Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: core: Fix a regression triggered by scsi_host_busy()<br /> <br /> Commit 995412e23bb2 ("blk-mq: Replace tags-&gt;lock with SRCU for tag<br /> iterators") introduced the following regression:<br /> <br /> Call trace:<br /> __srcu_read_lock+0x30/0x80 (P)<br /> blk_mq_tagset_busy_iter+0x44/0x300<br /> scsi_host_busy+0x38/0x70<br /> ufshcd_print_host_state+0x34/0x1bc<br /> ufshcd_link_startup.constprop.0+0xe4/0x2e0<br /> ufshcd_init+0x944/0xf80<br /> ufshcd_pltfrm_init+0x504/0x820<br /> ufs_rockchip_probe+0x2c/0x88<br /> platform_probe+0x5c/0xa4<br /> really_probe+0xc0/0x38c<br /> __driver_probe_device+0x7c/0x150<br /> driver_probe_device+0x40/0x120<br /> __driver_attach+0xc8/0x1e0<br /> bus_for_each_dev+0x7c/0xdc<br /> driver_attach+0x24/0x30<br /> bus_add_driver+0x110/0x230<br /> driver_register+0x68/0x130<br /> __platform_driver_register+0x20/0x2c<br /> ufs_rockchip_pltform_init+0x1c/0x28<br /> do_one_initcall+0x60/0x1e0<br /> kernel_init_freeable+0x248/0x2c4<br /> kernel_init+0x20/0x140<br /> ret_from_fork+0x10/0x20<br /> <br /> Fix this regression by making scsi_host_busy() check whether the SCSI<br /> host tag set has already been initialized. tag_set-&gt;ops is set by<br /> scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This<br /> fix is based on the assumption that scsi_host_busy() and<br /> scsi_mq_setup_tags() calls are serialized. This is the case in the UFS<br /> driver.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> lib/test_kho: check if KHO is enabled<br /> <br /> We must check whether KHO is enabled prior to issuing KHO commands,<br /> otherwise KHO internal data structures are not initialized.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksm: use range-walk function to jump over holes in scan_get_next_rmap_item<br /> <br /> Currently, scan_get_next_rmap_item() walks every page address in a VMA to<br /> locate mergeable pages. This becomes highly inefficient when scanning<br /> large virtual memory areas that contain mostly unmapped regions, causing<br /> ksmd to use large amount of cpu without deduplicating much pages.<br /> <br /> This patch replaces the per-address lookup with a range walk using<br /> walk_page_range(). The range walker allows KSM to skip over entire<br /> unmapped holes in a VMA, avoiding unnecessary lookups. This problem was<br /> previously discussed in [1].<br /> <br /> Consider the following test program which creates a 32 TiB mapping in the<br /> virtual address space but only populates a single page:<br /> <br /> #include <br /> #include <br /> #include <br /> <br /> /* 32 TiB */<br /> const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;<br /> <br /> int main() {<br /> char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,<br /> MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);<br /> <br /> if (area == MAP_FAILED) {<br /> perror("mmap() failed\n");<br /> return -1;<br /> }<br /> <br /> /* Populate a single page such that we get an anon_vma. */<br /> *area = 0;<br /> <br /> /* Enable KSM. */<br /> madvise(area, size, MADV_MERGEABLE);<br /> pause();<br /> return 0;<br /> }<br /> <br /> $ ./ksm-sparse &amp;<br /> $ echo 1 &gt; /sys/kernel/mm/ksm/run <br /> <br /> Without this patch ksmd uses 100% of the cpu for a long time (more then 1<br /> hour in my test machine) scanning all the 32 TiB virtual address space<br /> that contain only one mapped page. This makes ksmd essentially deadlocked<br /> not able to deduplicate anything of value. With this patch ksmd walks<br /> only the one mapped page and skips the rest of the 32 TiB virtual address<br /> space, making the scan fast using little cpu.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: Fix uninitialized &amp;#39;offp&amp;#39; in statmount_string()<br /> <br /> In statmount_string(), most flags assign an output offset pointer (offp)<br /> which is later updated with the string offset. However, the<br /> STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the<br /> struct fields instead of using offp. This leaves offp uninitialized,<br /> leading to a possible uninitialized dereference when *offp is updated.<br /> <br /> Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code<br /> path consistent.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> idpf: fix possible vport_config NULL pointer deref in remove<br /> <br /> Attempting to remove the driver will cause a crash in cases where<br /> the vport failed to initialize. Following trace is from an instance where<br /> the driver failed during an attempt to create a VF:<br /> [ 1661.543624] idpf 0000:84:00.7: Device HW Reset initiated<br /> [ 1722.923726] idpf 0000:84:00.7: Transaction timed-out (op:1 cookie:2900 vc_op:1 salt:29 timeout:60000ms)<br /> [ 1723.353263] BUG: kernel NULL pointer dereference, address: 0000000000000028<br /> ...<br /> [ 1723.358472] RIP: 0010:idpf_remove+0x11c/0x200 [idpf]<br /> ...<br /> [ 1723.364973] Call Trace:<br /> [ 1723.365475] <br /> [ 1723.365972] pci_device_remove+0x42/0xb0<br /> [ 1723.366481] device_release_driver_internal+0x1a9/0x210<br /> [ 1723.366987] pci_stop_bus_device+0x6d/0x90<br /> [ 1723.367488] pci_stop_and_remove_bus_device+0x12/0x20<br /> [ 1723.367971] pci_iov_remove_virtfn+0xbd/0x120<br /> [ 1723.368309] sriov_disable+0x34/0xe0<br /> [ 1723.368643] idpf_sriov_configure+0x58/0x140 [idpf]<br /> [ 1723.368982] sriov_numvfs_store+0xda/0x1c0<br /> <br /> Avoid the NULL pointer dereference by adding NULL pointer check for<br /> vport_config[i], before freeing user_config.q_coalesce.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> timers: Fix NULL function pointer race in timer_shutdown_sync()<br /> <br /> There is a race condition between timer_shutdown_sync() and timer<br /> expiration that can lead to hitting a WARN_ON in expire_timers().<br /> <br /> The issue occurs when timer_shutdown_sync() clears the timer function<br /> to NULL while the timer is still running on another CPU. The race<br /> scenario looks like this:<br /> <br /> CPU0 CPU1<br /> <br /> lock_timer_base()<br /> expire_timers()<br /> base-&gt;running_timer = timer;<br /> unlock_timer_base()<br /> [call_timer_fn enter]<br /> mod_timer()<br /> ...<br /> timer_shutdown_sync()<br /> lock_timer_base()<br /> // For now, will not detach the timer but only clear its function to NULL<br /> if (base-&gt;running_timer != timer)<br /> ret = detach_if_pending(timer, base, true);<br /> if (shutdown)<br /> timer-&gt;function = NULL;<br /> unlock_timer_base()<br /> [call_timer_fn exit]<br /> lock_timer_base()<br /> base-&gt;running_timer = NULL;<br /> unlock_timer_base()<br /> ...<br /> // Now timer is pending while its function set to NULL.<br /> // next timer trigger<br /> <br /> expire_timers()<br /> WARN_ON_ONCE(!fn) // hit<br /> ...<br /> lock_timer_base()<br /> // Now timer will detach<br /> if (base-&gt;running_timer != timer)<br /> ret = detach_if_pending(timer, base, true);<br /> if (shutdown)<br /> timer-&gt;function = NULL;<br /> unlock_timer_base()<br /> <br /> The problem is that timer_shutdown_sync() clears the timer function<br /> regardless of whether the timer is currently running. This can leave a<br /> pending timer with a NULL function pointer, which triggers the<br /> WARN_ON_ONCE(!fn) check in expire_timers().<br /> <br /> Fix this by only clearing the timer function when actually detaching the<br /> timer. If the timer is running, leave the function pointer intact, which is<br /> safe because the timer will be properly detached when it finishes running.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: fix PTP cleanup on driver removal in error path<br /> <br /> Improve the cleanup on releasing PTP resources in error path.<br /> The error case might happen either at the driver probe and PTP<br /> feature initialization or on PTP restart (errors in reset handling, NVM<br /> update etc). In both cases, calls to PF PTP cleanup (ice_ptp_cleanup_pf<br /> function) and &amp;#39;ps_lock&amp;#39; mutex deinitialization were missed.<br /> Additionally, ptp clock was not unregistered in the latter case.<br /> <br /> Keep PTP state as &amp;#39;uninitialized&amp;#39; on init to distinguish between error<br /> scenarios and to avoid resource release duplication at driver removal.<br /> <br /> The consequence of missing ice_ptp_cleanup_pf call is the following call<br /> trace dumped when ice_adapter object is freed (port list is not empty,<br /> as it is required at this stage):<br /> <br /> [ T93022] ------------[ cut here ]------------<br /> [ T93022] WARNING: CPU: 10 PID: 93022 at<br /> ice/ice_adapter.c:67 ice_adapter_put+0xef/0x100 [ice]<br /> ...<br /> [ T93022] RIP: 0010:ice_adapter_put+0xef/0x100 [ice]<br /> ...<br /> [ T93022] Call Trace:<br /> [ T93022] <br /> [ T93022] ? ice_adapter_put+0xef/0x100 [ice<br /> 33d2647ad4f6d866d41eefff1806df37c68aef0c]<br /> [ T93022] ? __warn.cold+0xb0/0x10e<br /> [ T93022] ? ice_adapter_put+0xef/0x100 [ice<br /> 33d2647ad4f6d866d41eefff1806df37c68aef0c]<br /> [ T93022] ? report_bug+0xd8/0x150<br /> [ T93022] ? handle_bug+0xe9/0x110<br /> [ T93022] ? exc_invalid_op+0x17/0x70<br /> [ T93022] ? asm_exc_invalid_op+0x1a/0x20<br /> [ T93022] ? ice_adapter_put+0xef/0x100 [ice<br /> 33d2647ad4f6d866d41eefff1806df37c68aef0c]<br /> [ T93022] pci_device_remove+0x42/0xb0<br /> [ T93022] device_release_driver_internal+0x19f/0x200<br /> [ T93022] driver_detach+0x48/0x90<br /> [ T93022] bus_remove_driver+0x70/0xf0<br /> [ T93022] pci_unregister_driver+0x42/0xb0<br /> [ T93022] ice_module_exit+0x10/0xdb0 [ice<br /> 33d2647ad4f6d866d41eefff1806df37c68aef0c]<br /> ...<br /> [ T93022] ---[ end trace 0000000000000000 ]---<br /> [ T93022] ice: module unloaded

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> LoongArch: BPF: Disable trampoline for kernel module function trace<br /> <br /> The current LoongArch BPF trampoline implementation is incompatible<br /> with tracing functions in kernel modules. This causes several severe<br /> and user-visible problems:<br /> <br /> * The `bpf_selftests/module_attach` test fails consistently.<br /> * Kernel lockup when a BPF program is attached to a module function [1].<br /> * Critical kernel modules like WireGuard experience traffic disruption<br /> when their functions are traced with fentry [2].<br /> <br /> Given the severity and the potential for other unknown side-effects, it<br /> is safest to disable the feature entirely for now. This patch prevents<br /> the BPF subsystem from allowing trampoline attachments to kernel module<br /> functions on LoongArch.<br /> <br /> This is a temporary mitigation until the core issues in the trampoline<br /> code for kernel module handling can be identified and fixed.<br /> <br /> [root@fedora bpf]# ./test_progs -a module_attach -v<br /> bpf_testmod.ko is already unloaded.<br /> Loading bpf_testmod.ko...<br /> Successfully loaded bpf_testmod.ko.<br /> test_module_attach:PASS:skel_open 0 nsec<br /> test_module_attach:PASS:set_attach_target 0 nsec<br /> test_module_attach:PASS:set_attach_target_explicit 0 nsec<br /> test_module_attach:PASS:skel_load 0 nsec<br /> libbpf: prog &amp;#39;handle_fentry&amp;#39;: failed to attach: -ENOTSUPP<br /> libbpf: prog &amp;#39;handle_fentry&amp;#39;: failed to auto-attach: -ENOTSUPP<br /> test_module_attach:FAIL:skel_attach skeleton attach failed: -524<br /> Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED<br /> Successfully unloaded bpf_testmod.ko.<br /> <br /> [1]: https://lore.kernel.org/loongarch/CAK3+h2wDmpC-hP4u4pJY8T-yfKyk4yRzpu2LMO+C13FMT58oqQ@mail.gmail.com/<br /> [2]: https://lore.kernel.org/loongarch/CAK3+h2wYcpc+OwdLDUBvg2rF9rvvyc5amfHT-KcFaK93uoELPg@mail.gmail.com/

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: pegasus-notetaker - fix potential out-of-bounds access<br /> <br /> In the pegasus_notetaker driver, the pegasus_probe() function allocates<br /> the URB transfer buffer using the wMaxPacketSize value from<br /> the endpoint descriptor. An attacker can use a malicious USB descriptor<br /> to force the allocation of a very small buffer.<br /> <br /> Subsequently, if the device sends an interrupt packet with a specific<br /> pattern (e.g., where the first byte is 0x80 or 0x42),<br /> the pegasus_parse_packet() function parses the packet without checking<br /> the allocated buffer size. This leads to an out-of-bounds memory access.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvme-multipath: fix lockdep WARN due to partition scan work<br /> <br /> Blktests test cases nvme/014, 057 and 058 fail occasionally due to a<br /> lockdep WARN. As reported in the Closes tag URL, the WARN indicates that<br /> a deadlock can happen due to the dependency among disk-&gt;open_mutex,<br /> kblockd workqueue completion and partition_scan_work completion.<br /> <br /> To avoid the lockdep WARN and the potential deadlock, cut the dependency<br /> by running the partition_scan_work not by kblockd workqueue but by<br /> nvme_wq.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched_ext: Fix unsafe locking in the scx_dump_state()<br /> <br /> For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted<br /> sleepable spinlock and not disable-irq, so the following scenarios occur:<br /> <br /> inconsistent {IN-HARDIRQ-W} -&gt; {HARDIRQ-ON-W} usage.<br /> irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes:<br /> (&amp;rq-&gt;__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40<br /> {IN-HARDIRQ-W} state was registered at:<br /> lock_acquire+0x1e1/0x510<br /> _raw_spin_lock_nested+0x42/0x80<br /> raw_spin_rq_lock_nested+0x2b/0x40<br /> sched_tick+0xae/0x7b0<br /> update_process_times+0x14c/0x1b0<br /> tick_periodic+0x62/0x1f0<br /> tick_handle_periodic+0x48/0xf0<br /> timer_interrupt+0x55/0x80<br /> __handle_irq_event_percpu+0x20a/0x5c0<br /> handle_irq_event_percpu+0x18/0xc0<br /> handle_irq_event+0xb5/0x150<br /> handle_level_irq+0x220/0x460<br /> __common_interrupt+0xa2/0x1e0<br /> common_interrupt+0xb0/0xd0<br /> asm_common_interrupt+0x2b/0x40<br /> _raw_spin_unlock_irqrestore+0x45/0x80<br /> __setup_irq+0xc34/0x1a30<br /> request_threaded_irq+0x214/0x2f0<br /> hpet_time_init+0x3e/0x60<br /> x86_late_time_init+0x5b/0xb0<br /> start_kernel+0x308/0x410<br /> x86_64_start_reservations+0x1c/0x30<br /> x86_64_start_kernel+0x96/0xa0<br /> common_startup_64+0x13e/0x148<br /> <br /> other info that might help us debug this:<br /> Possible unsafe locking scenario:<br /> <br /> CPU0<br /> ----<br /> lock(&amp;rq-&gt;__lock);<br /> <br /> lock(&amp;rq-&gt;__lock);<br /> <br /> *** DEADLOCK ***<br /> <br /> stack backtrace:<br /> CPU: 0 UID: 0 PID: 27 Comm: irq_work/0<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x8c/0xd0<br /> dump_stack+0x14/0x20<br /> print_usage_bug+0x42e/0x690<br /> mark_lock.part.44+0x867/0xa70<br /> ? __pfx_mark_lock.part.44+0x10/0x10<br /> ? string_nocheck+0x19c/0x310<br /> ? number+0x739/0x9f0<br /> ? __pfx_string_nocheck+0x10/0x10<br /> ? __pfx_check_pointer+0x10/0x10<br /> ? kvm_sched_clock_read+0x15/0x30<br /> ? sched_clock_noinstr+0xd/0x20<br /> ? local_clock_noinstr+0x1c/0xe0<br /> __lock_acquire+0xc4b/0x62b0<br /> ? __pfx_format_decode+0x10/0x10<br /> ? __pfx_string+0x10/0x10<br /> ? __pfx___lock_acquire+0x10/0x10<br /> ? __pfx_vsnprintf+0x10/0x10<br /> lock_acquire+0x1e1/0x510<br /> ? raw_spin_rq_lock_nested+0x2b/0x40<br /> ? __pfx_lock_acquire+0x10/0x10<br /> ? dump_line+0x12e/0x270<br /> ? raw_spin_rq_lock_nested+0x20/0x40<br /> _raw_spin_lock_nested+0x42/0x80<br /> ? raw_spin_rq_lock_nested+0x2b/0x40<br /> raw_spin_rq_lock_nested+0x2b/0x40<br /> scx_dump_state+0x3b3/0x1270<br /> ? finish_task_switch+0x27e/0x840<br /> scx_ops_error_irq_workfn+0x67/0x80<br /> irq_work_single+0x113/0x260<br /> irq_work_run_list.part.3+0x44/0x70<br /> run_irq_workd+0x6b/0x90<br /> ? __pfx_run_irq_workd+0x10/0x10<br /> smpboot_thread_fn+0x529/0x870<br /> ? __pfx_smpboot_thread_fn+0x10/0x10<br /> kthread+0x305/0x3f0<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x40/0x70<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> <br /> This commit therefore use rq_lock_irqsave/irqrestore() to replace<br /> rq_lock/unlock() in the scx_dump_state().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: fix lock warning in amdgpu_userq_fence_driver_process<br /> <br /> Fix a potential deadlock caused by inconsistent spinlock usage<br /> between interrupt and process contexts in the userq fence driver.<br /> <br /> The issue occurs when amdgpu_userq_fence_driver_process() is called<br /> from both:<br /> - Interrupt context: gfx_v11_0_eop_irq() -&gt; amdgpu_userq_fence_driver_process()<br /> - Process context: amdgpu_eviction_fence_suspend_worker() -&gt;<br /> amdgpu_userq_fence_driver_force_completion() -&gt; amdgpu_userq_fence_driver_process()<br /> <br /> In interrupt context, the spinlock was acquired without disabling<br /> interrupts, leaving it in {IN-HARDIRQ-W} state. When the same lock<br /> is acquired in process context, the kernel detects inconsistent<br /> locking since the process context acquisition would enable interrupts<br /> while holding a lock previously acquired in interrupt context.<br /> <br /> Kernel log shows:<br /> [ 4039.310790] inconsistent {IN-HARDIRQ-W} -&gt; {HARDIRQ-ON-W} usage.<br /> [ 4039.310804] kworker/7:2/409 [HC0[0]:SC0[0]:HE1:SE1] takes:<br /> [ 4039.310818] ffff9284e1bed000 (&amp;fence_drv-&gt;fence_list_lock){?...}-{3:3},<br /> [ 4039.310993] {IN-HARDIRQ-W} state was registered at:<br /> [ 4039.311004] lock_acquire+0xc6/0x300<br /> [ 4039.311018] _raw_spin_lock+0x39/0x80<br /> [ 4039.311031] amdgpu_userq_fence_driver_process.part.0+0x30/0x180 [amdgpu]<br /> [ 4039.311146] amdgpu_userq_fence_driver_process+0x17/0x30 [amdgpu]<br /> [ 4039.311257] gfx_v11_0_eop_irq+0x132/0x170 [amdgpu]<br /> <br /> Fix by using spin_lock_irqsave()/spin_unlock_irqrestore() to properly<br /> manage interrupt state regardless of calling context.<br /> <br /> (cherry picked from commit ded3ad780cf97a04927773c4600823b84f7f3cc2)