Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfs: Fix KMSAN warning in decode_getfattr_attrs()<br /> <br /> Fix the following KMSAN warning:<br /> <br /> CPU: 1 UID: 0 PID: 7651 Comm: cp Tainted: G B<br /> Tainted: [B]=BAD_PAGE<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)<br /> =====================================================<br /> =====================================================<br /> BUG: KMSAN: uninit-value in decode_getfattr_attrs+0x2d6d/0x2f90<br /> decode_getfattr_attrs+0x2d6d/0x2f90<br /> decode_getfattr_generic+0x806/0xb00<br /> nfs4_xdr_dec_getattr+0x1de/0x240<br /> rpcauth_unwrap_resp_decode+0xab/0x100<br /> rpcauth_unwrap_resp+0x95/0xc0<br /> call_decode+0x4ff/0xb50<br /> __rpc_execute+0x57b/0x19d0<br /> rpc_execute+0x368/0x5e0<br /> rpc_run_task+0xcfe/0xee0<br /> nfs4_proc_getattr+0x5b5/0x990<br /> __nfs_revalidate_inode+0x477/0xd00<br /> nfs_access_get_cached+0x1021/0x1cc0<br /> nfs_do_access+0x9f/0xae0<br /> nfs_permission+0x1e4/0x8c0<br /> inode_permission+0x356/0x6c0<br /> link_path_walk+0x958/0x1330<br /> path_lookupat+0xce/0x6b0<br /> filename_lookup+0x23e/0x770<br /> vfs_statx+0xe7/0x970<br /> vfs_fstatat+0x1f2/0x2c0<br /> __se_sys_newfstatat+0x67/0x880<br /> __x64_sys_newfstatat+0xbd/0x120<br /> x64_sys_call+0x1826/0x3cf0<br /> do_syscall_64+0xd0/0x1b0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> The KMSAN warning is triggered in decode_getfattr_attrs(), when calling<br /> decode_attr_mdsthreshold(). It appears that fattr-&gt;mdsthreshold is not<br /> initialized.<br /> <br /> Fix the issue by initializing fattr-&gt;mdsthreshold to NULL in<br /> nfs_fattr_init().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: dwc3: fix fault at system suspend if device was already runtime suspended<br /> <br /> If the device was already runtime suspended then during system suspend<br /> we cannot access the device registers else it will crash.<br /> <br /> Also we cannot access any registers after dwc3_core_exit() on some<br /> platforms so move the dwc3_enable_susphy() call to the top.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> platform/x86/amd/pmc: Detect when STB is not available<br /> <br /> Loading the amd_pmc module as:<br /> <br /> amd_pmc enable_stb=1<br /> <br /> ...can result in the following messages in the kernel ring buffer:<br /> <br /> amd_pmc AMDI0009:00: SMU cmd failed. err: 0xff<br /> ioremap on RAM at 0x0000000000000000 - 0x0000000000ffffff<br /> WARNING: CPU: 10 PID: 2151 at arch/x86/mm/ioremap.c:217 __ioremap_caller+0x2cd/0x340<br /> <br /> Further debugging reveals that this occurs when the requests for<br /> S2D_PHYS_ADDR_LOW and S2D_PHYS_ADDR_HIGH return a value of 0,<br /> indicating that the STB is inaccessible. To prevent the ioremap<br /> warning and provide clarity to the user, handle the invalid address<br /> and display an error message.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: init: protect sched with rcu_read_lock<br /> <br /> Enabling CONFIG_PROVE_RCU_LIST with its dependence CONFIG_RCU_EXPERT<br /> creates this splat when an MPTCP socket is created:<br /> <br /> =============================<br /> WARNING: suspicious RCU usage<br /> 6.12.0-rc2+ #11 Not tainted<br /> -----------------------------<br /> net/mptcp/sched.c:44 RCU-list traversed in non-reader section!!<br /> <br /> other info that might help us debug this:<br /> <br /> rcu_scheduler_active = 2, debug_locks = 1<br /> no locks held by mptcp_connect/176.<br /> <br /> stack backtrace:<br /> CPU: 0 UID: 0 PID: 176 Comm: mptcp_connect Not tainted 6.12.0-rc2+ #11<br /> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011<br /> Call Trace:<br /> <br /> dump_stack_lvl (lib/dump_stack.c:123)<br /> lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)<br /> mptcp_sched_find (net/mptcp/sched.c:44 (discriminator 7))<br /> mptcp_init_sock (net/mptcp/protocol.c:2867 (discriminator 1))<br /> ? sock_init_data_uid (arch/x86/include/asm/atomic.h:28)<br /> inet_create.part.0.constprop.0 (net/ipv4/af_inet.c:386)<br /> ? __sock_create (include/linux/rcupdate.h:347 (discriminator 1))<br /> __sock_create (net/socket.c:1576)<br /> __sys_socket (net/socket.c:1671)<br /> ? __pfx___sys_socket (net/socket.c:1712)<br /> ? do_user_addr_fault (arch/x86/mm/fault.c:1419 (discriminator 1))<br /> __x64_sys_socket (net/socket.c:1728)<br /> do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1))<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)<br /> <br /> That&amp;#39;s because when the socket is initialised, rcu_read_lock() is not<br /> used despite the explicit comment written above the declaration of<br /> mptcp_sched_find() in sched.c. Adding the missing lock/unlock avoids the<br /> warning.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: fix crash on probe for DPLL enabled E810 LOM<br /> <br /> The E810 Lan On Motherboard (LOM) design is vendor specific. Intel<br /> provides the reference design, but it is up to vendor on the final<br /> product design. For some cases, like Linux DPLL support, the static<br /> values defined in the driver does not reflect the actual LOM design.<br /> Current implementation of dpll pins is causing the crash on probe<br /> of the ice driver for such DPLL enabled E810 LOM designs:<br /> <br /> WARNING: (...) at drivers/dpll/dpll_core.c:495 dpll_pin_get+0x2c4/0x330<br /> ...<br /> Call Trace:<br /> <br /> ? __warn+0x83/0x130<br /> ? dpll_pin_get+0x2c4/0x330<br /> ? report_bug+0x1b7/0x1d0<br /> ? handle_bug+0x42/0x70<br /> ? exc_invalid_op+0x18/0x70<br /> ? asm_exc_invalid_op+0x1a/0x20<br /> ? dpll_pin_get+0x117/0x330<br /> ? dpll_pin_get+0x2c4/0x330<br /> ? dpll_pin_get+0x117/0x330<br /> ice_dpll_get_pins.isra.0+0x52/0xe0 [ice]<br /> ...<br /> <br /> The number of dpll pins enabled by LOM vendor is greater than expected<br /> and defined in the driver for Intel designed NICs, which causes the crash.<br /> <br /> Prevent the crash and allow generic pin initialization within Linux DPLL<br /> subsystem for DPLL enabled E810 LOM designs.<br /> <br /> Newly designed solution for described issue will be based on "per HW<br /> design" pin initialization. It requires pin information dynamically<br /> acquired from the firmware and is already in progress, planned for<br /> next-tree only.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> slub/kunit: fix a WARNING due to unwrapped __kmalloc_cache_noprof<br /> <br /> &amp;#39;modprobe slub_kunit&amp;#39; will have a warning as shown below. The root cause<br /> is that __kmalloc_cache_noprof was directly used, which resulted in no<br /> alloc_tag being allocated. This caused current-&gt;alloc_tag to be null,<br /> leading to a warning in alloc_tag_add_check.<br /> <br /> Let&amp;#39;s add an alloc_hook layer to __kmalloc_cache_noprof specifically<br /> within lib/slub_kunit.c, which is the only user of this internal slub<br /> function outside kmalloc implementation itself.<br /> <br /> [58162.947016] WARNING: CPU: 2 PID: 6210 at<br /> ./include/linux/alloc_tag.h:125 alloc_tagging_slab_alloc_hook+0x268/0x27c<br /> [58162.957721] Call trace:<br /> [58162.957919] alloc_tagging_slab_alloc_hook+0x268/0x27c<br /> [58162.958286] __kmalloc_cache_noprof+0x14c/0x344<br /> [58162.958615] test_kmalloc_redzone_access+0x50/0x10c [slub_kunit]<br /> [58162.959045] kunit_try_run_case+0x74/0x184 [kunit]<br /> [58162.959401] kunit_generic_run_threadfn_adapter+0x2c/0x4c [kunit]<br /> [58162.959841] kthread+0x10c/0x118<br /> [58162.960093] ret_from_fork+0x10/0x20<br /> [58162.960363] ---[ end trace 0000000000000000 ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915/hdcp: Add encoder check in hdcp2_get_capability<br /> <br /> Add encoder check in intel_hdcp2_get_capability to avoid<br /> null pointer error.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability<br /> <br /> Sometimes during hotplug scenario or suspend/resume scenario encoder is<br /> not always initialized when intel_hdcp_get_capability add<br /> a check to avoid kernel null pointer dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: core: Fix another deadlock during RTC update<br /> <br /> If ufshcd_rtc_work calls ufshcd_rpm_put_sync() and the pm&amp;#39;s usage_count<br /> is 0, we will enter the runtime suspend callback. However, the runtime<br /> suspend callback will wait to flush ufshcd_rtc_work, causing a deadlock.<br /> <br /> Replace ufshcd_rpm_put_sync() with ufshcd_rpm_put() to avoid the<br /> deadlock.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/mediatek: Fix potential NULL dereference in mtk_crtc_destroy()<br /> <br /> In mtk_crtc_create(), if the call to mbox_request_channel() fails then we<br /> set the "mtk_crtc-&gt;cmdq_client.chan" pointer to NULL. In that situation,<br /> we do not call cmdq_pkt_create().<br /> <br /> During the cleanup, we need to check if the "mtk_crtc-&gt;cmdq_client.chan"<br /> is NULL first before calling cmdq_pkt_destroy(). Calling<br /> cmdq_pkt_destroy() is unnecessary if we didn&amp;#39;t call cmdq_pkt_create() and<br /> it will result in a NULL pointer dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/rw: fix missing NOWAIT check for O_DIRECT start write<br /> <br /> When io_uring starts a write, it&amp;#39;ll call kiocb_start_write() to bump the<br /> super block rwsem, preventing any freezes from happening while that<br /> write is in-flight. The freeze side will grab that rwsem for writing,<br /> excluding any new writers from happening and waiting for existing writes<br /> to finish. But io_uring unconditionally uses kiocb_start_write(), which<br /> will block if someone is currently attempting to freeze the mount point.<br /> This causes a deadlock where freeze is waiting for previous writes to<br /> complete, but the previous writes cannot complete, as the task that is<br /> supposed to complete them is blocked waiting on starting a new write.<br /> This results in the following stuck trace showing that dependency with<br /> the write blocked starting a new write:<br /> <br /> task:fio state:D stack:0 pid:886 tgid:886 ppid:876<br /> Call trace:<br /> __switch_to+0x1d8/0x348<br /> __schedule+0x8e8/0x2248<br /> schedule+0x110/0x3f0<br /> percpu_rwsem_wait+0x1e8/0x3f8<br /> __percpu_down_read+0xe8/0x500<br /> io_write+0xbb8/0xff8<br /> io_issue_sqe+0x10c/0x1020<br /> io_submit_sqes+0x614/0x2110<br /> __arm64_sys_io_uring_enter+0x524/0x1038<br /> invoke_syscall+0x74/0x268<br /> el0_svc_common.constprop.0+0x160/0x238<br /> do_el0_svc+0x44/0x60<br /> el0_svc+0x44/0xb0<br /> el0t_64_sync_handler+0x118/0x128<br /> el0t_64_sync+0x168/0x170<br /> INFO: task fsfreeze:7364 blocked for more than 15 seconds.<br /> Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963<br /> <br /> with the attempting freezer stuck trying to grab the rwsem:<br /> <br /> task:fsfreeze state:D stack:0 pid:7364 tgid:7364 ppid:995<br /> Call trace:<br /> __switch_to+0x1d8/0x348<br /> __schedule+0x8e8/0x2248<br /> schedule+0x110/0x3f0<br /> percpu_down_write+0x2b0/0x680<br /> freeze_super+0x248/0x8a8<br /> do_vfs_ioctl+0x149c/0x1b18<br /> __arm64_sys_ioctl+0xd0/0x1a0<br /> invoke_syscall+0x74/0x268<br /> el0_svc_common.constprop.0+0x160/0x238<br /> do_el0_svc+0x44/0x60<br /> el0_svc+0x44/0xb0<br /> el0t_64_sync_handler+0x118/0x128<br /> el0t_64_sync+0x168/0x170<br /> <br /> Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a<br /> blocking grab of the super block rwsem if it isn&amp;#39;t set. For normal issue<br /> where IOCB_NOWAIT would always be set, this returns -EAGAIN which will<br /> have io_uring core issue a blocking attempt of the write. That will in<br /> turn also get completions run, ensuring forward progress.<br /> <br /> Since freezing requires CAP_SYS_ADMIN in the first place, this isn&amp;#39;t<br /> something that can be triggered by a regular user.