Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error<br /> <br /> Make knav_dma_open_channel consistently return NULL on error instead<br /> of ERR_PTR. Currently the header include/linux/soc/ti/knav_dma.h<br /> returns NULL when the driver is disabled, but the driver<br /> implementation does not even return NULL or ERR_PTR on failure,<br /> causing inconsistency in the users. This results in a crash in<br /> netcp_free_navigator_resources as followed (trimmed):<br /> <br /> Unhandled fault: alignment exception (0x221) at 0xfffffff2<br /> [fffffff2] *pgd=80000800207003, *pmd=82ffda003, *pte=00000000<br /> Internal error: : 221 [#1] SMP ARM<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc7 #1 NONE<br /> Hardware name: Keystone<br /> PC is at knav_dma_close_channel+0x30/0x19c<br /> LR is at netcp_free_navigator_resources+0x2c/0x28c<br /> <br /> [... TRIM...]<br /> <br /> Call trace:<br /> knav_dma_close_channel from netcp_free_navigator_resources+0x2c/0x28c<br /> netcp_free_navigator_resources from netcp_ndo_open+0x430/0x46c<br /> netcp_ndo_open from __dev_open+0x114/0x29c<br /> __dev_open from __dev_change_flags+0x190/0x208<br /> __dev_change_flags from netif_change_flags+0x1c/0x58<br /> netif_change_flags from dev_change_flags+0x38/0xa0<br /> dev_change_flags from ip_auto_config+0x2c4/0x11f0<br /> ip_auto_config from do_one_initcall+0x58/0x200<br /> do_one_initcall from kernel_init_freeable+0x1cc/0x238<br /> kernel_init_freeable from kernel_init+0x1c/0x12c<br /> kernel_init from ret_from_fork+0x14/0x38<br /> [... TRIM...]<br /> <br /> Standardize the error handling by making the function return NULL on<br /> all error conditions. The API is used in just the netcp_core.c so the<br /> impact is limited.<br /> <br /> Note, this change, in effect reverts commit 5b6cb43b4d62 ("net:<br /> ethernet: ti: netcp_core: return error while dma channel open issue"),<br /> but provides a less error prone implementation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: fix address removal logic in mptcp_pm_nl_rm_addr<br /> <br /> Fix inverted WARN_ON_ONCE condition that prevented normal address<br /> removal counter updates. The current code only executes decrement<br /> logic when the counter is already 0 (abnormal state), while<br /> normal removals (counter &gt; 0) are ignored.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc<br /> <br /> s32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its<br /> fields are initialized. Notably, num_custom_params is used in<br /> pinconf_generic_parse_dt_config(), resulting in intermittent allocation<br /> errors, such as the following splat when probing i2c-imx:<br /> <br /> WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300<br /> [...]<br /> Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT)<br /> [...]<br /> Call trace:<br /> __alloc_pages_noprof+0x290/0x300 (P)<br /> ___kmalloc_large_node+0x84/0x168<br /> __kmalloc_large_node_noprof+0x34/0x120<br /> __kmalloc_noprof+0x2ac/0x378<br /> pinconf_generic_parse_dt_config+0x68/0x1a0<br /> s32_dt_node_to_map+0x104/0x248<br /> dt_to_map_one_config+0x154/0x1d8<br /> pinctrl_dt_to_map+0x12c/0x280<br /> create_pinctrl+0x6c/0x270<br /> pinctrl_get+0xc0/0x170<br /> devm_pinctrl_get+0x50/0xa0<br /> pinctrl_bind_pins+0x60/0x2a0<br /> really_probe+0x60/0x3a0<br /> [...]<br /> __platform_driver_register+0x2c/0x40<br /> i2c_adap_imx_init+0x28/0xff8 [i2c_imx]<br /> [...]<br /> <br /> This results in later parse failures that can cause issues in dependent<br /> drivers:<br /> <br /> s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property<br /> s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property<br /> [...]<br /> pca953x 0-0022: failed writing register: -6<br /> i2c i2c-0: IMX I2C adapter registered<br /> s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property<br /> s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property<br /> i2c i2c-1: IMX I2C adapter registered<br /> s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property<br /> s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property<br /> i2c i2c-2: IMX I2C adapter registered<br /> <br /> Fix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of<br /> devm_kmalloc() in s32_pinctrl_probe(), which sets the previously<br /> uninitialized fields to zero.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/radeon: delete radeon_fence_process in is_signaled, no deadlock<br /> <br /> Delete the attempt to progress the queue when checking if fence is<br /> signaled. This avoids deadlock.<br /> <br /> dma-fence_ops::signaled can be called with the fence lock in unknown<br /> state. For radeon, the fence lock is also the wait queue lock. This can<br /> cause a self deadlock when signaled() tries to make forward progress on<br /> the wait queue. But advancing the queue is unneeded because incorrectly<br /> returning false from signaled() is perfectly acceptable.<br /> <br /> (cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: core: Fix a regression triggered by scsi_host_busy()<br /> <br /> Commit 995412e23bb2 ("blk-mq: Replace tags-&gt;lock with SRCU for tag<br /> iterators") introduced the following regression:<br /> <br /> Call trace:<br /> __srcu_read_lock+0x30/0x80 (P)<br /> blk_mq_tagset_busy_iter+0x44/0x300<br /> scsi_host_busy+0x38/0x70<br /> ufshcd_print_host_state+0x34/0x1bc<br /> ufshcd_link_startup.constprop.0+0xe4/0x2e0<br /> ufshcd_init+0x944/0xf80<br /> ufshcd_pltfrm_init+0x504/0x820<br /> ufs_rockchip_probe+0x2c/0x88<br /> platform_probe+0x5c/0xa4<br /> really_probe+0xc0/0x38c<br /> __driver_probe_device+0x7c/0x150<br /> driver_probe_device+0x40/0x120<br /> __driver_attach+0xc8/0x1e0<br /> bus_for_each_dev+0x7c/0xdc<br /> driver_attach+0x24/0x30<br /> bus_add_driver+0x110/0x230<br /> driver_register+0x68/0x130<br /> __platform_driver_register+0x20/0x2c<br /> ufs_rockchip_pltform_init+0x1c/0x28<br /> do_one_initcall+0x60/0x1e0<br /> kernel_init_freeable+0x248/0x2c4<br /> kernel_init+0x20/0x140<br /> ret_from_fork+0x10/0x20<br /> <br /> Fix this regression by making scsi_host_busy() check whether the SCSI<br /> host tag set has already been initialized. tag_set-&gt;ops is set by<br /> scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This<br /> fix is based on the assumption that scsi_host_busy() and<br /> scsi_mq_setup_tags() calls are serialized. This is the case in the UFS<br /> driver.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> lib/test_kho: check if KHO is enabled<br /> <br /> We must check whether KHO is enabled prior to issuing KHO commands,<br /> otherwise KHO internal data structures are not initialized.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: Fix uninitialized &amp;#39;offp&amp;#39; in statmount_string()<br /> <br /> In statmount_string(), most flags assign an output offset pointer (offp)<br /> which is later updated with the string offset. However, the<br /> STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the<br /> struct fields instead of using offp. This leaves offp uninitialized,<br /> leading to a possible uninitialized dereference when *offp is updated.<br /> <br /> Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code<br /> path consistent.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> idpf: fix possible vport_config NULL pointer deref in remove<br /> <br /> Attempting to remove the driver will cause a crash in cases where<br /> the vport failed to initialize. Following trace is from an instance where<br /> the driver failed during an attempt to create a VF:<br /> [ 1661.543624] idpf 0000:84:00.7: Device HW Reset initiated<br /> [ 1722.923726] idpf 0000:84:00.7: Transaction timed-out (op:1 cookie:2900 vc_op:1 salt:29 timeout:60000ms)<br /> [ 1723.353263] BUG: kernel NULL pointer dereference, address: 0000000000000028<br /> ...<br /> [ 1723.358472] RIP: 0010:idpf_remove+0x11c/0x200 [idpf]<br /> ...<br /> [ 1723.364973] Call Trace:<br /> [ 1723.365475] <br /> [ 1723.365972] pci_device_remove+0x42/0xb0<br /> [ 1723.366481] device_release_driver_internal+0x1a9/0x210<br /> [ 1723.366987] pci_stop_bus_device+0x6d/0x90<br /> [ 1723.367488] pci_stop_and_remove_bus_device+0x12/0x20<br /> [ 1723.367971] pci_iov_remove_virtfn+0xbd/0x120<br /> [ 1723.368309] sriov_disable+0x34/0xe0<br /> [ 1723.368643] idpf_sriov_configure+0x58/0x140 [idpf]<br /> [ 1723.368982] sriov_numvfs_store+0xda/0x1c0<br /> <br /> Avoid the NULL pointer dereference by adding NULL pointer check for<br /> vport_config[i], before freeing user_config.q_coalesce.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> timers: Fix NULL function pointer race in timer_shutdown_sync()<br /> <br /> There is a race condition between timer_shutdown_sync() and timer<br /> expiration that can lead to hitting a WARN_ON in expire_timers().<br /> <br /> The issue occurs when timer_shutdown_sync() clears the timer function<br /> to NULL while the timer is still running on another CPU. The race<br /> scenario looks like this:<br /> <br /> CPU0 CPU1<br /> <br /> lock_timer_base()<br /> expire_timers()<br /> base-&gt;running_timer = timer;<br /> unlock_timer_base()<br /> [call_timer_fn enter]<br /> mod_timer()<br /> ...<br /> timer_shutdown_sync()<br /> lock_timer_base()<br /> // For now, will not detach the timer but only clear its function to NULL<br /> if (base-&gt;running_timer != timer)<br /> ret = detach_if_pending(timer, base, true);<br /> if (shutdown)<br /> timer-&gt;function = NULL;<br /> unlock_timer_base()<br /> [call_timer_fn exit]<br /> lock_timer_base()<br /> base-&gt;running_timer = NULL;<br /> unlock_timer_base()<br /> ...<br /> // Now timer is pending while its function set to NULL.<br /> // next timer trigger<br /> <br /> expire_timers()<br /> WARN_ON_ONCE(!fn) // hit<br /> ...<br /> lock_timer_base()<br /> // Now timer will detach<br /> if (base-&gt;running_timer != timer)<br /> ret = detach_if_pending(timer, base, true);<br /> if (shutdown)<br /> timer-&gt;function = NULL;<br /> unlock_timer_base()<br /> <br /> The problem is that timer_shutdown_sync() clears the timer function<br /> regardless of whether the timer is currently running. This can leave a<br /> pending timer with a NULL function pointer, which triggers the<br /> WARN_ON_ONCE(!fn) check in expire_timers().<br /> <br /> Fix this by only clearing the timer function when actually detaching the<br /> timer. If the timer is running, leave the function pointer intact, which is<br /> safe because the timer will be properly detached when it finishes running.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: fix PTP cleanup on driver removal in error path<br /> <br /> Improve the cleanup on releasing PTP resources in error path.<br /> The error case might happen either at the driver probe and PTP<br /> feature initialization or on PTP restart (errors in reset handling, NVM<br /> update etc). In both cases, calls to PF PTP cleanup (ice_ptp_cleanup_pf<br /> function) and &amp;#39;ps_lock&amp;#39; mutex deinitialization were missed.<br /> Additionally, ptp clock was not unregistered in the latter case.<br /> <br /> Keep PTP state as &amp;#39;uninitialized&amp;#39; on init to distinguish between error<br /> scenarios and to avoid resource release duplication at driver removal.<br /> <br /> The consequence of missing ice_ptp_cleanup_pf call is the following call<br /> trace dumped when ice_adapter object is freed (port list is not empty,<br /> as it is required at this stage):<br /> <br /> [ T93022] ------------[ cut here ]------------<br /> [ T93022] WARNING: CPU: 10 PID: 93022 at<br /> ice/ice_adapter.c:67 ice_adapter_put+0xef/0x100 [ice]<br /> ...<br /> [ T93022] RIP: 0010:ice_adapter_put+0xef/0x100 [ice]<br /> ...<br /> [ T93022] Call Trace:<br /> [ T93022] <br /> [ T93022] ? ice_adapter_put+0xef/0x100 [ice<br /> 33d2647ad4f6d866d41eefff1806df37c68aef0c]<br /> [ T93022] ? __warn.cold+0xb0/0x10e<br /> [ T93022] ? ice_adapter_put+0xef/0x100 [ice<br /> 33d2647ad4f6d866d41eefff1806df37c68aef0c]<br /> [ T93022] ? report_bug+0xd8/0x150<br /> [ T93022] ? handle_bug+0xe9/0x110<br /> [ T93022] ? exc_invalid_op+0x17/0x70<br /> [ T93022] ? asm_exc_invalid_op+0x1a/0x20<br /> [ T93022] ? ice_adapter_put+0xef/0x100 [ice<br /> 33d2647ad4f6d866d41eefff1806df37c68aef0c]<br /> [ T93022] pci_device_remove+0x42/0xb0<br /> [ T93022] device_release_driver_internal+0x19f/0x200<br /> [ T93022] driver_detach+0x48/0x90<br /> [ T93022] bus_remove_driver+0x70/0xf0<br /> [ T93022] pci_unregister_driver+0x42/0xb0<br /> [ T93022] ice_module_exit+0x10/0xdb0 [ice<br /> 33d2647ad4f6d866d41eefff1806df37c68aef0c]<br /> ...<br /> [ T93022] ---[ end trace 0000000000000000 ]---<br /> [ T93022] ice: module unloaded

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> LoongArch: BPF: Disable trampoline for kernel module function trace<br /> <br /> The current LoongArch BPF trampoline implementation is incompatible<br /> with tracing functions in kernel modules. This causes several severe<br /> and user-visible problems:<br /> <br /> * The `bpf_selftests/module_attach` test fails consistently.<br /> * Kernel lockup when a BPF program is attached to a module function [1].<br /> * Critical kernel modules like WireGuard experience traffic disruption<br /> when their functions are traced with fentry [2].<br /> <br /> Given the severity and the potential for other unknown side-effects, it<br /> is safest to disable the feature entirely for now. This patch prevents<br /> the BPF subsystem from allowing trampoline attachments to kernel module<br /> functions on LoongArch.<br /> <br /> This is a temporary mitigation until the core issues in the trampoline<br /> code for kernel module handling can be identified and fixed.<br /> <br /> [root@fedora bpf]# ./test_progs -a module_attach -v<br /> bpf_testmod.ko is already unloaded.<br /> Loading bpf_testmod.ko...<br /> Successfully loaded bpf_testmod.ko.<br /> test_module_attach:PASS:skel_open 0 nsec<br /> test_module_attach:PASS:set_attach_target 0 nsec<br /> test_module_attach:PASS:set_attach_target_explicit 0 nsec<br /> test_module_attach:PASS:skel_load 0 nsec<br /> libbpf: prog &amp;#39;handle_fentry&amp;#39;: failed to attach: -ENOTSUPP<br /> libbpf: prog &amp;#39;handle_fentry&amp;#39;: failed to auto-attach: -ENOTSUPP<br /> test_module_attach:FAIL:skel_attach skeleton attach failed: -524<br /> Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED<br /> Successfully unloaded bpf_testmod.ko.<br /> <br /> [1]: https://lore.kernel.org/loongarch/CAK3+h2wDmpC-hP4u4pJY8T-yfKyk4yRzpu2LMO+C13FMT58oqQ@mail.gmail.com/<br /> [2]: https://lore.kernel.org/loongarch/CAK3+h2wYcpc+OwdLDUBvg2rF9rvvyc5amfHT-KcFaK93uoELPg@mail.gmail.com/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: pegasus-notetaker - fix potential out-of-bounds access<br /> <br /> In the pegasus_notetaker driver, the pegasus_probe() function allocates<br /> the URB transfer buffer using the wMaxPacketSize value from<br /> the endpoint descriptor. An attacker can use a malicious USB descriptor<br /> to force the allocation of a very small buffer.<br /> <br /> Subsequently, if the device sends an interrupt packet with a specific<br /> pattern (e.g., where the first byte is 0x80 or 0x42),<br /> the pegasus_parse_packet() function parses the packet without checking<br /> the allocated buffer size. This leads to an out-of-bounds memory access.