Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> timers: Fix NULL function pointer race in timer_shutdown_sync()<br /> <br /> There is a race condition between timer_shutdown_sync() and timer<br /> expiration that can lead to hitting a WARN_ON in expire_timers().<br /> <br /> The issue occurs when timer_shutdown_sync() clears the timer function<br /> to NULL while the timer is still running on another CPU. The race<br /> scenario looks like this:<br /> <br /> CPU0 CPU1<br /> <br /> lock_timer_base()<br /> expire_timers()<br /> base-&gt;running_timer = timer;<br /> unlock_timer_base()<br /> [call_timer_fn enter]<br /> mod_timer()<br /> ...<br /> timer_shutdown_sync()<br /> lock_timer_base()<br /> // For now, will not detach the timer but only clear its function to NULL<br /> if (base-&gt;running_timer != timer)<br /> ret = detach_if_pending(timer, base, true);<br /> if (shutdown)<br /> timer-&gt;function = NULL;<br /> unlock_timer_base()<br /> [call_timer_fn exit]<br /> lock_timer_base()<br /> base-&gt;running_timer = NULL;<br /> unlock_timer_base()<br /> ...<br /> // Now timer is pending while its function set to NULL.<br /> // next timer trigger<br /> <br /> expire_timers()<br /> WARN_ON_ONCE(!fn) // hit<br /> ...<br /> lock_timer_base()<br /> // Now timer will detach<br /> if (base-&gt;running_timer != timer)<br /> ret = detach_if_pending(timer, base, true);<br /> if (shutdown)<br /> timer-&gt;function = NULL;<br /> unlock_timer_base()<br /> <br /> The problem is that timer_shutdown_sync() clears the timer function<br /> regardless of whether the timer is currently running. This can leave a<br /> pending timer with a NULL function pointer, which triggers the<br /> WARN_ON_ONCE(!fn) check in expire_timers().<br /> <br /> Fix this by only clearing the timer function when actually detaching the<br /> timer. If the timer is running, leave the function pointer intact, which is<br /> safe because the timer will be properly detached when it finishes running.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: fix PTP cleanup on driver removal in error path<br /> <br /> Improve the cleanup on releasing PTP resources in error path.<br /> The error case might happen either at the driver probe and PTP<br /> feature initialization or on PTP restart (errors in reset handling, NVM<br /> update etc). In both cases, calls to PF PTP cleanup (ice_ptp_cleanup_pf<br /> function) and &amp;#39;ps_lock&amp;#39; mutex deinitialization were missed.<br /> Additionally, ptp clock was not unregistered in the latter case.<br /> <br /> Keep PTP state as &amp;#39;uninitialized&amp;#39; on init to distinguish between error<br /> scenarios and to avoid resource release duplication at driver removal.<br /> <br /> The consequence of missing ice_ptp_cleanup_pf call is the following call<br /> trace dumped when ice_adapter object is freed (port list is not empty,<br /> as it is required at this stage):<br /> <br /> [ T93022] ------------[ cut here ]------------<br /> [ T93022] WARNING: CPU: 10 PID: 93022 at<br /> ice/ice_adapter.c:67 ice_adapter_put+0xef/0x100 [ice]<br /> ...<br /> [ T93022] RIP: 0010:ice_adapter_put+0xef/0x100 [ice]<br /> ...<br /> [ T93022] Call Trace:<br /> [ T93022] <br /> [ T93022] ? ice_adapter_put+0xef/0x100 [ice<br /> 33d2647ad4f6d866d41eefff1806df37c68aef0c]<br /> [ T93022] ? __warn.cold+0xb0/0x10e<br /> [ T93022] ? ice_adapter_put+0xef/0x100 [ice<br /> 33d2647ad4f6d866d41eefff1806df37c68aef0c]<br /> [ T93022] ? report_bug+0xd8/0x150<br /> [ T93022] ? handle_bug+0xe9/0x110<br /> [ T93022] ? exc_invalid_op+0x17/0x70<br /> [ T93022] ? asm_exc_invalid_op+0x1a/0x20<br /> [ T93022] ? ice_adapter_put+0xef/0x100 [ice<br /> 33d2647ad4f6d866d41eefff1806df37c68aef0c]<br /> [ T93022] pci_device_remove+0x42/0xb0<br /> [ T93022] device_release_driver_internal+0x19f/0x200<br /> [ T93022] driver_detach+0x48/0x90<br /> [ T93022] bus_remove_driver+0x70/0xf0<br /> [ T93022] pci_unregister_driver+0x42/0xb0<br /> [ T93022] ice_module_exit+0x10/0xdb0 [ice<br /> 33d2647ad4f6d866d41eefff1806df37c68aef0c]<br /> ...<br /> [ T93022] ---[ end trace 0000000000000000 ]---<br /> [ T93022] ice: module unloaded

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> LoongArch: BPF: Disable trampoline for kernel module function trace<br /> <br /> The current LoongArch BPF trampoline implementation is incompatible<br /> with tracing functions in kernel modules. This causes several severe<br /> and user-visible problems:<br /> <br /> * The `bpf_selftests/module_attach` test fails consistently.<br /> * Kernel lockup when a BPF program is attached to a module function [1].<br /> * Critical kernel modules like WireGuard experience traffic disruption<br /> when their functions are traced with fentry [2].<br /> <br /> Given the severity and the potential for other unknown side-effects, it<br /> is safest to disable the feature entirely for now. This patch prevents<br /> the BPF subsystem from allowing trampoline attachments to kernel module<br /> functions on LoongArch.<br /> <br /> This is a temporary mitigation until the core issues in the trampoline<br /> code for kernel module handling can be identified and fixed.<br /> <br /> [root@fedora bpf]# ./test_progs -a module_attach -v<br /> bpf_testmod.ko is already unloaded.<br /> Loading bpf_testmod.ko...<br /> Successfully loaded bpf_testmod.ko.<br /> test_module_attach:PASS:skel_open 0 nsec<br /> test_module_attach:PASS:set_attach_target 0 nsec<br /> test_module_attach:PASS:set_attach_target_explicit 0 nsec<br /> test_module_attach:PASS:skel_load 0 nsec<br /> libbpf: prog &amp;#39;handle_fentry&amp;#39;: failed to attach: -ENOTSUPP<br /> libbpf: prog &amp;#39;handle_fentry&amp;#39;: failed to auto-attach: -ENOTSUPP<br /> test_module_attach:FAIL:skel_attach skeleton attach failed: -524<br /> Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED<br /> Successfully unloaded bpf_testmod.ko.<br /> <br /> [1]: https://lore.kernel.org/loongarch/CAK3+h2wDmpC-hP4u4pJY8T-yfKyk4yRzpu2LMO+C13FMT58oqQ@mail.gmail.com/<br /> [2]: https://lore.kernel.org/loongarch/CAK3+h2wYcpc+OwdLDUBvg2rF9rvvyc5amfHT-KcFaK93uoELPg@mail.gmail.com/

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: pegasus-notetaker - fix potential out-of-bounds access<br /> <br /> In the pegasus_notetaker driver, the pegasus_probe() function allocates<br /> the URB transfer buffer using the wMaxPacketSize value from<br /> the endpoint descriptor. An attacker can use a malicious USB descriptor<br /> to force the allocation of a very small buffer.<br /> <br /> Subsequently, if the device sends an interrupt packet with a specific<br /> pattern (e.g., where the first byte is 0x80 or 0x42),<br /> the pegasus_parse_packet() function parses the packet without checking<br /> the allocated buffer size. This leads to an out-of-bounds memory access.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvme-multipath: fix lockdep WARN due to partition scan work<br /> <br /> Blktests test cases nvme/014, 057 and 058 fail occasionally due to a<br /> lockdep WARN. As reported in the Closes tag URL, the WARN indicates that<br /> a deadlock can happen due to the dependency among disk-&gt;open_mutex,<br /> kblockd workqueue completion and partition_scan_work completion.<br /> <br /> To avoid the lockdep WARN and the potential deadlock, cut the dependency<br /> by running the partition_scan_work not by kblockd workqueue but by<br /> nvme_wq.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksm: use range-walk function to jump over holes in scan_get_next_rmap_item<br /> <br /> Currently, scan_get_next_rmap_item() walks every page address in a VMA to<br /> locate mergeable pages. This becomes highly inefficient when scanning<br /> large virtual memory areas that contain mostly unmapped regions, causing<br /> ksmd to use large amount of cpu without deduplicating much pages.<br /> <br /> This patch replaces the per-address lookup with a range walk using<br /> walk_page_range(). The range walker allows KSM to skip over entire<br /> unmapped holes in a VMA, avoiding unnecessary lookups. This problem was<br /> previously discussed in [1].<br /> <br /> Consider the following test program which creates a 32 TiB mapping in the<br /> virtual address space but only populates a single page:<br /> <br /> #include <br /> #include <br /> #include <br /> <br /> /* 32 TiB */<br /> const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;<br /> <br /> int main() {<br /> char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,<br /> MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);<br /> <br /> if (area == MAP_FAILED) {<br /> perror("mmap() failed\n");<br /> return -1;<br /> }<br /> <br /> /* Populate a single page such that we get an anon_vma. */<br /> *area = 0;<br /> <br /> /* Enable KSM. */<br /> madvise(area, size, MADV_MERGEABLE);<br /> pause();<br /> return 0;<br /> }<br /> <br /> $ ./ksm-sparse &amp;<br /> $ echo 1 &gt; /sys/kernel/mm/ksm/run <br /> <br /> Without this patch ksmd uses 100% of the cpu for a long time (more then 1<br /> hour in my test machine) scanning all the 32 TiB virtual address space<br /> that contain only one mapped page. This makes ksmd essentially deadlocked<br /> not able to deduplicate anything of value. With this patch ksmd walks<br /> only the one mapped page and skips the rest of the 32 TiB virtual address<br /> space, making the scan fast using little cpu.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched_ext: Fix unsafe locking in the scx_dump_state()<br /> <br /> For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted<br /> sleepable spinlock and not disable-irq, so the following scenarios occur:<br /> <br /> inconsistent {IN-HARDIRQ-W} -&gt; {HARDIRQ-ON-W} usage.<br /> irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes:<br /> (&amp;rq-&gt;__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40<br /> {IN-HARDIRQ-W} state was registered at:<br /> lock_acquire+0x1e1/0x510<br /> _raw_spin_lock_nested+0x42/0x80<br /> raw_spin_rq_lock_nested+0x2b/0x40<br /> sched_tick+0xae/0x7b0<br /> update_process_times+0x14c/0x1b0<br /> tick_periodic+0x62/0x1f0<br /> tick_handle_periodic+0x48/0xf0<br /> timer_interrupt+0x55/0x80<br /> __handle_irq_event_percpu+0x20a/0x5c0<br /> handle_irq_event_percpu+0x18/0xc0<br /> handle_irq_event+0xb5/0x150<br /> handle_level_irq+0x220/0x460<br /> __common_interrupt+0xa2/0x1e0<br /> common_interrupt+0xb0/0xd0<br /> asm_common_interrupt+0x2b/0x40<br /> _raw_spin_unlock_irqrestore+0x45/0x80<br /> __setup_irq+0xc34/0x1a30<br /> request_threaded_irq+0x214/0x2f0<br /> hpet_time_init+0x3e/0x60<br /> x86_late_time_init+0x5b/0xb0<br /> start_kernel+0x308/0x410<br /> x86_64_start_reservations+0x1c/0x30<br /> x86_64_start_kernel+0x96/0xa0<br /> common_startup_64+0x13e/0x148<br /> <br /> other info that might help us debug this:<br /> Possible unsafe locking scenario:<br /> <br /> CPU0<br /> ----<br /> lock(&amp;rq-&gt;__lock);<br /> <br /> lock(&amp;rq-&gt;__lock);<br /> <br /> *** DEADLOCK ***<br /> <br /> stack backtrace:<br /> CPU: 0 UID: 0 PID: 27 Comm: irq_work/0<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x8c/0xd0<br /> dump_stack+0x14/0x20<br /> print_usage_bug+0x42e/0x690<br /> mark_lock.part.44+0x867/0xa70<br /> ? __pfx_mark_lock.part.44+0x10/0x10<br /> ? string_nocheck+0x19c/0x310<br /> ? number+0x739/0x9f0<br /> ? __pfx_string_nocheck+0x10/0x10<br /> ? __pfx_check_pointer+0x10/0x10<br /> ? kvm_sched_clock_read+0x15/0x30<br /> ? sched_clock_noinstr+0xd/0x20<br /> ? local_clock_noinstr+0x1c/0xe0<br /> __lock_acquire+0xc4b/0x62b0<br /> ? __pfx_format_decode+0x10/0x10<br /> ? __pfx_string+0x10/0x10<br /> ? __pfx___lock_acquire+0x10/0x10<br /> ? __pfx_vsnprintf+0x10/0x10<br /> lock_acquire+0x1e1/0x510<br /> ? raw_spin_rq_lock_nested+0x2b/0x40<br /> ? __pfx_lock_acquire+0x10/0x10<br /> ? dump_line+0x12e/0x270<br /> ? raw_spin_rq_lock_nested+0x20/0x40<br /> _raw_spin_lock_nested+0x42/0x80<br /> ? raw_spin_rq_lock_nested+0x2b/0x40<br /> raw_spin_rq_lock_nested+0x2b/0x40<br /> scx_dump_state+0x3b3/0x1270<br /> ? finish_task_switch+0x27e/0x840<br /> scx_ops_error_irq_workfn+0x67/0x80<br /> irq_work_single+0x113/0x260<br /> irq_work_run_list.part.3+0x44/0x70<br /> run_irq_workd+0x6b/0x90<br /> ? __pfx_run_irq_workd+0x10/0x10<br /> smpboot_thread_fn+0x529/0x870<br /> ? __pfx_smpboot_thread_fn+0x10/0x10<br /> kthread+0x305/0x3f0<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x40/0x70<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> <br /> This commit therefore use rq_lock_irqsave/irqrestore() to replace<br /> rq_lock/unlock() in the scx_dump_state().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: fix lock warning in amdgpu_userq_fence_driver_process<br /> <br /> Fix a potential deadlock caused by inconsistent spinlock usage<br /> between interrupt and process contexts in the userq fence driver.<br /> <br /> The issue occurs when amdgpu_userq_fence_driver_process() is called<br /> from both:<br /> - Interrupt context: gfx_v11_0_eop_irq() -&gt; amdgpu_userq_fence_driver_process()<br /> - Process context: amdgpu_eviction_fence_suspend_worker() -&gt;<br /> amdgpu_userq_fence_driver_force_completion() -&gt; amdgpu_userq_fence_driver_process()<br /> <br /> In interrupt context, the spinlock was acquired without disabling<br /> interrupts, leaving it in {IN-HARDIRQ-W} state. When the same lock<br /> is acquired in process context, the kernel detects inconsistent<br /> locking since the process context acquisition would enable interrupts<br /> while holding a lock previously acquired in interrupt context.<br /> <br /> Kernel log shows:<br /> [ 4039.310790] inconsistent {IN-HARDIRQ-W} -&gt; {HARDIRQ-ON-W} usage.<br /> [ 4039.310804] kworker/7:2/409 [HC0[0]:SC0[0]:HE1:SE1] takes:<br /> [ 4039.310818] ffff9284e1bed000 (&amp;fence_drv-&gt;fence_list_lock){?...}-{3:3},<br /> [ 4039.310993] {IN-HARDIRQ-W} state was registered at:<br /> [ 4039.311004] lock_acquire+0xc6/0x300<br /> [ 4039.311018] _raw_spin_lock+0x39/0x80<br /> [ 4039.311031] amdgpu_userq_fence_driver_process.part.0+0x30/0x180 [amdgpu]<br /> [ 4039.311146] amdgpu_userq_fence_driver_process+0x17/0x30 [amdgpu]<br /> [ 4039.311257] gfx_v11_0_eop_irq+0x132/0x170 [amdgpu]<br /> <br /> Fix by using spin_lock_irqsave()/spin_unlock_irqrestore() to properly<br /> manage interrupt state regardless of calling context.<br /> <br /> (cherry picked from commit ded3ad780cf97a04927773c4600823b84f7f3cc2)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pmdomain: arm: scmi: Fix genpd leak on provider registration failure<br /> <br /> If of_genpd_add_provider_onecell() fails during probe, the previously<br /> created generic power domains are not removed, leading to a memory leak<br /> and potential kernel crash later in genpd_debug_add().<br /> <br /> Add proper error handling to unwind the initialized domains before<br /> returning from probe to ensure all resources are correctly released on<br /> failure.<br /> <br /> Example crash trace observed without this fix:<br /> <br /> | Unable to handle kernel paging request at virtual address fffffffffffffc70<br /> | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT<br /> | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform<br /> | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> | pc : genpd_debug_add+0x2c/0x160<br /> | lr : genpd_debug_init+0x74/0x98<br /> | Call trace:<br /> | genpd_debug_add+0x2c/0x160 (P)<br /> | genpd_debug_init+0x74/0x98<br /> | do_one_initcall+0xd0/0x2d8<br /> | do_initcall_level+0xa0/0x140<br /> | do_initcalls+0x60/0xa8<br /> | do_basic_setup+0x28/0x40<br /> | kernel_init_freeable+0xe8/0x170<br /> | kernel_init+0x2c/0x140<br /> | ret_from_fork+0x10/0x20

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver<br /> <br /> After restructuring and splitting the HDMI codec driver code, each<br /> HDMI codec driver contains the own build_controls and build_pcms ops.<br /> A copy-n-paste error put the wrong entries for nvhdmi-mcp driver; both<br /> build_controls and build_pcms are swapped. Unfortunately both<br /> callbacks have the very same form, and the compiler didn&amp;#39;t complain<br /> it, either. This resulted in a NULL dereference because the PCM<br /> instance hasn&amp;#39;t been initialized at calling the build_controls<br /> callback.<br /> <br /> Fix it by passing the proper entries.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nft_ct: add seqadj extension for natted connections<br /> <br /> Sequence adjustment may be required for FTP traffic with PASV/EPSV modes.<br /> due to need to re-write packet payload (IP, port) on the ftp control<br /> connection. This can require changes to the TCP length and expected<br /> seq / ack_seq.<br /> <br /> The easiest way to reproduce this issue is with PASV mode.<br /> Example ruleset:<br /> table inet ftp_nat {<br /> ct helper ftp_helper {<br /> type "ftp" protocol tcp<br /> l3proto inet<br /> }<br /> <br /> chain prerouting {<br /> type filter hook prerouting priority 0; policy accept;<br /> tcp dport 21 ct state new ct helper set "ftp_helper"<br /> }<br /> }<br /> table ip nat {<br /> chain prerouting {<br /> type nat hook prerouting priority -100; policy accept;<br /> tcp dport 21 dnat ip prefix to ip daddr map {<br /> 192.168.100.1 : 192.168.13.2/32 }<br /> }<br /> <br /> chain postrouting {<br /> type nat hook postrouting priority 100 ; policy accept;<br /> tcp sport 21 snat ip prefix to ip saddr map {<br /> 192.168.13.2 : 192.168.100.1/32 }<br /> }<br /> }<br /> <br /> Note that the ftp helper gets assigned *after* the dnat setup.<br /> <br /> The inverse (nat after helper assign) is handled by an existing<br /> check in nf_nat_setup_info() and will not show the problem.<br /> <br /> Topoloy:<br /> <br /> +-------------------+ +----------------------------------+<br /> | FTP: 192.168.13.2 | | NAT: 192.168.13.3, 192.168.100.1 |<br /> +-------------------+ +----------------------------------+<br /> |<br /> +-----------------------+<br /> | Client: 192.168.100.2 |<br /> +-----------------------+<br /> <br /> ftp nat changes do not work as expected in this case:<br /> Connected to 192.168.100.1.<br /> [..]<br /> ftp&gt; epsv<br /> EPSV/EPRT on IPv4 off.<br /> ftp&gt; ls<br /> 227 Entering passive mode (192,168,100,1,209,129).<br /> 421 Service not available, remote server has closed connection.<br /> <br /> Kernel logs:<br /> Missing nfct_seqadj_ext_add() setup call<br /> WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41<br /> [..]<br /> __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]<br /> nf_nat_ftp+0x142/0x280 [nf_nat_ftp]<br /> help+0x4d1/0x880 [nf_conntrack_ftp]<br /> nf_confirm+0x122/0x2e0 [nf_conntrack]<br /> nf_hook_slow+0x3c/0xb0<br /> ..<br /> <br /> Fix this by adding the required extension when a conntrack helper is assigned<br /> to a connection that has a nat binding.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/guc: Synchronize Dead CT worker with unbind<br /> <br /> Cancel and wait for any Dead CT worker to complete before continuing<br /> with device unbinding. Else the worker will end up using resources freed<br /> by the undind operation.<br /> <br /> (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)