Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()<br /> <br /> With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER<br /> for FW trace data type that has not been initialized. This will result<br /> in a crash in bnxt_bs_trace_type_wrap(). Add a guard to check for a<br /> valid magic_byte pointer before proceeding.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crash: fix crashkernel resource shrink<br /> <br /> When crashkernel is configured with a high reservation, shrinking its<br /> value below the low crashkernel reservation causes two issues:<br /> <br /> 1. Invalid crashkernel resource objects<br /> 2. Kernel crash if crashkernel shrinking is done twice<br /> <br /> For example, with crashkernel=200M,high, the kernel reserves 200MB of high<br /> memory and some default low memory (say 256MB). The reservation appears<br /> as:<br /> <br /> cat /proc/iomem | grep -i crash<br /> af000000-beffffff : Crash kernel<br /> 433000000-43f7fffff : Crash kernel<br /> <br /> If crashkernel is then shrunk to 50MB (echo 52428800 &gt;<br /> /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved:<br /> af000000-beffffff : Crash kernel<br /> <br /> Instead, it should show 50MB:<br /> af000000-b21fffff : Crash kernel<br /> <br /> Further shrinking crashkernel to 40MB causes a kernel crash with the<br /> following trace (x86):<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000038<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> <br /> Call Trace: <br /> ? __die_body.cold+0x19/0x27<br /> ? page_fault_oops+0x15a/0x2f0<br /> ? search_module_extables+0x19/0x60<br /> ? search_bpf_extables+0x5f/0x80<br /> ? exc_page_fault+0x7e/0x180<br /> ? asm_exc_page_fault+0x26/0x30<br /> ? __release_resource+0xd/0xb0<br /> release_resource+0x26/0x40<br /> __crash_shrink_memory+0xe5/0x110<br /> crash_shrink_memory+0x12a/0x190<br /> kexec_crash_size_store+0x41/0x80<br /> kernfs_fop_write_iter+0x141/0x1f0<br /> vfs_write+0x294/0x460<br /> ksys_write+0x6d/0xf0<br /> <br /> <br /> This happens because __crash_shrink_memory()/kernel/crash_core.c<br /> incorrectly updates the crashk_res resource object even when<br /> crashk_low_res should be updated.<br /> <br /> Fix this by ensuring the correct crashkernel resource object is updated<br /> when shrinking crashkernel memory.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext<br /> <br /> When alloc_slab_obj_exts() fails and then later succeeds in allocating a<br /> slab extension vector, it calls handle_failed_objexts_alloc() to mark all<br /> objects in the vector as empty. As a result all objects in this slab<br /> (slabA) will have their extensions set to CODETAG_EMPTY.<br /> <br /> Later on if this slabA is used to allocate a slabobj_ext vector for<br /> another slab (slabB), we end up with the slabB-&gt;obj_exts pointing to a<br /> slabobj_ext vector that itself has a non-NULL slabobj_ext equal to<br /> CODETAG_EMPTY. When slabB gets freed, free_slab_obj_exts() is called to<br /> free slabB-&gt;obj_exts vector. <br /> <br /> free_slab_obj_exts() calls mark_objexts_empty(slabB-&gt;obj_exts) which will<br /> generate a warning because it expects slabobj_ext vectors to have a NULL<br /> obj_ext, not CODETAG_EMPTY.<br /> <br /> Modify mark_objexts_empty() to skip the warning and setting the obj_ext<br /> value if it&amp;#39;s already set to CODETAG_EMPTY.<br /> <br /> <br /> To quickly detect this WARN, I modified the code from<br /> WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);<br /> <br /> We then obtained this message:<br /> <br /> [21630.898561] ------------[ cut here ]------------<br /> [21630.898596] kernel BUG at mm/slub.c:2050!<br /> [21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP<br /> [21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 <br /> vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap <br /> vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace <br /> netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs <br /> blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel <br /> udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib <br /> nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct <br /> nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 <br /> nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink <br /> virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper <br /> drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi <br /> net_failover virtio_console failover virtio_mmio dm_mirror <br /> dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci <br /> virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 <br /> aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject]<br /> [21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: <br /> loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary)<br /> [21630.910495] Tainted: [W]=WARN<br /> [21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown <br /> 2/2/2022<br /> [21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS <br /> BTYPE=--)<br /> [21630.912392] pc : __free_slab+0x228/0x250<br /> [21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : <br /> ffff8000a02f73e0<br /> [21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: <br /> ffff0000c0011c40<br /> [21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: <br /> ffff000102199b40<br /> [21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: <br /> ffff0000c0011c40<br /> [21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: <br /> 0000000000000000<br /> [21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: <br /> 0000000000000000<br /> [21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: <br /> ffff70001405ee66<br /> [21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : <br /> ffff800080a295dc<br /> [21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : <br /> 0000000000003000<br /> [21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : <br /> 0000000000000007<br /> [21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : <br /> 0000000000000001<br /> [21630.921810] Call trace:<br /> [21630.922130]  __free_slab+0x228/0x250 (P)<br /> [21630.922669]  free_slab+0x38/0x118<br /> [21630.923079]  free_to_partial_list+0x1d4/0x340<br /> [21630.923591]  __slab_free+0x24c/0x348<br /> [21630.924024]  ___cache_free+0xf0/0x110<br /> [21630.924468]  qlist_free_all+0x78/0x130<br /> [21630.924922]  kasan_quarantine_reduce+0x11<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Add bpf_prog_run_data_pointers()<br /> <br /> syzbot found that cls_bpf_classify() is able to change<br /> tc_skb_cb(skb)-&gt;drop_reason triggering a warning in sk_skb_reason_drop().<br /> <br /> WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]<br /> WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214<br /> <br /> struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:<br /> Extend qdisc control block with tc control block"), which added a wrong<br /> interaction with db58ba459202 ("bpf: wire in data and data_end for<br /> cls_act_bpf").<br /> <br /> drop_reason was added later.<br /> <br /> Add bpf_prog_run_data_pointers() helper to save/restore the net_sched<br /> storage colliding with BPF data_meta/data_end.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: remove two invalid BUG_ON()s<br /> <br /> Those can be triggered trivially by userspace.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfs4_setup_readdir(): insufficient locking for -&gt;d_parent-&gt;d_inode dereferencing<br /> <br /> Theoretically it&amp;#39;s an oopsable race, but I don&amp;#39;t believe one can manage<br /> to hit it on real hardware; might become doable on a KVM, but it still<br /> won&amp;#39;t be easy to attack.<br /> <br /> Anyway, it&amp;#39;s easy to deal with - since xdr_encode_hyper() is just a call of<br /> put_unaligned_be64(), we can put that under -&gt;d_lock and be done with that.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up<br /> <br /> The function ring_buffer_map_get_reader() is a bit more strict than the<br /> other get reader functions, and except for certain situations the<br /> rb_get_reader_page() should not return NULL. If it does, it triggers a<br /> warning.<br /> <br /> This warning was triggering but after looking at why, it was because<br /> another acceptable situation was happening and it wasn&amp;#39;t checked for.<br /> <br /> If the reader catches up to the writer and there&amp;#39;s still data to be read<br /> on the reader page, then the rb_get_reader_page() will return NULL as<br /> there&amp;#39;s no new page to get.<br /> <br /> In this situation, the reader page should not be updated and no warning<br /> should trigger.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: mdio: Check regmap pointer returned by device_node_to_regmap()<br /> <br /> The call to device_node_to_regmap() in airoha_mdio_probe() can return<br /> an ERR_PTR() if regmap initialization fails. Currently, the driver<br /> stores the pointer without validation, which could lead to a crash<br /> if it is later dereferenced.<br /> <br /> Add an IS_ERR() check and return the corresponding error code to make<br /> the probe path more robust.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()<br /> <br /> Use RCU to avoid a pair of atomic operations and a potential<br /> UAF on dst_dev()-&gt;flags.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/msm: Fix GEM free for imported dma-bufs<br /> <br /> Imported dma-bufs also have obj-&gt;resv != &amp;obj-&gt;_resv. So we should<br /> check both this condition in addition to flags for handling the<br /> _NO_SHARE case.<br /> <br /> Fixes this splat that was reported with IRIS video playback:<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]<br /> CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT<br /> pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)<br /> pc : msm_gem_free_object+0x1f8/0x264 [msm]<br /> lr : msm_gem_free_object+0x138/0x264 [msm]<br /> sp : ffff800092a1bb30<br /> x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08<br /> x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6<br /> x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200<br /> x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000<br /> x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540<br /> x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000<br /> x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f<br /> x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020<br /> x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032<br /> x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8<br /> Call trace:<br /> msm_gem_free_object+0x1f8/0x264 [msm] (P)<br /> drm_gem_object_free+0x1c/0x30 [drm]<br /> drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]<br /> drm_gem_object_release_handle+0x5c/0xcc [drm]<br /> drm_gem_handle_delete+0x68/0xbc [drm]<br /> drm_gem_close_ioctl+0x34/0x40 [drm]<br /> drm_ioctl_kernel+0xc0/0x130 [drm]<br /> drm_ioctl+0x360/0x4e0 [drm]<br /> __arm64_sys_ioctl+0xac/0x104<br /> invoke_syscall+0x48/0x104<br /> el0_svc_common.constprop.0+0x40/0xe0<br /> do_el0_svc+0x1c/0x28<br /> el0_svc+0x34/0xec<br /> el0t_64_sync_handler+0xa0/0xe4<br /> el0t_64_sync+0x198/0x19c<br /> ---[ end trace 0000000000000000 ]---<br /> ------------[ cut here ]------------<br /> <br /> Patchwork: https://patchwork.freedesktop.org/patch/676273/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()<br /> <br /> kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws<br /> remains NULL while ectx.ws_size is set, leading to a potential NULL<br /> pointer dereference in atom_get_src_int() when accessing WS entries.<br /> <br /> Return -ENOMEM on allocation failure to avoid the NULL dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> udp_tunnel: use netdev_warn() instead of netdev_WARN()<br /> <br /> netdev_WARN() uses WARN/WARN_ON to print a backtrace along with<br /> file and line information. In this case, udp_tunnel_nic_register()<br /> returning an error is just a failed operation, not a kernel bug.<br /> <br /> udp_tunnel_nic_register() can fail due to a memory allocation<br /> failure (kzalloc() or udp_tunnel_nic_alloc()).<br /> This is a normal runtime error and not a kernel bug.<br /> <br /> Replace netdev_WARN() with netdev_warn() accordingly.