Vulnerabilities

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fat: fix uninitialized field in nostale filehandles<br /> <br /> When fat_encode_fh_nostale() encodes file handle without a parent it<br /> stores only first 10 bytes of the file handle. However the length of the<br /> file handle must be a multiple of 4 so the file handle is actually 12<br /> bytes long and the last two bytes remain uninitialized. This is not<br /> great at we potentially leak uninitialized information with the handle<br /> to userspace. Properly initialize the full handle length.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfs: fix UAF in direct writes<br /> <br /> In production we have been hitting the following warning consistently<br /> <br /> ------------[ cut here ]------------<br /> refcount_t: underflow; use-after-free.<br /> WARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0<br /> Workqueue: nfsiod nfs_direct_write_schedule_work [nfs]<br /> RIP: 0010:refcount_warn_saturate+0x9c/0xe0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? __warn+0x9f/0x130<br /> ? refcount_warn_saturate+0x9c/0xe0<br /> ? report_bug+0xcc/0x150<br /> ? handle_bug+0x3d/0x70<br /> ? exc_invalid_op+0x16/0x40<br /> ? asm_exc_invalid_op+0x16/0x20<br /> ? refcount_warn_saturate+0x9c/0xe0<br /> nfs_direct_write_schedule_work+0x237/0x250 [nfs]<br /> process_one_work+0x12f/0x4a0<br /> worker_thread+0x14e/0x3b0<br /> ? ZSTD_getCParams_internal+0x220/0x220<br /> kthread+0xdc/0x120<br /> ? __btf_name_valid+0xa0/0xa0<br /> ret_from_fork+0x1f/0x30<br /> <br /> This is because we&amp;#39;re completing the nfs_direct_request twice in a row.<br /> <br /> The source of this is when we have our commit requests to submit, we<br /> process them and send them off, and then in the completion path for the<br /> commit requests we have<br /> <br /> if (nfs_commit_end(cinfo.mds))<br /> nfs_direct_write_complete(dreq);<br /> <br /> However since we&amp;#39;re submitting asynchronous requests we sometimes have<br /> one that completes before we submit the next one, so we end up calling<br /> complete on the nfs_direct_request twice.<br /> <br /> The only other place we use nfs_generic_commit_list() is in<br /> __nfs_commit_inode, which wraps this call in a<br /> <br /> nfs_commit_begin();<br /> nfs_commit_end();<br /> <br /> Which is a common pattern for this style of completion handling, one<br /> that is also repeated in the direct code with get_dreq()/put_dreq()<br /> calls around where we process events as well as in the completion paths.<br /> <br /> Fix this by using the same pattern for the commit requests.<br /> <br /> Before with my 200 node rocksdb stress running this warning would pop<br /> every 10ish minutes. With my patch the stress test has been running for<br /> several hours without popping.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: btnxpuart: Fix btnxpuart_close<br /> <br /> Fix scheduling while atomic BUG in btnxpuart_close(), properly<br /> purge the transmit queue and free the receive skb.<br /> <br /> [ 10.973809] BUG: scheduling while atomic: kworker/u9:0/80/0x00000002<br /> ...<br /> [ 10.980740] CPU: 3 PID: 80 Comm: kworker/u9:0 Not tainted 6.8.0-rc7-0.0.0-devel-00005-g61fdfceacf09 #1<br /> [ 10.980751] Hardware name: Toradex Verdin AM62 WB on Dahlia Board (DT)<br /> [ 10.980760] Workqueue: hci0 hci_power_off [bluetooth]<br /> [ 10.981169] Call trace:<br /> ...<br /> [ 10.981363] uart_update_mctrl+0x58/0x78<br /> [ 10.981373] uart_dtr_rts+0x104/0x114<br /> [ 10.981381] tty_port_shutdown+0xd4/0xdc<br /> [ 10.981396] tty_port_close+0x40/0xbc<br /> [ 10.981407] uart_close+0x34/0x9c<br /> [ 10.981414] ttyport_close+0x50/0x94<br /> [ 10.981430] serdev_device_close+0x40/0x50<br /> [ 10.981442] btnxpuart_close+0x24/0x98 [btnxpuart]<br /> [ 10.981469] hci_dev_close_sync+0x2d8/0x718 [bluetooth]<br /> [ 10.981728] hci_dev_do_close+0x2c/0x70 [bluetooth]<br /> [ 10.981862] hci_power_off+0x20/0x64 [bluetooth]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: swap: fix race between free_swap_and_cache() and swapoff()<br /> <br /> There was previously a theoretical window where swapoff() could run and<br /> teardown a swap_info_struct while a call to free_swap_and_cache() was<br /> running in another thread. This could cause, amongst other bad<br /> possibilities, swap_page_trans_huge_swapped() (called by<br /> free_swap_and_cache()) to access the freed memory for swap_map.<br /> <br /> This is a theoretical problem and I haven&amp;#39;t been able to provoke it from a<br /> test case. But there has been agreement based on code review that this is<br /> possible (see link below).<br /> <br /> Fix it by using get_swap_device()/put_swap_device(), which will stall<br /> swapoff(). There was an extra check in _swap_info_get() to confirm that<br /> the swap entry was not free. This isn&amp;#39;t present in get_swap_device()<br /> because it doesn&amp;#39;t make sense in general due to the race between getting<br /> the reference and swapoff. So I&amp;#39;ve added an equivalent check directly in<br /> free_swap_and_cache().<br /> <br /> Details of how to provoke one possible issue (thanks to David Hildenbrand<br /> for deriving this):<br /> <br /> --8try_to_unuse() will stop as soon as soon as si-&gt;inuse_pages==0.<br /> <br /> So the question is: could someone reclaim the folio and turn<br /> si-&gt;inuse_pages==0, before we completed swap_page_trans_huge_swapped().<br /> <br /> Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are<br /> still references by swap entries.<br /> <br /> Process 1 still references subpage 0 via swap entry.<br /> Process 2 still references subpage 1 via swap entry.<br /> <br /> Process 1 quits. Calls free_swap_and_cache().<br /> -&gt; count == SWAP_HAS_CACHE<br /> [then, preempted in the hypervisor etc.]<br /> <br /> Process 2 quits. Calls free_swap_and_cache().<br /> -&gt; count == SWAP_HAS_CACHE<br /> <br /> Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls<br /> __try_to_reclaim_swap().<br /> <br /> __try_to_reclaim_swap()-&gt;folio_free_swap()-&gt;delete_from_swap_cache()-&gt;<br /> put_swap_folio()-&gt;free_swap_slot()-&gt;swapcache_free_entries()-&gt;<br /> swap_entry_free()-&gt;swap_range_free()-&gt;<br /> ...<br /> WRITE_ONCE(si-&gt;inuse_pages, si-&gt;inuse_pages - nr_entries);<br /> <br /> What stops swapoff to succeed after process 2 reclaimed the swap cache<br /> but before process1 finished its call to swap_page_trans_huge_swapped()?<br /> <br /> --8

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mac802154: fix llsec key resources release in mac802154_llsec_key_del<br /> <br /> mac802154_llsec_key_del() can free resources of a key directly without<br /> following the RCU rules for waiting before the end of a grace period. This<br /> may lead to use-after-free in case llsec_lookup_key() is traversing the<br /> list of keys in parallel with a key deletion:<br /> <br /> refcount_t: addition on 0; use-after-free.<br /> WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0<br /> Modules linked in:<br /> CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014<br /> RIP: 0010:refcount_warn_saturate+0x162/0x2a0<br /> Call Trace:<br /> <br /> llsec_lookup_key.isra.0+0x890/0x9e0<br /> mac802154_llsec_encrypt+0x30c/0x9c0<br /> ieee802154_subif_start_xmit+0x24/0x1e0<br /> dev_hard_start_xmit+0x13e/0x690<br /> sch_direct_xmit+0x2ae/0xbc0<br /> __dev_queue_xmit+0x11dd/0x3c20<br /> dgram_sendmsg+0x90b/0xd60<br /> __sys_sendto+0x466/0x4c0<br /> __x64_sys_sendto+0xe0/0x1c0<br /> do_syscall_64+0x45/0xf0<br /> entry_SYSCALL_64_after_hwframe+0x6e/0x76<br /> <br /> Also, ieee802154_llsec_key_entry structures are not freed by<br /> mac802154_llsec_key_del():<br /> <br /> unreferenced object 0xffff8880613b6980 (size 64):<br /> comm "iwpan", pid 2176, jiffies 4294761134 (age 60.475s)<br /> hex dump (first 32 bytes):<br /> 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......".......<br /> 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................<br /> backtrace:<br /> [] __kmem_cache_alloc_node+0x1e2/0x2d0<br /> [] kmalloc_trace+0x25/0xc0<br /> [] mac802154_llsec_key_add+0xac9/0xcf0<br /> [] ieee802154_add_llsec_key+0x5a/0x80<br /> [] nl802154_add_llsec_key+0x426/0x5b0<br /> [] genl_family_rcv_msg_doit+0x1fe/0x2f0<br /> [] genl_rcv_msg+0x531/0x7d0<br /> [] netlink_rcv_skb+0x169/0x440<br /> [] genl_rcv+0x28/0x40<br /> [] netlink_unicast+0x53c/0x820<br /> [] netlink_sendmsg+0x93b/0xe60<br /> [] ____sys_sendmsg+0xac5/0xca0<br /> [] ___sys_sendmsg+0x11d/0x1c0<br /> [] __sys_sendmsg+0xfa/0x1d0<br /> [] do_syscall_64+0x45/0xf0<br /> [] entry_SYSCALL_64_after_hwframe+0x6e/0x76<br /> <br /> Handle the proper resource release in the RCU callback function<br /> mac802154_llsec_key_del_rcu().<br /> <br /> Note that if llsec_lookup_key() finds a key, it gets a refcount via<br /> llsec_key_get() and locally copies key id from key_entry (which is a<br /> list element). So it&amp;#39;s safe to call llsec_key_put() and free the list<br /> entry after the RCU grace period elapses.<br /> <br /> Found by Linux Verification Center (linuxtesting.org).

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape<br /> <br /> For raid456, if reshape is still in progress, then IO across reshape<br /> position will wait for reshape to make progress. However, for dm-raid,<br /> in following cases reshape will never make progress hence IO will hang:<br /> <br /> 1) the array is read-only;<br /> 2) MD_RECOVERY_WAIT is set;<br /> 3) MD_RECOVERY_FROZEN is set;<br /> <br /> After commit c467e97f079f ("md/raid6: use valid sector values to determine<br /> if an I/O should wait on the reshape") fix the problem that IO across<br /> reshape position doesn&amp;#39;t wait for reshape, the dm-raid test<br /> shell/lvconvert-raid-reshape.sh start to hang:<br /> <br /> [root@fedora ~]# cat /proc/979/stack<br /> [] wait_woken+0x7d/0x90<br /> [] raid5_make_request+0x929/0x1d70 [raid456]<br /> [] md_handle_request+0xc2/0x3b0 [md_mod]<br /> [] raid_map+0x2c/0x50 [dm_raid]<br /> [] __map_bio+0x251/0x380 [dm_mod]<br /> [] dm_submit_bio+0x1f0/0x760 [dm_mod]<br /> [] __submit_bio+0xc2/0x1c0<br /> [] submit_bio_noacct_nocheck+0x17f/0x450<br /> [] submit_bio_noacct+0x2bc/0x780<br /> [] submit_bio+0x70/0xc0<br /> [] mpage_readahead+0x169/0x1f0<br /> [] blkdev_readahead+0x18/0x30<br /> [] read_pages+0x7c/0x3b0<br /> [] page_cache_ra_unbounded+0x1ab/0x280<br /> [] force_page_cache_ra+0x9e/0x130<br /> [] page_cache_sync_ra+0x3b/0x110<br /> [] filemap_get_pages+0x143/0xa30<br /> [] filemap_read+0xdc/0x4b0<br /> [] blkdev_read_iter+0x75/0x200<br /> [] vfs_read+0x272/0x460<br /> [] ksys_read+0x7a/0x170<br /> [] __x64_sys_read+0x1c/0x30<br /> [] do_syscall_64+0xc6/0x230<br /> [] entry_SYSCALL_64_after_hwframe+0x6c/0x74<br /> <br /> This is because reshape can&amp;#39;t make progress.<br /> <br /> For md/raid, the problem doesn&amp;#39;t exist because register new sync_thread<br /> doesn&amp;#39;t rely on the IO to be done any more:<br /> <br /> 1) If array is read-only, it can switch to read-write by ioctl/sysfs;<br /> 2) md/raid never set MD_RECOVERY_WAIT;<br /> 3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn&amp;#39;t hold<br /> &amp;#39;reconfig_mutex&amp;#39;, hence it can be cleared and reshape can continue by<br /> sysfs api &amp;#39;sync_action&amp;#39;.<br /> <br /> However, I&amp;#39;m not sure yet how to avoid the problem in dm-raid yet. This<br /> patch on the one hand make sure raid_message() can&amp;#39;t change<br /> sync_thread() through raid_message() after presuspend(), on the other<br /> hand detect the above 3 cases before wait for IO do be done in<br /> dm_suspend(), and let dm-raid requeue those IO.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: dwc3-am62: fix module unload/reload behavior<br /> <br /> As runtime PM is enabled, the module can be runtime<br /> suspended when .remove() is called.<br /> <br /> Do a pm_runtime_get_sync() to make sure module is active<br /> before doing any register operations.<br /> <br /> Doing a pm_runtime_put_sync() should disable the refclk<br /> so no need to disable it again.<br /> <br /> Fixes the below warning at module removel.<br /> <br /> [ 39.705310] ------------[ cut here ]------------<br /> [ 39.710004] clk:162:3 already disabled<br /> [ 39.713941] WARNING: CPU: 0 PID: 921 at drivers/clk/clk.c:1090 clk_core_disable+0xb0/0xb8<br /> <br /> We called of_platform_populate() in .probe() so call the<br /> cleanup function of_platform_depopulate() in .remove().<br /> Get rid of the now unnnecessary dwc3_ti_remove_core().<br /> Without this, module re-load doesn&amp;#39;t work properly.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: xhci: Add error handling in xhci_map_urb_for_dma<br /> <br /> Currently xhci_map_urb_for_dma() creates a temporary buffer and copies<br /> the SG list to the new linear buffer. But if the kzalloc_node() fails,<br /> then the following sg_pcopy_to_buffer() can lead to crash since it<br /> tries to memcpy to NULL pointer.<br /> <br /> So return -ENOMEM if kzalloc returns null pointer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: qcom: mmcc-apq8084: fix terminating of frequency table arrays<br /> <br /> The frequency table arrays are supposed to be terminated with an<br /> empty element. Add such entry to the end of the arrays where it<br /> is missing in order to avoid possible out-of-bound access when<br /> the table is traversed by functions like qcom_find_freq() or<br /> qcom_find_freq_floor().<br /> <br /> Only compile tested.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays<br /> <br /> The frequency table arrays are supposed to be terminated with an<br /> empty element. Add such entry to the end of the arrays where it<br /> is missing in order to avoid possible out-of-bound access when<br /> the table is traversed by functions like qcom_find_freq() or<br /> qcom_find_freq_floor().<br /> <br /> Only compile tested.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wireguard: netlink: access device through ctx instead of peer<br /> <br /> The previous commit fixed a bug that led to a NULL peer-&gt;device being<br /> dereferenced. It&amp;#39;s actually easier and faster performance-wise to<br /> instead get the device from ctx-&gt;wg. This semantically makes more sense<br /> too, since ctx-&gt;wg-&gt;peer_allowedips.seq is compared with<br /> ctx-&gt;allowedips_seq, basing them both in ctx. This also acts as a<br /> defence in depth provision against freed peers.