Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/9p: fix uninit-value in p9_client_rpc()<br /> <br /> Syzbot with the help of KMSAN reported the following error:<br /> <br /> BUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]<br /> BUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754<br /> trace_9p_client_res include/trace/events/9p.h:146 [inline]<br /> p9_client_rpc+0x1314/0x1340 net/9p/client.c:754<br /> p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031<br /> v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410<br /> v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122<br /> legacy_get_tree+0x114/0x290 fs/fs_context.c:662<br /> vfs_get_tree+0xa7/0x570 fs/super.c:1797<br /> do_new_mount+0x71f/0x15e0 fs/namespace.c:3352<br /> path_mount+0x742/0x1f20 fs/namespace.c:3679<br /> do_mount fs/namespace.c:3692 [inline]<br /> __do_sys_mount fs/namespace.c:3898 [inline]<br /> __se_sys_mount+0x725/0x810 fs/namespace.c:3875<br /> __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875<br /> do_syscall_64+0xd5/0x1f0<br /> entry_SYSCALL_64_after_hwframe+0x6d/0x75<br /> <br /> Uninit was created at:<br /> __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598<br /> __alloc_pages_node include/linux/gfp.h:238 [inline]<br /> alloc_pages_node include/linux/gfp.h:261 [inline]<br /> alloc_slab_page mm/slub.c:2175 [inline]<br /> allocate_slab mm/slub.c:2338 [inline]<br /> new_slab+0x2de/0x1400 mm/slub.c:2391<br /> ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525<br /> __slab_alloc mm/slub.c:3610 [inline]<br /> __slab_alloc_node mm/slub.c:3663 [inline]<br /> slab_alloc_node mm/slub.c:3835 [inline]<br /> kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852<br /> p9_tag_alloc net/9p/client.c:278 [inline]<br /> p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641<br /> p9_client_rpc+0x27e/0x1340 net/9p/client.c:688<br /> p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031<br /> v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410<br /> v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122<br /> legacy_get_tree+0x114/0x290 fs/fs_context.c:662<br /> vfs_get_tree+0xa7/0x570 fs/super.c:1797<br /> do_new_mount+0x71f/0x15e0 fs/namespace.c:3352<br /> path_mount+0x742/0x1f20 fs/namespace.c:3679<br /> do_mount fs/namespace.c:3692 [inline]<br /> __do_sys_mount fs/namespace.c:3898 [inline]<br /> __se_sys_mount+0x725/0x810 fs/namespace.c:3875<br /> __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875<br /> do_syscall_64+0xd5/0x1f0<br /> entry_SYSCALL_64_after_hwframe+0x6d/0x75<br /> <br /> If p9_check_errors() fails early in p9_client_rpc(), req-&gt;rc.tag<br /> will not be properly initialized. However, trace_9p_client_res()<br /> ends up trying to print it out anyway before p9_client_rpc()<br /> finishes.<br /> <br /> Fix this issue by assigning default values to p9_fcall fields<br /> such as &amp;#39;tag&amp;#39; and (just in case KMSAN unearths something new) &amp;#39;id&amp;#39;<br /> during the tag allocation stage.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: bcm: rpi: Assign -&gt;num before accessing -&gt;hws<br /> <br /> Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with<br /> __counted_by") annotated the hws member of &amp;#39;struct clk_hw_onecell_data&amp;#39;<br /> with __counted_by, which informs the bounds sanitizer about the number<br /> of elements in hws, so that it can warn when hws is accessed out of<br /> bounds. As noted in that change, the __counted_by member must be<br /> initialized with the number of elements before the first array access<br /> happens, otherwise there will be a warning from each access prior to the<br /> initialization because the number of elements is zero. This occurs in<br /> raspberrypi_discover_clocks() due to -&gt;num being assigned after -&gt;hws<br /> has been accessed:<br /> <br /> UBSAN: array-index-out-of-bounds in drivers/clk/bcm/clk-raspberrypi.c:374:4<br /> index 3 is out of range for type &amp;#39;struct clk_hw *[] __counted_by(num)&amp;#39; (aka &amp;#39;struct clk_hw *[]&amp;#39;)<br /> <br /> Move the -&gt;num initialization to before the first access of -&gt;hws, which<br /> clears up the warning.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: bcm: dvp: Assign -&gt;num before accessing -&gt;hws<br /> <br /> Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with<br /> __counted_by") annotated the hws member of &amp;#39;struct clk_hw_onecell_data&amp;#39;<br /> with __counted_by, which informs the bounds sanitizer about the number<br /> of elements in hws, so that it can warn when hws is accessed out of<br /> bounds. As noted in that change, the __counted_by member must be<br /> initialized with the number of elements before the first array access<br /> happens, otherwise there will be a warning from each access prior to the<br /> initialization because the number of elements is zero. This occurs in<br /> clk_dvp_probe() due to -&gt;num being assigned after -&gt;hws has been<br /> accessed:<br /> <br /> UBSAN: array-index-out-of-bounds in drivers/clk/bcm/clk-bcm2711-dvp.c:59:2<br /> index 0 is out of range for type &amp;#39;struct clk_hw *[] __counted_by(num)&amp;#39; (aka &amp;#39;struct clk_hw *[]&amp;#39;)<br /> <br /> Move the -&gt;num initialization to before the first access of -&gt;hws, which<br /> clears up the warning.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: v4l: async: Fix notifier list entry init<br /> <br /> struct v4l2_async_notifier has several list_head members, but only<br /> waiting_list and done_list are initialized. notifier_entry was kept<br /> &amp;#39;zeroed&amp;#39; leading to an uninitialized list_head.<br /> This results in a NULL-pointer dereference if csi2_async_register() fails,<br /> e.g. node for remote endpoint is disabled, and returns -ENOTCONN.<br /> The following calls to v4l2_async_nf_unregister() results in a NULL<br /> pointer dereference.<br /> Add the missing list head initializer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/memory-failure: fix handling of dissolved but not taken off from buddy pages<br /> <br /> When I did memory failure tests recently, below panic occurs:<br /> <br /> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00<br /> flags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)<br /> raw: 06fffe0000000000 dead000000000100 dead000000000122 0000000000000000<br /> raw: 0000000000000000 0000000000000009 00000000ffffffff 0000000000000000<br /> page dumped because: VM_BUG_ON_PAGE(!PageBuddy(page))<br /> ------------[ cut here ]------------<br /> kernel BUG at include/linux/page-flags.h:1009!<br /> invalid opcode: 0000 [#1] PREEMPT SMP NOPTI<br /> RIP: 0010:__del_page_from_free_list+0x151/0x180<br /> RSP: 0018:ffffa49c90437998 EFLAGS: 00000046<br /> RAX: 0000000000000035 RBX: 0000000000000009 RCX: ffff8dd8dfd1c9c8<br /> RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8dd8dfd1c9c0<br /> RBP: ffffd901233b8000 R08: ffffffffab5511f8 R09: 0000000000008c69<br /> R10: 0000000000003c15 R11: ffffffffab5511f8 R12: ffff8dd8fffc0c80<br /> R13: 0000000000000001 R14: ffff8dd8fffc0c80 R15: 0000000000000009<br /> FS: 00007ff916304740(0000) GS:ffff8dd8dfd00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000055eae50124c8 CR3: 00000008479e0000 CR4: 00000000000006f0<br /> Call Trace:<br /> <br /> __rmqueue_pcplist+0x23b/0x520<br /> get_page_from_freelist+0x26b/0xe40<br /> __alloc_pages_noprof+0x113/0x1120<br /> __folio_alloc_noprof+0x11/0xb0<br /> alloc_buddy_hugetlb_folio.isra.0+0x5a/0x130<br /> __alloc_fresh_hugetlb_folio+0xe7/0x140<br /> alloc_pool_huge_folio+0x68/0x100<br /> set_max_huge_pages+0x13d/0x340<br /> hugetlb_sysctl_handler_common+0xe8/0x110<br /> proc_sys_call_handler+0x194/0x280<br /> vfs_write+0x387/0x550<br /> ksys_write+0x64/0xe0<br /> do_syscall_64+0xc2/0x1d0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7ff916114887<br /> RSP: 002b:00007ffec8a2fd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001<br /> RAX: ffffffffffffffda RBX: 000055eae500e350 RCX: 00007ff916114887<br /> RDX: 0000000000000004 RSI: 000055eae500e390 RDI: 0000000000000003<br /> RBP: 000055eae50104c0 R08: 0000000000000000 R09: 000055eae50104c0<br /> R10: 0000000000000077 R11: 0000000000000246 R12: 0000000000000004<br /> R13: 0000000000000004 R14: 00007ff916216b80 R15: 00007ff916216a00<br /> <br /> Modules linked in: mce_inject hwpoison_inject<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> And before the panic, there had an warning about bad page state:<br /> <br /> BUG: Bad page state in process page-types pfn:8cee00<br /> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00<br /> flags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)<br /> page_type: 0xffffff7f(buddy)<br /> raw: 06fffe0000000000 ffffd901241c0008 ffffd901240f8008 0000000000000000<br /> raw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000<br /> page dumped because: nonzero mapcount<br /> Modules linked in: mce_inject hwpoison_inject<br /> CPU: 8 PID: 154211 Comm: page-types Not tainted 6.9.0-rc4-00499-g5544ec3178e2-dirty #22<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x83/0xa0<br /> bad_page+0x63/0xf0<br /> free_unref_page+0x36e/0x5c0<br /> unpoison_memory+0x50b/0x630<br /> simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110<br /> debugfs_attr_write+0x42/0x60<br /> full_proxy_write+0x5b/0x80<br /> vfs_write+0xcd/0x550<br /> ksys_write+0x64/0xe0<br /> do_syscall_64+0xc2/0x1d0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7f189a514887<br /> RSP: 002b:00007ffdcd899718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001<br /> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f189a514887<br /> RDX: 0000000000000009 RSI: 00007ffdcd899730 RDI: 0000000000000003<br /> RBP: 00007ffdcd8997a0 R08: 0000000000000000 R09: 00007ffdcd8994b2<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdcda199a8<br /> R13: 0000000000404af1 R14: 000000000040ad78 R15: 00007f189a7a5040<br /> <br /> <br /> The root cause should be the below race:<br /> <br /> memory_failure<br /> try_memory_failure_hugetlb<br /> me_huge_page<br /> __page_handle_poison<br /> dissolve_free_hugetlb_folio<br /> drain_all_pages -- Buddy page can be isolated e.g. for compaction.<br /> take_page_off_buddy -- Failed as page is not in the <br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring: check for non-NULL file pointer in io_file_can_poll()<br /> <br /> In earlier kernels, it was possible to trigger a NULL pointer<br /> dereference off the forced async preparation path, if no file had<br /> been assigned. The trace leading to that looks as follows:<br /> <br /> BUG: kernel NULL pointer dereference, address: 00000000000000b0<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] PREEMPT SMP<br /> CPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022<br /> RIP: 0010:io_buffer_select+0xc3/0x210<br /> Code: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b<br /> RSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246<br /> RAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040<br /> RDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700<br /> RBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020<br /> R10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8<br /> R13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000<br /> FS: 00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0<br /> Call Trace:<br /> <br /> ? __die+0x1f/0x60<br /> ? page_fault_oops+0x14d/0x420<br /> ? do_user_addr_fault+0x61/0x6a0<br /> ? exc_page_fault+0x6c/0x150<br /> ? asm_exc_page_fault+0x22/0x30<br /> ? io_buffer_select+0xc3/0x210<br /> __io_import_iovec+0xb5/0x120<br /> io_readv_prep_async+0x36/0x70<br /> io_queue_sqe_fallback+0x20/0x260<br /> io_submit_sqes+0x314/0x630<br /> __do_sys_io_uring_enter+0x339/0xbc0<br /> ? __do_sys_io_uring_register+0x11b/0xc50<br /> ? vm_mmap_pgoff+0xce/0x160<br /> do_syscall_64+0x5f/0x180<br /> entry_SYSCALL_64_after_hwframe+0x46/0x4e<br /> RIP: 0033:0x55e0a110a67e<br /> Code: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6<br /> <br /> because the request is marked forced ASYNC and has a bad file fd, and<br /> hence takes the forced async prep path.<br /> <br /> Current kernels with the request async prep cleaned up can no longer hit<br /> this issue, but for ease of backporting, let&amp;#39;s add this safety check in<br /> here too as it really doesn&amp;#39;t hurt. For both cases, this will inevitably<br /> end with a CQE posted with -EBADF.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> 9p: add missing locking around taking dentry fid list<br /> <br /> Fix a use-after-free on dentry&amp;#39;s d_fsdata fid list when a thread<br /> looks up a fid through dentry while another thread unlinks it:<br /> <br /> UAF thread:<br /> refcount_t: addition on 0; use-after-free.<br /> p9_fid_get linux/./include/net/9p/client.h:262<br /> v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129<br /> v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181<br /> v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314<br /> v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400<br /> vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248<br /> <br /> Freed by:<br /> p9_fid_destroy (inlined)<br /> p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456<br /> p9_fid_put linux/./include/net/9p/client.h:278<br /> v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55<br /> v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518<br /> vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335<br /> <br /> The problem is that d_fsdata was not accessed under d_lock, because<br /> d_release() normally is only called once the dentry is otherwise no<br /> longer accessible but since we also call it explicitly in v9fs_remove<br /> that lock is required:<br /> move the hlist out of the dentry under lock then unref its fids once<br /> they are no longer accessible.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: protect folio::private when attaching extent buffer folios<br /> <br /> [BUG]<br /> Since v6.8 there are rare kernel crashes reported by various people,<br /> the common factor is bad page status error messages like this:<br /> <br /> BUG: Bad page state in process kswapd0 pfn:d6e840<br /> page: refcount:0 mapcount:0 mapping:000000007512f4f2 index:0x2796c2c7c<br /> pfn:0xd6e840<br /> aops:btree_aops ino:1<br /> flags: 0x17ffffe0000008(uptodate|node=0|zone=2|lastcpupid=0x3fffff)<br /> page_type: 0xffffffff()<br /> raw: 0017ffffe0000008 dead000000000100 dead000000000122 ffff88826d0be4c0<br /> raw: 00000002796c2c7c 0000000000000000 00000000ffffffff 0000000000000000<br /> page dumped because: non-NULL mapping<br /> <br /> [CAUSE]<br /> Commit 09e6cef19c9f ("btrfs: refactor alloc_extent_buffer() to<br /> allocate-then-attach method") changes the sequence when allocating a new<br /> extent buffer.<br /> <br /> Previously we always called grab_extent_buffer() under<br /> mapping-&gt;i_private_lock, to ensure the safety on modification on<br /> folio::private (which is a pointer to extent buffer for regular<br /> sectorsize).<br /> <br /> This can lead to the following race:<br /> <br /> Thread A is trying to allocate an extent buffer at bytenr X, with 4<br /> 4K pages, meanwhile thread B is trying to release the page at X + 4K<br /> (the second page of the extent buffer at X).<br /> <br /> Thread A | Thread B<br /> -----------------------------------+-------------------------------------<br /> | btree_release_folio()<br /> | | This is for the page at X + 4K,<br /> | | Not page X.<br /> | |<br /> alloc_extent_buffer() | |- release_extent_buffer()<br /> |- filemap_add_folio() for the | | |- atomic_dec_and_test(eb-&gt;refs)<br /> | page at bytenr X (the first | | |<br /> | page). | | |<br /> | Which returned -EEXIST. | | |<br /> | | | |<br /> |- filemap_lock_folio() | | |<br /> | Returned the first page locked. | | |<br /> | | | |<br /> |- grab_extent_buffer() | | |<br /> | |- atomic_inc_not_zero() | | |<br /> | | Returned false | | |<br /> | |- folio_detach_private() | | |- folio_detach_private() for X<br /> | |- folio_test_private() | | |- folio_test_private()<br /> | Returned true | | | Returned true<br /> |- folio_put() | |- folio_put()<br /> <br /> Now there are two puts on the same folio at folio X, leading to refcount<br /> underflow of the folio X, and eventually causing the BUG_ON() on the<br /> page-&gt;mapping.<br /> <br /> The condition is not that easy to hit:<br /> <br /> - The release must be triggered for the middle page of an eb<br /> If the release is on the same first page of an eb, page lock would kick<br /> in and prevent the race.<br /> <br /> - folio_detach_private() has a very small race window<br /> It&amp;#39;s only between folio_test_private() and folio_clear_private().<br /> <br /> That&amp;#39;s exactly when mapping-&gt;i_private_lock is used to prevent such race,<br /> and commit 09e6cef19c9f ("btrfs: refactor alloc_extent_buffer() to<br /> allocate-then-attach method") screwed that up.<br /> <br /> At that time, I thought the page lock would kick in as<br /> filemap_release_folio() also requires the page to be locked, but forgot<br /> the filemap_release_folio() only locks one page, not all pages of an<br /> extent buffer.<br /> <br /> [FIX]<br /> Move all the code requiring i_private_lock into<br /> attach_eb_folio_to_filemap(), so that everything is done with proper<br /> lock protection.<br /> <br /> Furthermore to prevent future problems, add an extra<br /> lockdep_assert_locked() to ensure we&amp;#39;re holding the proper lock.<br /> <br /> To reproducer that is able to hit the race (takes a few minutes with<br /> instrumented code inserting delays to alloc_extent_buffer()):<br /> <br /> #!/bin/sh<br /> drop_caches () {<br /> while(true); do<br /> echo 3 &gt; /proc/sys/vm/drop_caches<br /> echo 1 &gt; /proc/sys/vm/compact_memory<br /> done<br /> }<br /> <br /> run_tar () {<br /> while(true); do<br /> for x in `seq 1 80` ; do<br /> tar cf /dev/zero /mnt &gt; /dev/null &amp;<br /> done<br /> wait<br /> done<br /> }<br /> <br /> mkfs.btrfs -f -d single -m single<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after()<br /> <br /> irq_find_at_or_after() dereferences the interrupt descriptor which is<br /> returned by mt_find() while neither holding sparse_irq_lock nor RCU read<br /> lock, which means the descriptor can be freed between mt_find() and the<br /> dereference:<br /> <br /> CPU0 CPU1<br /> desc = mt_find()<br /> delayed_free_desc(desc)<br /> irq_desc_get_irq(desc)<br /> <br /> The use-after-free is reported by KASAN:<br /> <br /> Call trace:<br /> irq_get_next_irq+0x58/0x84<br /> show_stat+0x638/0x824<br /> seq_read_iter+0x158/0x4ec<br /> proc_reg_read_iter+0x94/0x12c<br /> vfs_read+0x1e0/0x2c8<br /> <br /> Freed by task 4471:<br /> slab_free_freelist_hook+0x174/0x1e0<br /> __kmem_cache_free+0xa4/0x1dc<br /> kfree+0x64/0x128<br /> irq_kobj_release+0x28/0x3c<br /> kobject_put+0xcc/0x1e0<br /> delayed_free_desc+0x14/0x2c<br /> rcu_do_batch+0x214/0x720<br /> <br /> Guard the access with a RCU read lock section.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> s390/ap: Fix crash in AP internal function modify_bitmap()<br /> <br /> A system crash like this<br /> <br /> Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403<br /> Fault in home space mode while using kernel ASCE.<br /> AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d<br /> Oops: 0038 ilc:3 [#1] PREEMPT SMP<br /> Modules linked in: mlx5_ib ...<br /> CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8<br /> Hardware name: IBM 3931 A01 704 (LPAR)<br /> Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)<br /> R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3<br /> Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3<br /> 000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0<br /> 000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff<br /> 000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8<br /> Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a<br /> 0000014b75e7b600: 18b2 lr %r11,%r2<br /> #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616<br /> &gt;0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13)<br /> 0000014b75e7b60c: a7680001 lhi %r6,1<br /> 0000014b75e7b610: 187b lr %r7,%r11<br /> 0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654<br /> 0000014b75e7b616: 18e9 lr %r14,%r9<br /> Call Trace:<br /> [] ap_parse_bitmap_str+0x10e/0x1f8<br /> ([] ap_parse_bitmap_str+0xe4/0x1f8)<br /> [] apmask_store+0x68/0x140<br /> [] kernfs_fop_write_iter+0x14e/0x1e8<br /> [] vfs_write+0x1b4/0x448<br /> [] ksys_write+0x74/0x100<br /> [] __do_syscall+0x268/0x328<br /> [] system_call+0x70/0x98<br /> INFO: lockdep is turned off.<br /> Last Breaking-Event-Address:<br /> [] ap_parse_bitmap_str+0x13e/0x1f8<br /> Kernel panic - not syncing: Fatal exception: panic_on_oops<br /> <br /> occured when /sys/bus/ap/a[pq]mask was updated with a relative mask value<br /> (like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.<br /> <br /> The fix is simple: use unsigned long values for the internal variables. The<br /> correct checks are already in place in the function but a simple int for<br /> the internal variables was used with the possibility to overflow.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix mb_cache_entry&amp;#39;s e_refcnt leak in ext4_xattr_block_cache_find()<br /> <br /> Syzbot reports a warning as follows:<br /> <br /> ============================================<br /> WARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290<br /> Modules linked in:<br /> CPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7<br /> RIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419<br /> Call Trace:<br /> <br /> ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375<br /> generic_shutdown_super+0x136/0x2d0 fs/super.c:641<br /> kill_block_super+0x44/0x90 fs/super.c:1675<br /> ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327<br /> [...]<br /> ============================================<br /> <br /> This is because when finding an entry in ext4_xattr_block_cache_find(), if<br /> ext4_sb_bread() returns -ENOMEM, the ce&amp;#39;s e_refcnt, which has already grown<br /> in the __entry_find(), won&amp;#39;t be put away, and eventually trigger the above<br /> issue in mb_cache_destroy() due to reference count leakage.<br /> <br /> So call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.