Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bnxt_en: Fix aggregation ID mask to prevent oops on 5760X chips<br /> <br /> The 5760X (P7) chip&amp;#39;s HW GRO/LRO interface is very similar to that of<br /> the previous generation (5750X or P5). However, the aggregation ID<br /> fields in the completion structures on P7 have been redefined from<br /> 16 bits to 12 bits. The freed up 4 bits are redefined for part of the<br /> metadata such as the VLAN ID. The aggregation ID mask was not modified<br /> when adding support for P7 chips. Including the extra 4 bits for the<br /> aggregation ID can potentially cause the driver to store or fetch the<br /> packet header of GRO/LRO packets in the wrong TPA buffer. It may hit<br /> the BUG() condition in __skb_pull() because the SKB contains no valid<br /> packet header:<br /> <br /> kernel BUG at include/linux/skbuff.h:2766!<br /> Oops: invalid opcode: 0000 1 PREEMPT SMP NOPTI<br /> CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Kdump: loaded Tainted: G OE 6.12.0-rc2+ #7<br /> Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE<br /> Hardware name: Dell Inc. PowerEdge R760/0VRV9X, BIOS 1.0.1 12/27/2022<br /> RIP: 0010:eth_type_trans+0xda/0x140<br /> Code: 80 00 00 00 eb c1 8b 47 70 2b 47 74 48 8b 97 d0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb a5 0b b8 00 01 00 00 eb 9c 48 85 ff 74 eb 31 f6 b9 02 00 00 00 48<br /> RSP: 0018:ff615003803fcc28 EFLAGS: 00010283<br /> RAX: 00000000000022d2 RBX: 0000000000000003 RCX: ff2e8c25da334040<br /> RDX: 0000000000000040 RSI: ff2e8c25c1ce8000 RDI: ff2e8c25869f9000<br /> RBP: ff2e8c258c31c000 R08: ff2e8c25da334000 R09: 0000000000000001<br /> R10: ff2e8c25da3342c0 R11: ff2e8c25c1ce89c0 R12: ff2e8c258e0990b0<br /> R13: ff2e8c25bb120000 R14: ff2e8c25c1ce89c0 R15: ff2e8c25869f9000<br /> FS: 0000000000000000(0000) GS:ff2e8c34be300000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000055f05317e4c8 CR3: 000000108bac6006 CR4: 0000000000773ef0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? die+0x33/0x90<br /> ? do_trap+0xd9/0x100<br /> ? eth_type_trans+0xda/0x140<br /> ? do_error_trap+0x65/0x80<br /> ? eth_type_trans+0xda/0x140<br /> ? exc_invalid_op+0x4e/0x70<br /> ? eth_type_trans+0xda/0x140<br /> ? asm_exc_invalid_op+0x16/0x20<br /> ? eth_type_trans+0xda/0x140<br /> bnxt_tpa_end+0x10b/0x6b0 [bnxt_en]<br /> ? bnxt_tpa_start+0x195/0x320 [bnxt_en]<br /> bnxt_rx_pkt+0x902/0xd90 [bnxt_en]<br /> ? __bnxt_tx_int.constprop.0+0x89/0x300 [bnxt_en]<br /> ? kmem_cache_free+0x343/0x440<br /> ? __bnxt_tx_int.constprop.0+0x24f/0x300 [bnxt_en]<br /> __bnxt_poll_work+0x193/0x370 [bnxt_en]<br /> bnxt_poll_p5+0x9a/0x300 [bnxt_en]<br /> ? try_to_wake_up+0x209/0x670<br /> __napi_poll+0x29/0x1b0<br /> <br /> Fix it by redefining the aggregation ID mask for P5_PLUS chips to be<br /> 12 bits. This will work because the maximum aggregation ID is less<br /> than 4096 on all P5_PLUS chips.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: control: Avoid WARN() for symlink errors<br /> <br /> Using WARN() for showing the error of symlink creations don&amp;#39;t give<br /> more information than telling that something goes wrong, since the<br /> usual code path is a lregister callback from each control element<br /> creation. More badly, the use of WARN() rather confuses fuzzer as if<br /> it were serious issues.<br /> <br /> This patch downgrades the warning messages to use the normal dev_err()<br /> instead of WARN(). For making it clearer, add the function name to<br /> the prefix, too.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: defer final &amp;#39;struct net&amp;#39; free in netns dismantle<br /> <br /> Ilya reported a slab-use-after-free in dst_destroy [1]<br /> <br /> Issue is in xfrm6_net_init() and xfrm4_net_init() :<br /> <br /> They copy xfrm[46]_dst_ops_template into net-&gt;xfrm.xfrm[46]_dst_ops.<br /> <br /> But net structure might be freed before all the dst callbacks are<br /> called. So when dst_destroy() calls later :<br /> <br /> if (dst-&gt;ops-&gt;destroy)<br /> dst-&gt;ops-&gt;destroy(dst);<br /> <br /> dst-&gt;ops points to the old net-&gt;xfrm.xfrm[46]_dst_ops, which has been freed.<br /> <br /> See a relevant issue fixed in :<br /> <br /> ac888d58869b ("net: do not delay dst_entries_add() in dst_release()")<br /> <br /> A fix is to queue the &amp;#39;struct net&amp;#39; to be freed after one<br /> another cleanup_net() round (and existing rcu_barrier())<br /> <br /> [1]<br /> <br /> BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112)<br /> Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0<br /> Dec 03 05:46:18 kernel:<br /> CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67<br /> Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl (lib/dump_stack.c:124)<br /> print_address_description.constprop.0 (mm/kasan/report.c:378)<br /> ? dst_destroy (net/core/dst.c:112)<br /> print_report (mm/kasan/report.c:489)<br /> ? dst_destroy (net/core/dst.c:112)<br /> ? kasan_addr_to_slab (mm/kasan/common.c:37)<br /> kasan_report (mm/kasan/report.c:603)<br /> ? dst_destroy (net/core/dst.c:112)<br /> ? rcu_do_batch (kernel/rcu/tree.c:2567)<br /> dst_destroy (net/core/dst.c:112)<br /> rcu_do_batch (kernel/rcu/tree.c:2567)<br /> ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491)<br /> ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406)<br /> rcu_core (kernel/rcu/tree.c:2825)<br /> handle_softirqs (kernel/softirq.c:554)<br /> __irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637)<br /> irq_exit_rcu (kernel/softirq.c:651)<br /> sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049)<br /> <br /> <br /> asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702)<br /> RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743)<br /> Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90<br /> RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246<br /> RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123<br /> RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d<br /> R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000<br /> R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000<br /> ? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148)<br /> ? cpuidle_idle_call (kernel/sched/idle.c:186)<br /> default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118)<br /> cpuidle_idle_call (kernel/sched/idle.c:186)<br /> ? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168)<br /> ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848)<br /> ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)<br /> ? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59)<br /> do_idle (kernel/sched/idle.c:326)<br /> cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1))<br /> start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282)<br /> ? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232)<br /> ? soft_restart_cpu (arch/x86/kernel/head_64.S:452)<br /> common_startup_64 (arch/x86/kernel/head_64.S:414)<br /> <br /> Dec 03 05:46:18 kernel:<br /> Allocated by task 12184:<br /> kasan_save_stack (mm/kasan/common.c:48)<br /> kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)<br /> __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)<br /> kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141)<br /> copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480)<br /> create_new_namespaces<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: lapb: increase LAPB_HEADER_LEN<br /> <br /> It is unclear if net/lapb code is supposed to be ready for 8021q.<br /> <br /> We can at least avoid crashes like the following :<br /> <br /> skbuff: skb_under_panic: text:ffffffff8aabe1f6 len:24 put:20 head:ffff88802824a400 data:ffff88802824a3fe tail:0x16 end:0x140 dev:nr0.2<br /> ------------[ cut here ]------------<br /> kernel BUG at net/core/skbuff.c:206 !<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI<br /> CPU: 1 UID: 0 PID: 5508 Comm: dhcpcd Not tainted 6.12.0-rc7-syzkaller-00144-g66418447d27b #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024<br /> RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]<br /> RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216<br /> Code: 0d 8d 48 c7 c6 2e 9e 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 1a 6f 37 02 48 83 c4 20 90 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3<br /> RSP: 0018:ffffc90002ddf638 EFLAGS: 00010282<br /> RAX: 0000000000000086 RBX: dffffc0000000000 RCX: 7a24750e538ff600<br /> RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000<br /> RBP: ffff888034a86650 R08: ffffffff8174b13c R09: 1ffff920005bbe60<br /> R10: dffffc0000000000 R11: fffff520005bbe61 R12: 0000000000000140<br /> R13: ffff88802824a400 R14: ffff88802824a3fe R15: 0000000000000016<br /> FS: 00007f2a5990d740(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000110c2631fd CR3: 0000000029504000 CR4: 00000000003526f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> skb_push+0xe5/0x100 net/core/skbuff.c:2636<br /> nr_header+0x36/0x320 net/netrom/nr_dev.c:69<br /> dev_hard_header include/linux/netdevice.h:3148 [inline]<br /> vlan_dev_hard_header+0x359/0x480 net/8021q/vlan_dev.c:83<br /> dev_hard_header include/linux/netdevice.h:3148 [inline]<br /> lapbeth_data_transmit+0x1f6/0x2a0 drivers/net/wan/lapbether.c:257<br /> lapb_data_transmit+0x91/0xb0 net/lapb/lapb_iface.c:447<br /> lapb_transmit_buffer+0x168/0x1f0 net/lapb/lapb_out.c:149<br /> lapb_establish_data_link+0x84/0xd0<br /> lapb_device_event+0x4e0/0x670<br /> notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93<br /> __dev_notify_flags+0x207/0x400<br /> dev_change_flags+0xf0/0x1a0 net/core/dev.c:8922<br /> devinet_ioctl+0xa4e/0x1aa0 net/ipv4/devinet.c:1188<br /> inet_ioctl+0x3d7/0x4f0 net/ipv4/af_inet.c:1003<br /> sock_do_ioctl+0x158/0x460 net/socket.c:1227<br /> sock_ioctl+0x626/0x8e0 net/socket.c:1346<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:907 [inline]<br /> __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: DR, prevent potential error pointer dereference<br /> <br /> The dr_domain_add_vport_cap() function generally returns NULL on error<br /> but sometimes we want it to return ERR_PTR(-EBUSY) so the caller can<br /> retry. The problem here is that "ret" can be either -EBUSY or -ENOMEM<br /> and if it&amp;#39;s and -ENOMEM then the error pointer is propogated back and<br /> eventually dereferenced in dr_ste_v0_build_src_gvmi_qpn_tag().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tipc: fix NULL deref in cleanup_bearer()<br /> <br /> syzbot found [1] that after blamed commit, ub-&gt;ubsock-&gt;sk<br /> was NULL when attempting the atomic_dec() :<br /> <br /> atomic_dec(&amp;tipc_net(sock_net(ub-&gt;ubsock-&gt;sk))-&gt;wq_count);<br /> <br /> Fix this by caching the tipc_net pointer.<br /> <br /> [1]<br /> <br /> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI<br /> KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]<br /> CPU: 0 UID: 0 PID: 5896 Comm: kworker/0:3 Not tainted 6.13.0-rc1-next-20241203-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> Workqueue: events cleanup_bearer<br /> RIP: 0010:read_pnet include/net/net_namespace.h:387 [inline]<br /> RIP: 0010:sock_net include/net/sock.h:655 [inline]<br /> RIP: 0010:cleanup_bearer+0x1f7/0x280 net/tipc/udp_media.c:820<br /> Code: 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 3c f7 99 f6 48 8b 1b 48 83 c3 30 e8 f0 e4 60 00 48 89 d8 48 c1 e8 03 80 3c 28 00 74 08 48 89 df e8 1a f7 99 f6 49 83 c7 e8 48 8b 1b<br /> RSP: 0018:ffffc9000410fb70 EFLAGS: 00010206<br /> RAX: 0000000000000006 RBX: 0000000000000030 RCX: ffff88802fe45a00<br /> RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffc9000410f900<br /> RBP: ffff88807e1f0908 R08: ffffc9000410f907 R09: 1ffff92000821f20<br /> R10: dffffc0000000000 R11: fffff52000821f21 R12: ffff888031d19980<br /> R13: dffffc0000000000 R14: dffffc0000000000 R15: ffff88807e1f0918<br /> FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000556ca050b000 CR3: 0000000031c0c000 CR4: 00000000003526f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: Fix icmp host relookup triggering ip_rt_bug<br /> <br /> arp link failure may trigger ip_rt_bug while xfrm enabled, call trace is:<br /> <br /> WARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),<br /> BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:ip_rt_bug+0x14/0x20<br /> Call Trace:<br /> <br /> ip_send_skb+0x14/0x40<br /> __icmp_send+0x42d/0x6a0<br /> ipv4_link_failure+0xe2/0x1d0<br /> arp_error_report+0x3c/0x50<br /> neigh_invalidate+0x8d/0x100<br /> neigh_timer_handler+0x2e1/0x330<br /> call_timer_fn+0x21/0x120<br /> __run_timer_base.part.0+0x1c9/0x270<br /> run_timer_softirq+0x4c/0x80<br /> handle_softirqs+0xac/0x280<br /> irq_exit_rcu+0x62/0x80<br /> sysvec_apic_timer_interrupt+0x77/0x90<br /> <br /> The script below reproduces this scenario:<br /> ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \<br /> dir out priority 0 ptype main flag localok icmp<br /> ip l a veth1 type veth<br /> ip a a 192.168.141.111/24 dev veth0<br /> ip l s veth0 up<br /> ping 192.168.141.155 -c 1<br /> <br /> icmp_route_lookup() create input routes for locally generated packets<br /> while xfrm relookup ICMP traffic.Then it will set input route<br /> (dst-&gt;out = ip_rt_bug) to skb for DESTUNREACH.<br /> <br /> For ICMP err triggered by locally generated packets, dst-&gt;dev of output<br /> route is loopback. Generally, xfrm relookup verification is not required<br /> on loopback interfaces (net.ipv4.conf.lo.disable_xfrm = 1).<br /> <br /> Skip icmp relookup for locally generated packets to fix it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: enetc: Do not configure preemptible TCs if SIs do not support<br /> <br /> Both ENETC PF and VF drivers share enetc_setup_tc_mqprio() to configure<br /> MQPRIO. And enetc_setup_tc_mqprio() calls enetc_change_preemptible_tcs()<br /> to configure preemptible TCs. However, only PF is able to configure<br /> preemptible TCs. Because only PF has related registers, while VF does not<br /> have these registers. So for VF, its hw-&gt;port pointer is NULL. Therefore,<br /> VF will access an invalid pointer when accessing a non-existent register,<br /> which will cause a crash issue. The simplified log is as follows.<br /> <br /> root@ls1028ardb:~# tc qdisc add dev eno0vf0 parent root handle 100: \<br /> mqprio num_tc 4 map 0 0 1 1 2 2 3 3 queues 1@0 1@1 1@2 1@3 hw 1<br /> [ 187.290775] Unable to handle kernel paging request at virtual address 0000000000001f00<br /> [ 187.424831] pc : enetc_mm_commit_preemptible_tcs+0x1c4/0x400<br /> [ 187.430518] lr : enetc_mm_commit_preemptible_tcs+0x30c/0x400<br /> [ 187.511140] Call trace:<br /> [ 187.513588] enetc_mm_commit_preemptible_tcs+0x1c4/0x400<br /> [ 187.518918] enetc_setup_tc_mqprio+0x180/0x214<br /> [ 187.523374] enetc_vf_setup_tc+0x1c/0x30<br /> [ 187.527306] mqprio_enable_offload+0x144/0x178<br /> [ 187.531766] mqprio_init+0x3ec/0x668<br /> [ 187.535351] qdisc_create+0x15c/0x488<br /> [ 187.539023] tc_modify_qdisc+0x398/0x73c<br /> [ 187.542958] rtnetlink_rcv_msg+0x128/0x378<br /> [ 187.547064] netlink_rcv_skb+0x60/0x130<br /> [ 187.550910] rtnetlink_rcv+0x18/0x24<br /> [ 187.554492] netlink_unicast+0x300/0x36c<br /> [ 187.558425] netlink_sendmsg+0x1a8/0x420<br /> [ 187.606759] ---[ end trace 0000000000000000 ]---<br /> <br /> In addition, some PFs also do not support configuring preemptible TCs,<br /> such as eno1 and eno3 on LS1028A. It won&amp;#39;t crash like it does for VFs,<br /> but we should prevent these PFs from accessing these unimplemented<br /> registers.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: avoid possible NULL deref in modify_prefix_route()<br /> <br /> syzbot found a NULL deref [1] in modify_prefix_route(), caused by one<br /> fib6_info without a fib6_table pointer set.<br /> <br /> This can happen for net-&gt;ipv6.fib6_null_entry<br /> <br /> [1]<br /> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI<br /> KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]<br /> CPU: 1 UID: 0 PID: 5837 Comm: syz-executor888 Not tainted 6.12.0-syzkaller-09567-g7eef7e306d3c #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089<br /> Code: 08 84 d2 0f 85 15 14 00 00 44 8b 0d ca 98 f5 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 07 7f 93 0f 84<br /> RSP: 0018:ffffc900035d7268 EFLAGS: 00010006<br /> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000<br /> RDX: 0000000000000006 RSI: 1ffff920006bae5f RDI: 0000000000000030<br /> RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001<br /> R10: ffffffff90608e17 R11: 0000000000000001 R12: 0000000000000030<br /> R13: ffff888036334880 R14: 0000000000000000 R15: 0000000000000000<br /> FS: 0000555579e90380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007ffc59cc4278 CR3: 0000000072b54000 CR4: 00000000003526f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849<br /> __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]<br /> _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178<br /> spin_lock_bh include/linux/spinlock.h:356 [inline]<br /> modify_prefix_route+0x30b/0x8b0 net/ipv6/addrconf.c:4831<br /> inet6_addr_modify net/ipv6/addrconf.c:4923 [inline]<br /> inet6_rtm_newaddr+0x12c7/0x1ab0 net/ipv6/addrconf.c:5055<br /> rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6920<br /> netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2541<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]<br /> netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1347<br /> netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1891<br /> sock_sendmsg_nosec net/socket.c:711 [inline]<br /> __sock_sendmsg net/socket.c:726 [inline]<br /> ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2583<br /> ___sys_sendmsg+0x135/0x1e0 net/socket.c:2637<br /> __sys_sendmsg+0x16e/0x220 net/socket.c:2669<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7fd1dcef8b79<br /> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007ffc59cc4378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br /> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd1dcef8b79<br /> RDX: 0000000000040040 RSI: 0000000020000140 RDI: 0000000000000004<br /> RBP: 00000000000113fd R08: 0000000000000006 R09: 0000000000000006<br /> R10: 0000000000000006 R11: 0000000000000246 R12: 00007ffc59cc438c<br /> R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/ipv6: release expired exception dst cached in socket<br /> <br /> Dst objects get leaked in ip6_negative_advice() when this function is<br /> executed for an expired IPv6 route located in the exception table. There<br /> are several conditions that must be fulfilled for the leak to occur:<br /> * an ICMPv6 packet indicating a change of the MTU for the path is received,<br /> resulting in an exception dst being created<br /> * a TCP connection that uses the exception dst for routing packets must<br /> start timing out so that TCP begins retransmissions<br /> * after the exception dst expires, the FIB6 garbage collector must not run<br /> before TCP executes ip6_negative_advice() for the expired exception dst<br /> <br /> When TCP executes ip6_negative_advice() for an exception dst that has<br /> expired and if no other socket holds a reference to the exception dst, the<br /> refcount of the exception dst is 2, which corresponds to the increment<br /> made by dst_init() and the increment made by the TCP socket for which the<br /> connection is timing out. The refcount made by the socket is never<br /> released. The refcount of the dst is decremented in sk_dst_reset() but<br /> that decrement is counteracted by a dst_hold() intentionally placed just<br /> before the sk_dst_reset() in ip6_negative_advice(). After<br /> ip6_negative_advice() has finished, there is no other object tied to the<br /> dst. The socket lost its reference stored in sk_dst_cache and the dst is<br /> no longer in the exception table. The exception dst becomes a leaked<br /> object.<br /> <br /> As a result of this dst leak, an unbalanced refcount is reported for the<br /> loopback device of a net namespace being destroyed under kernels that do<br /> not contain e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"):<br /> unregister_netdevice: waiting for lo to become free. Usage count = 2<br /> <br /> Fix the dst leak by removing the dst_hold() in ip6_negative_advice(). The<br /> patch that introduced the dst_hold() in ip6_negative_advice() was<br /> 92f1655aa2b22 ("net: fix __dst_negative_advice() race"). But 92f1655aa2b22<br /> merely refactored the code with regards to the dst refcount so the issue<br /> was present even before 92f1655aa2b22. The bug was introduced in<br /> 54c1a859efd9f ("ipv6: Don&amp;#39;t drop cache route entry unless timer actually<br /> expired.") where the expired cached route is deleted and the sk_dst_cache<br /> member of the socket is set to NULL by calling dst_negative_advice() but<br /> the refcount belonging to the socket is left unbalanced.<br /> <br /> The IPv4 version - ipv4_negative_advice() - is not affected by this bug.<br /> When the TCP connection times out ipv4_negative_advice() merely resets the<br /> sk_dst_cache of the socket while decrementing the refcount of the<br /> exception dst.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dccp: Fix memory leak in dccp_feat_change_recv<br /> <br /> If dccp_feat_push_confirm() fails after new value for SP feature was accepted<br /> without reconciliation (&amp;#39;entry == NULL&amp;#39; branch), memory allocated for that value<br /> with dccp_feat_clone_sp_val() is never freed.<br /> <br /> Here is the kmemleak stack for this:<br /> <br /> unreferenced object 0xffff88801d4ab488 (size 8):<br /> comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s)<br /> hex dump (first 8 bytes):<br /> 01 b4 4a 1d 80 88 ff ff ..J.....<br /> backtrace:<br /> [] kmemdup+0x23/0x50 mm/util.c:128<br /> [] kmemdup include/linux/string.h:465 [inline]<br /> [] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline]<br /> [] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline]<br /> [] dccp_feat_change_recv net/dccp/feat.c:1145 [inline]<br /> [] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416<br /> [] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125<br /> [] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650<br /> [] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688<br /> [] sk_backlog_rcv include/net/sock.h:1041 [inline]<br /> [] __release_sock+0x139/0x3b0 net/core/sock.c:2570<br /> [] release_sock+0x54/0x1b0 net/core/sock.c:3111<br /> [] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline]<br /> [] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696<br /> [] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735<br /> [] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865<br /> [] __sys_connect+0x165/0x1a0 net/socket.c:1882<br /> [] __do_sys_connect net/socket.c:1892 [inline]<br /> [] __se_sys_connect net/socket.c:1889 [inline]<br /> [] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889<br /> [] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46<br /> [] entry_SYSCALL_64_after_hwframe+0x67/0xd1<br /> <br /> Clean up the allocated memory in case of dccp_feat_push_confirm() failure<br /> and bail out with an error reset code.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: j1939: j1939_session_new(): fix skb reference counting<br /> <br /> Since j1939_session_skb_queue() does an extra skb_get() for each new<br /> skb, do the same for the initial one in j1939_session_new() to avoid<br /> refcount underflow.<br /> <br /> [mkl: clean up commit message]