280c8 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br /> RBP: ffffab1fc0597a78 R08: 0000000000000002 R09: ffffab1fc0597c1c<br /> R10: ffffab1fc0597cd3 R11: ffff99ffe375acd8 R12: 00000000e65b9000<br /> R13: 0000000000000050 R14: 0000000000001000 R15: 0000000000000002<br /> FS: 0000000000000000(0000) GS:ffff9a06efb80000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000565c34c37210 CR3: 00000005c7e3e000 CR4: 0000000000350ef0<br /> ? show_regs+0x6d/0x80<br /> ? __warn+0x89/0x150<br /> ? iommu_dma_unmap_page+0xd5/0x100<br /> ? report_bug+0x16a/0x190<br /> ? handle_bug+0x51/0xa0<br /> ? exc_invalid_op+0x18/0x80<br /> ? iommu_dma_unmap_page+0xd5/0x100<br /> ? iommu_dma_unmap_page+0x35/0x100<br /> dma_unmap_page_attrs+0x55/0x220<br /> ? bpf_prog_4d7e87c0d30db711_xdp_dispatcher+0x64/0x9f<br /> bnxt_rx_xdp+0x237/0x520 [bnxt_en]<br /> bnxt_rx_pkt+0x640/0xdd0 [bnxt_en]<br /> __bnxt_poll_work+0x1a1/0x3d0 [bnxt_en]<br /> bnxt_poll+0xaa/0x1e0 [bnxt_en]<br /> __napi_poll+0x33/0x1e0<br /> net_rx_action+0x18a/0x2f0

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: Validate TA binary size<br /> <br /> Add TA binary size validation to avoid OOB write.<br /> <br /> (cherry picked from commit c0a04e3570d72aaf090962156ad085e37c62e442)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails<br /> <br /> If the dpu_format_populate_layout() fails, then FB is prepared, but not<br /> cleaned up. This ends up leaking the pin_count on the GEM object and<br /> causes a splat during DRM file closure:<br /> <br /> msm_obj-&gt;pin_count<br /> WARNING: CPU: 2 PID: 569 at drivers/gpu/drm/msm/msm_gem.c:121 update_lru_locked+0xc4/0xcc<br /> [...]<br /> Call trace:<br /> update_lru_locked+0xc4/0xcc<br /> put_pages+0xac/0x100<br /> msm_gem_free_object+0x138/0x180<br /> drm_gem_object_free+0x1c/0x30<br /> drm_gem_object_handle_put_unlocked+0x108/0x10c<br /> drm_gem_object_release_handle+0x58/0x70<br /> idr_for_each+0x68/0xec<br /> drm_gem_release+0x28/0x40<br /> drm_file_free+0x174/0x234<br /> drm_release+0xb0/0x160<br /> __fput+0xc0/0x2c8<br /> __fput_sync+0x50/0x5c<br /> __arm64_sys_close+0x38/0x7c<br /> invoke_syscall+0x48/0x118<br /> el0_svc_common.constprop.0+0x40/0xe0<br /> do_el0_svc+0x1c/0x28<br /> el0_svc+0x4c/0x120<br /> el0t_64_sync_handler+0x100/0x12c<br /> el0t_64_sync+0x190/0x194<br /> irq event stamp: 129818<br /> hardirqs last enabled at (129817): [] console_unlock+0x118/0x124<br /> hardirqs last disabled at (129818): [] el1_dbg+0x24/0x8c<br /> softirqs last enabled at (129808): [] handle_softirqs+0x4c8/0x4e8<br /> softirqs last disabled at (129785): [] __do_softirq+0x14/0x20<br /> <br /> Patchwork: https://patchwork.freedesktop.org/patch/600714/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: flowtable: validate vlan header<br /> <br /> Ensure there is sufficient room to access the protocol field of the<br /> VLAN header, validate it once before the flowtable lookup.<br /> <br /> =====================================================<br /> BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x45a/0x5f0 net/netfilter/nf_flow_table_inet.c:32<br /> nf_flow_offload_inet_hook+0x45a/0x5f0 net/netfilter/nf_flow_table_inet.c:32<br /> nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]<br /> nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626<br /> nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline]<br /> nf_ingress net/core/dev.c:5440 [inline]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: prevent possible UAF in ip6_xmit()<br /> <br /> If skb_expand_head() returns NULL, skb has been freed<br /> and the associated dst/idev could also have been freed.<br /> <br /> We must use rcu_read_lock() to prevent a possible UAF.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: fix possible UAF in ip6_finish_output2()<br /> <br /> If skb_expand_head() returns NULL, skb has been freed<br /> and associated dst/idev could also have been freed.<br /> <br /> We need to hold rcu_read_lock() to make sure the dst and<br /> associated idev are alive.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: prevent UAF in ip6_send_skb()<br /> <br /> syzbot reported an UAF in ip6_send_skb() [1]<br /> <br /> After ip6_local_out() has returned, we no longer can safely<br /> dereference rt, unless we hold rcu_read_lock().<br /> <br /> A similar issue has been fixed in commit<br /> a688caa34beb ("ipv6: take rcu lock in rawv6_send_hdrinc()")<br /> <br /> Another potential issue in ip6_finish_output2() is handled in a<br /> separate patch.<br /> <br /> [1]<br /> BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964<br /> Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530<br /> <br /> CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:93 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119<br /> print_address_description mm/kasan/report.c:377 [inline]<br /> print_report+0x169/0x550 mm/kasan/report.c:488<br /> kasan_report+0x143/0x180 mm/kasan/report.c:601<br /> ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964<br /> rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588<br /> rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg+0x1a6/0x270 net/socket.c:745<br /> sock_write_iter+0x2dd/0x400 net/socket.c:1160<br /> do_iter_readv_writev+0x60a/0x890<br /> vfs_writev+0x37c/0xbb0 fs/read_write.c:971<br /> do_writev+0x1b1/0x350 fs/read_write.c:1018<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7f936bf79e79<br /> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014<br /> RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79<br /> RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004<br /> RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8<br /> <br /> <br /> Allocated by task 6530:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br /> unpoison_slab_object mm/kasan/common.c:312 [inline]<br /> __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338<br /> kasan_slab_alloc include/linux/kasan.h:201 [inline]<br /> slab_post_alloc_hook mm/slub.c:3988 [inline]<br /> slab_alloc_node mm/slub.c:4037 [inline]<br /> kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044<br /> dst_alloc+0x12b/0x190 net/core/dst.c:89<br /> ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670<br /> make_blackhole net/xfrm/xfrm_policy.c:3120 [inline]<br /> xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313<br /> ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257<br /> rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg+0x1a6/0x270 net/socket.c:745<br /> ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597<br /> ___sys_sendmsg net/socket.c:2651 [inline]<br /> __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Freed by task 45:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br /> kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579<br /> poison_slab_object+0xe0/0x150 mm/kasan/common.c:240<br /> __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256<br /> kasan_slab_free include/linux/kasan.h:184 [inline]<br /> slab_free_hook mm/slub.c:2252 [inline]<br /> slab_free mm/slub.c:4473 [inline]<br /> kmem_cache_free+0x145/0x350 mm/slub.c:4548<br /> dst_destroy+0x2ac/0x460 net/core/dst.c:124<br /> rcu_do_batch kernel/rcu/tree.c:2569 [inline]<br /> rcu_core+0xafd/0x1830 kernel/rcu/tree.<br /> ---truncated---