Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal: core: Fix thermal zone device registration error path<br /> <br /> If thermal_zone_device_register_with_trips() fails after registering<br /> a thermal zone device, it needs to wait for the tz-&gt;removal completion<br /> like thermal_zone_device_unregister(), in case user space has managed<br /> to take a reference to the thermal zone device&amp;#39;s kobject, in which case<br /> thermal_release() may not be called by the error path itself and tz may<br /> be freed prematurely.<br /> <br /> Add the missing wait_for_completion() call to the thermal zone device<br /> registration error path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: caam - fix overflow on long hmac keys<br /> <br /> When a key longer than block size is supplied, it is copied and then<br /> hashed into the real key. The memory allocated for the copy needs to<br /> be rounded to DMA cache alignment, as otherwise the hashed key may<br /> corrupt neighbouring memory.<br /> <br /> The copying is performed using kmemdup, however this leads to an overflow:<br /> reading more bytes (aligned_len - keylen) from the keylen source buffer.<br /> Fix this by replacing kmemdup with kmalloc, followed by memcpy.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: flowtable: strictly check for maximum number of actions<br /> <br /> The maximum number of flowtable hardware offload actions in IPv6 is:<br /> <br /> * ethernet mangling (4 payload actions, 2 for each ethernet address)<br /> * SNAT (4 payload actions)<br /> * DNAT (4 payload actions)<br /> * Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)<br /> for QinQ.<br /> * Redirect (1 action)<br /> <br /> Which makes 17, while the maximum is 16. But act_ct supports for tunnels<br /> actions too. Note that payload action operates at 32-bit word level, so<br /> mangling an IPv6 address takes 4 payload actions.<br /> <br /> Update flow_action_entry_next() calls to check for the maximum number of<br /> supported actions.<br /> <br /> While at it, rise the maximum number of actions per flow from 16 to 24<br /> so this works fine with IPv6 setups.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/kexec: Disable KCOV instrumentation after load_segments()<br /> <br /> The load_segments() function changes segment registers, invalidating GS base<br /> (which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any<br /> subsequent instrumented C code call (e.g. native_gdt_invalidate()) begins<br /> crashing the kernel in an endless loop.<br /> <br /> To reproduce the problem, it&amp;#39;s sufficient to do kexec on a KCOV-instrumented<br /> kernel:<br /> <br /> $ kexec -l /boot/otherKernel<br /> $ kexec -e<br /> <br /> The real-world context for this problem is enabling crash dump collection in<br /> syzkaller. For this, the tool loads a panic kernel before fuzzing and then<br /> calls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC<br /> and CONFIG_KCOV to be enabled simultaneously.<br /> <br /> Adding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc())<br /> is also undesirable as it would introduce an extra performance overhead.<br /> <br /> Disabling instrumentation for the individual functions would be too fragile,<br /> so disable KCOV instrumentation for the entire machine_kexec_64.c and<br /> physaddr.c. If coverage-guided fuzzing ever needs these components in the<br /> future, other approaches should be considered.<br /> <br /> The problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported<br /> there.<br /> <br /> [ bp: Space out comment for better readability. ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path<br /> <br /> When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls<br /> kobject_put(&amp;dbs_data-&gt;attr_set.kobj).<br /> <br /> The kobject release callback cpufreq_dbs_data_release() calls<br /> gov-&gt;exit(dbs_data) and kfree(dbs_data), but the current error path<br /> then calls gov-&gt;exit(dbs_data) and kfree(dbs_data) again, causing a<br /> double free.<br /> <br /> Keep the direct kfree(dbs_data) for the gov-&gt;init() failure path, but<br /> after kobject_init_and_add() has been called, let kobject_put() handle<br /> the cleanup through cpufreq_dbs_data_release().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched_ext: Fix SCX_KICK_WAIT deadlock by deferring wait to balance callback<br /> <br /> SCX_KICK_WAIT busy-waits in kick_cpus_irq_workfn() using<br /> smp_cond_load_acquire() until the target CPU&amp;#39;s kick_sync advances. Because<br /> the irq_work runs in hardirq context, the waiting CPU cannot reschedule and<br /> its own kick_sync never advances. If multiple CPUs form a wait cycle, all<br /> CPUs deadlock.<br /> <br /> Replace the busy-wait in kick_cpus_irq_workfn() with resched_curr() to<br /> force the CPU through do_pick_task_scx(), which queues a balance callback<br /> to perform the wait. The balance callback drops the rq lock and enables<br /> IRQs following the sched_core_balance() pattern, so the CPU can process<br /> IPIs while waiting. The local CPU&amp;#39;s kick_sync is advanced on entry to<br /> do_pick_task_scx() and continuously during the wait, ensuring any CPU that<br /> starts waiting for us sees the advancement and cannot form cyclic<br /> dependencies.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: dummy-hcd: Fix locking/synchronization error<br /> <br /> Syzbot testing was able to provoke an addressing exception and crash<br /> in the usb_gadget_udc_reset() routine in<br /> drivers/usb/gadgets/udc/core.c, resulting from the fact that the<br /> routine was called with a second ("driver") argument of NULL. The bad<br /> caller was set_link_state() in dummy_hcd.c, and the problem arose<br /> because of a race between a USB reset and driver unbind.<br /> <br /> These sorts of races were not supposed to be possible; commit<br /> 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"),<br /> along with a few followup commits, was written specifically to prevent<br /> them. As it turns out, there are (at least) two errors remaining in<br /> the code. Another patch will address the second error; this one is<br /> concerned with the first.<br /> <br /> The error responsible for the syzbot crash occurred because the<br /> stop_activity() routine will sometimes drop and then re-acquire the<br /> dum-&gt;lock spinlock. A call to stop_activity() occurs in<br /> set_link_state() when handling an emulated USB reset, after the test<br /> of dum-&gt;ints_enabled and before the increment of dum-&gt;callback_usage.<br /> This allowed another thread (doing a driver unbind) to sneak in and<br /> grab the spinlock, and then clear dum-&gt;ints_enabled and dum-&gt;driver.<br /> Normally this other thread would have to wait for dum-&gt;callback_usage<br /> to go down to 0 before it would clear dum-&gt;driver, but in this case it<br /> didn&amp;#39;t have to wait since dum-&gt;callback_usage had not yet been<br /> incremented.<br /> <br /> The fix is to increment dum-&gt;callback_usage _before_ calling<br /> stop_activity() instead of after. Then the thread doing the unbind<br /> will not clear dum-&gt;driver until after the call to<br /> usb_gadget_udc_reset() safely returns and dum-&gt;callback_usage has been<br /> decremented again.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: dummy-hcd: Fix interrupt synchronization error<br /> <br /> This fixes an error in synchronization in the dummy-hcd driver. The<br /> error has a somewhat involved history. The synchronization mechanism<br /> was introduced by commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous<br /> synchronization change"), which added an emulated "interrupts enabled"<br /> flag together with code emulating synchronize_irq() (it waits until<br /> all current handler callbacks have returned).<br /> <br /> But the emulated interrupt-disable occurred too late, after the driver<br /> containing the handler callback routines had been told that it was<br /> unbound and no more callbacks would occur. Commit 4a5d797a9f9c ("usb:<br /> gadget: dummy_hcd: fix gpf in gadget_setup") tried to fix this by<br /> moving the synchronize_irq() emulation code from dummy_stop() to<br /> dummy_pullup(), which runs before the unbind callback.<br /> <br /> There still were races, though, because the emulated interrupt-disable<br /> still occurred too late. It couldn&amp;#39;t be moved to dummy_pullup(),<br /> because that routine can be called for reasons other than an impending<br /> unbind. Therefore commits 7dc0c55e9f30 ("USB: UDC core: Add<br /> udc_async_callbacks gadget op") and 04145a03db9d ("USB: UDC: Implement<br /> udc_async_callbacks in dummy-hcd") added an API allowing the UDC core<br /> to tell dummy-hcd exactly when emulated interrupts and their callbacks<br /> should be disabled.<br /> <br /> That brings us to the current state of things, which is still wrong<br /> because the emulated synchronize_irq() occurs before the emulated<br /> interrupt-disable! That&amp;#39;s no good, beause it means that more emulated<br /> interrupts can occur after the synchronize_irq() emulation has run,<br /> leading to the possibility that a callback handler may be running when<br /> the gadget driver is unbound.<br /> <br /> To fix this, we have to move the synchronize_irq() emulation code yet<br /> again, to the dummy_udc_async_callbacks() routine, which takes care of<br /> enabling and disabling emulated interrupt requests. The<br /> synchronization will now run immediately after emulated interrupts are<br /> disabled, which is where it belongs.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: iwlwifi: mvm: don&amp;#39;t send a 6E related command when not supported<br /> <br /> MCC_ALLOWED_AP_TYPE_CMD is related to 6E support. Do not send it if the<br /> device doesn&amp;#39;t support 6E.<br /> Apparently, the firmware is mistakenly advertising support for this<br /> command even on AX201 which does not support 6E and then the firmware<br /> crashes.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: spidev: fix lock inversion between spi_lock and buf_lock<br /> <br /> The spidev driver previously used two mutexes, spi_lock and buf_lock,<br /> but acquired them in different orders depending on the code path:<br /> <br /> write()/read(): buf_lock -&gt; spi_lock<br /> ioctl(): spi_lock -&gt; buf_lock<br /> <br /> This AB-BA locking pattern triggers lockdep warnings and can<br /> cause real deadlocks:<br /> <br /> WARNING: possible circular locking dependency detected<br /> spidev_ioctl() -&gt; mutex_lock(&amp;spidev-&gt;buf_lock)<br /> spidev_sync_write() -&gt; mutex_lock(&amp;spidev-&gt;spi_lock)<br /> *** DEADLOCK ***<br /> <br /> The issue is reproducible with a simple userspace program that<br /> performs write() and SPI_IOC_WR_MAX_SPEED_HZ ioctl() calls from<br /> separate threads on the same spidev file descriptor.<br /> <br /> Fix this by simplifying the locking model and removing the lock<br /> inversion entirely. spidev_sync() no longer performs any locking,<br /> and all callers serialize access using spi_lock.<br /> <br /> buf_lock is removed since its functionality is fully covered by<br /> spi_lock, eliminating the possibility of lock ordering issues.<br /> <br /> This removes the lock inversion and prevents deadlocks without<br /> changing userspace ABI or behaviour.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Properly mark live registers for indirect jumps<br /> <br /> For a `gotox rX` instruction the rX register should be marked as used<br /> in the compute_insn_live_regs() function. Fix this.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: solo6x10: Check for out of bounds chip_id<br /> <br /> Clang with CONFIG_UBSAN_SHIFT=y noticed a condition where a signed type<br /> (literal "1" is an "int") could end up being shifted beyond 32 bits,<br /> so instrumentation was added (and due to the double is_tw286x() call<br /> seen via inlining), Clang decides the second one must now be undefined<br /> behavior and elides the rest of the function[1]. This is a known problem<br /> with Clang (that is still being worked on), but we can avoid the entire<br /> problem by actually checking the existing max chip ID, and now there is<br /> no runtime instrumentation added at all since everything is known to be<br /> within bounds.<br /> <br /> Additionally use an unsigned value for the shift to remove the<br /> instrumentation even without the explicit bounds checking.<br /> <br /> [hverkuil: fix checkpatch warning for is_tw286x]