Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the NVD information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-40934

Publication date:
12/07/2024
In the Linux kernel, the following vulnerability has been resolved:

HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()

Fix a memory leak on logi_dj_recv_send_report() error path.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-40928

Publication date:
12/07/2024
In the Linux kernel, the following vulnerability has been resolved:

net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool()

Clang static checker (scan-build) warning:
net/ethtool/ioctl.c:line 2233, column 2
Called function pointer is null (null dereference).

Return '-EOPNOTSUPP' when 'ops->get_ethtool_phy_stats' is NULL to fix
this typo error.
Severity CVSS v4.0: Pending analysis
Last modification:
19/01/2026

CVE-2024-40909

Publication date:
12/07/2024
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a potential use-after-free in bpf_link_free()

After commit 1a80dbcb2dba, bpf_link can be freed by
link->ops->dealloc_deferred, but the code still tests and uses
link->ops->dealloc afterward, which leads to a use-after-free as
reported by syzbot. Actually, one of them should be sufficient, so
just call one of them instead of both. Also add a WARN_ON() in case
of any problematic implementation.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-40917

Publication date:
12/07/2024
In the Linux kernel, the following vulnerability has been resolved:

memblock: make memblock_set_node() also warn about use of MAX_NUMNODES

On an (old) x86 system with SRAT just covering space above 4Gb:

ACPI: SRAT: Node 0 PXM 0 [mem 0x100000000-0xfffffffff] hotplug

the commit referenced below leads to this NUMA configuration no longer
being refused by a CONFIG_NUMA=y kernel (previously

NUMA: nodes only cover 6144MB of your 8185MB e820 RAM. Not used.
No NUMA configuration found
Faking a node at [mem 0x0000000000000000-0x000000027fffffff]

was seen in the log directly after the message quoted above), because of
memblock_validate_numa_coverage() checking for NUMA_NO_NODE (only). This
in turn led to memblock_alloc_range_nid()'s warning about MAX_NUMNODES
triggering, followed by a NULL deref in memmap_init() when trying to
access node 64's (NODE_SHIFT=6) node data.

To compensate said change, make memblock_set_node() warn on and adjust
a passed in value of MAX_NUMNODES, just like various other functions
already do.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2024-40918

Publication date:
12/07/2024
In the Linux kernel, the following vulnerability has been resolved:

parisc: Try to fix random segmentation faults in package builds

PA-RISC systems with PA8800 and PA8900 processors have had problems
with random segmentation faults for many years. Systems with earlier
processors are much more stable.

Systems with PA8800 and PA8900 processors have a large L2 cache which
needs per page flushing for decent performance when a large range is
flushed. The combined cache in these systems is also more sensitive to
non-equivalent aliases than the caches in earlier systems.

The majority of random segmentation faults that I have looked at
appear to be memory corruption in memory allocated using mmap and
malloc.

My first attempt at fixing the random faults didn't work. On
reviewing the cache code, I realized that there were two issues
which the existing code didn't handle correctly. Both relate
to cache move-in. Another issue is that the present bit in PTEs
is racy.

1) PA-RISC caches have a mind of their own and they can speculatively
load data and instructions for a page as long as there is an entry in
the TLB for the page which allows move-in. TLBs are local to each
CPU. Thus, the TLB entry for a page must be purged before flushing
the page. This is particularly important on SMP systems.

In some of the flush routines, the flush routine would be called
and then the TLB entry would be purged. This was because the flush
routine needed the TLB entry to do the flush.

2) My initial approach to trying to fix the random faults was to
try and use flush_cache_page_if_present for all flush operations.
This actually made things worse and led to a couple of hardware
lockups. It finally dawned on me that some lines weren't being
flushed because the pte check code was racy. This resulted in
random inequivalent mappings to physical pages.

The __flush_cache_page tmpalias flush sets up its own TLB entry
and it doesn't need the existing TLB entry. As long as we can find
the pte pointer for the vm page, we can get the pfn and physical
address of the page. We can also purge the TLB entry for the page
before doing the flush. Further, __flush_cache_page uses a special
TLB entry that inhibits cache move-in.

When switching page mappings, we need to ensure that lines are
removed from the cache. It is not sufficient to just flush the
lines to memory as they may come back.

This made it clear that we needed to implement all the required
flush operations using tmpalias routines. This includes flushes
for user and kernel pages.

After modifying the code to use tmpalias flushes, it became clear
that the random segmentation faults were not fully resolved. The
frequency of faults was worse on systems with a 64 MB L2 (PA8900)
and systems with more CPUs (rp4440).

The warning that I added to flush_cache_page_if_present to detect
pages that couldn't be flushed triggered frequently on some systems.

Helge and I looked at the pages that couldn't be flushed and found
that the PTE was either cleared or for a swap page. Ignoring pages
that were swapped out seemed okay but pages with cleared PTEs seemed
problematic.

I looked at routines related to pte_clear and noticed ptep_clear_flush.
The default implementation just flushes the TLB entry. However, it was
obvious that on parisc we need to flush the cache page as well. If
we don't flush the cache page, stale lines will be left in the cache
and cause random corruption. Once a PTE is cleared, there is no way
to find the physical address associated with the PTE and flush the
associated page at a later time.

I implemented an updated change with a parisc specific version of
ptep_clear_flush. It fixed the random data corruption on Helge's rp4440
and rp3440, as well as on my c8000.

At this point, I realized that I could restore the code where we only
flush in flush_cache_page_if_present if the page has been accessed.
However, for this, we also need to flush the cache when the accessed
bit is cleared in
---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2024-40908

Publication date:
12/07/2024
In the Linux kernel, the following vulnerability has been resolved:

bpf: Set run context for rawtp test_run callback

syzbot reported crash when rawtp program executed through the
test_run interface calls bpf_get_attach_cookie helper or any
other helper that touches task->bpf_ctx pointer.

Setting the run context (task->bpf_ctx pointer) for test_run
callback.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-40910

Publication date:
12/07/2024
In the Linux kernel, the following vulnerability has been resolved:

ax25: Fix refcount imbalance on inbound connections

When releasing a socket in ax25_release(), we call netdev_put() to
decrease the refcount on the associated ax.25 device. However, the
execution path for accepting an incoming connection never calls
netdev_hold(). This imbalance leads to refcount errors, and ultimately
to kernel crashes.

A typical call trace for the above situation will start with one of the
following errors:

refcount_t: decrement hit 0; leaking memory.
refcount_t: underflow; use-after-free.

And will then have a trace like:

Call Trace:

? show_regs+0x64/0x70
? __warn+0x83/0x120
? refcount_warn_saturate+0xb2/0x100
? report_bug+0x158/0x190
? prb_read_valid+0x20/0x30
? handle_bug+0x3e/0x70
? exc_invalid_op+0x1c/0x70
? asm_exc_invalid_op+0x1f/0x30
? refcount_warn_saturate+0xb2/0x100
? refcount_warn_saturate+0xb2/0x100
ax25_release+0x2ad/0x360
__sock_release+0x35/0xa0
sock_close+0x19/0x20
[...]

On reboot (or any attempt to remove the interface), the kernel gets
stuck in an infinite loop:

unregister_netdevice: waiting for ax0 to become free. Usage count = 0

This patch corrects these issues by ensuring that we call netdev_hold()
and ax25_dev_hold() for new connections in ax25_accept(). This makes the
logic leading to ax25_accept() match the logic for ax25_bind(): in both
cases we increment the refcount, which is ultimately decremented in
ax25_release().
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-40911

Publication date:
12/07/2024
In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: Lock wiphy in cfg80211_get_station

Wiphy should be locked before calling rdev_get_station() (see lockdep
assert in ieee80211_get_station()).

This fixes the following kernel NULL dereference:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000
[0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000
Internal error: Oops: 0000000096000006 [#1] SMP
Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath
CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705
Hardware name: RPT (r1) (DT)
Workqueue: bat_events batadv_v_elp_throughput_metric_update
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]
lr : sta_set_sinfo+0xcc/0xbd4
sp : ffff000007b43ad0
x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98
x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000
x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc
x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000
x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d
x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e
x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000
x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000
x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90
x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000
Call trace:
ath10k_sta_statistics+0x10/0x2dc [ath10k_core]
sta_set_sinfo+0xcc/0xbd4
ieee80211_get_station+0x2c/0x44
cfg80211_get_station+0x80/0x154
batadv_v_elp_get_throughput+0x138/0x1fc
batadv_v_elp_throughput_metric_update+0x1c/0xa4
process_one_work+0x1ec/0x414
worker_thread+0x70/0x46c
kthread+0xdc/0xe0
ret_from_fork+0x10/0x20
Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)

This happens because STA has time to disconnect and reconnect before
batadv_v_elp_throughput_metric_update() delayed work gets scheduled. In
this situation, ath10k_sta_state() can be in the middle of resetting
arsta data when the work queue gets a chance to be scheduled and ends up
accessing it. Locking wiphy prevents that.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-40912

Publication date:
12/07/2024
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to
synchronize with ieee80211_tx_h_unicast_ps_buf() which is called from
softirq context. However using only spin_lock() to get sta->ps_lock in
ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute
on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to
take this same lock ending in deadlock. Below is an example of rcu stall
that arises in such situation.

rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996
rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)
CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742
Hardware name: RPT (r1) (DT)
pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : queued_spin_lock_slowpath+0x58/0x2d0
lr : invoke_tx_handlers_early+0x5b4/0x5c0
sp : ffff00001ef64660
x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8
x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000
x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000
x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000
x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80
x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da
x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440
x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880
x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8
Call trace:
queued_spin_lock_slowpath+0x58/0x2d0
ieee80211_tx+0x80/0x12c
ieee80211_tx_pending+0x110/0x278
tasklet_action_common.constprop.0+0x10c/0x144
tasklet_action+0x20/0x28
_stext+0x11c/0x284
____do_softirq+0xc/0x14
call_on_irq_stack+0x24/0x34
do_softirq_own_stack+0x18/0x20
do_softirq+0x74/0x7c
__local_bh_enable_ip+0xa0/0xa4
_ieee80211_wake_txqs+0x3b0/0x4b8
__ieee80211_wake_queue+0x12c/0x168
ieee80211_add_pending_skbs+0xec/0x138
ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480
ieee80211_mps_sta_status_update.part.0+0xd8/0x11c
ieee80211_mps_sta_status_update+0x18/0x24
sta_apply_parameters+0x3bc/0x4c0
ieee80211_change_station+0x1b8/0x2dc
nl80211_set_station+0x444/0x49c
genl_family_rcv_msg_doit.isra.0+0xa4/0xfc
genl_rcv_msg+0x1b0/0x244
netlink_rcv_skb+0x38/0x10c
genl_rcv+0x34/0x48
netlink_unicast+0x254/0x2bc
netlink_sendmsg+0x190/0x3b4
____sys_sendmsg+0x1e8/0x218
___sys_sendmsg+0x68/0x8c
__sys_sendmsg+0x44/0x84
__arm64_sys_sendmsg+0x20/0x28
do_el0_svc+0x6c/0xe8
el0_svc+0x14/0x48
el0t_64_sync_handler+0xb0/0xb4
el0t_64_sync+0x14c/0x150

Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise
on the same CPU that is holding the lock.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-40913

Publication date:
12/07/2024
In the Linux kernel, the following vulnerability has been resolved:

cachefiles: defer exposing anon_fd until after copy_to_user() succeeds

After installing the anonymous fd, we can now see it in userland and close
it. However, at this point we may not have gotten the reference count of
the cache, but we will put it during close fd, so this may cause a cache
UAF.

So grab the cache reference count before fd_install(). In addition, by
kernel convention, fd is taken over by the user land after fd_install(),
and the kernel should not call close_fd() after that, i.e., it should call
fd_install() after everything is ready, thus fd_install() is called after
copy_to_user() succeeds.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-40914

Publication date:
12/07/2024
In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: don't unpoison huge_zero_folio

When I did memory failure tests recently, below panic occurs:

kernel BUG at include/linux/mm.h:1135!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14
RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0
RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246
RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0
RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492
R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00
FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0
Call Trace:

do_shrink_slab+0x14f/0x6a0
shrink_slab+0xca/0x8c0
shrink_node+0x2d0/0x7d0
balance_pgdat+0x33a/0x720
kswapd+0x1f3/0x410
kthread+0xd5/0x100
ret_from_fork+0x2f/0x50
ret_from_fork_asm+0x1a/0x30

Modules linked in: mce_inject hwpoison_inject
---[ end trace 0000000000000000 ]---
RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0
RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246
RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0
RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492
R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00
FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0

The root cause is that HWPoison flag will be set for huge_zero_folio
without increasing the folio refcnt. But then unpoison_memory() will
decrease the folio refcnt unexpectedly as it appears like a successfully
hwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when
releasing huge_zero_folio.

Skip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue.
We're not prepared to unpoison huge_zero_folio yet.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-40915

Publication date:
12/07/2024
In the Linux kernel, the following vulnerability has been resolved:

riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context

__kernel_map_pages() is a debug function which clears the valid bit in page
table entry for deallocated pages to detect illegal memory accesses to
freed pages.

This function sets/clears the valid bit using __set_memory(). __set_memory()
acquires init_mm's semaphore, and this operation may sleep. This is
problematic, because __kernel_map_pages() can be called in atomic context,
and thus is illegal to sleep. An example warning that this causes:

BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd
preempt_count: 2, expected: 0
CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[] dump_backtrace+0x1c/0x24
[] show_stack+0x2c/0x38
[] dump_stack_lvl+0x5a/0x72
[] dump_stack+0x14/0x1c
[] __might_resched+0x104/0x10e
[] __might_sleep+0x3e/0x62
[] down_write+0x20/0x72
[] __set_memory+0x82/0x2fa
[] __kernel_map_pages+0x5a/0xd4
[] __alloc_pages_bulk+0x3b2/0x43a
[] __vmalloc_node_range+0x196/0x6ba
[] copy_process+0x72c/0x17ec
[] kernel_clone+0x60/0x2fe
[] kernel_thread+0x82/0xa0
[] kthreadd+0x14a/0x1be
[] ret_from_fork+0xe/0x1c

Rewrite this function with apply_to_existing_page_range(). It is fine to
not have any locking, because __kernel_map_pages() works with pages being
allocated/deallocated and those pages are not changed by anyone else in the
meantime.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025