Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
wifi: mt76: fix deadlock in remain-on-channel

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: fix deadlock in remain-on-channel mt76_remain_on_channel() and mt76_roc_complete() call mt76_set_channel() while already holding dev->mutex. Since mt76_set_channel() also acquires dev->mutex, this results in a deadlock. Use __mt76_set_channel() instead of mt76_set_channel(). Add cancel_delayed_work_sync() for mac_work before acquiring the mutex in mt76_remain_on_channel() to prevent a secondary deadlock with the mac_work workqueue.

Affected products

Linux
  • <5fc8c5d45e44575dda9fcabdc2aac4ad97baf0cd
  • =<6.18.*
  • =<7.0.*
  • <7a89c245d203aa0ed5ff2d68ac05b48b2ef9fa3f
  • <6.14
  • =<*
  • ==6.14
  • <6939b97ddad3cf3dfbb3b5a0a12ef79cb886747e
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ipc/shm: serialize orphan cleanup with shm_nattch updates

In the Linux kernel, the following vulnerability has been resolved: ipc/shm: serialize orphan cleanup with shm_nattch updates shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that does not serialize all fields tested by shm_may_destroy(). In particular, shm_nattch is updated while holding shm_perm.lock, and attach paths can do that without holding the rwsem. Do not decide that an orphaned segment is unused before taking the object lock. Move the shm_may_destroy() check under shm_perm.lock, matching the other destroy paths, and unlock the segment when it no longer qualifies for removal.

Affected products

Linux
  • <1f0d01e35dbb228084d5187212e32c91a30dcbeb
  • <92cda2593cf2ed25b0e9d78e5e6d8303bba1a064
  • <3.1
  • =<5.15.*
  • =<6.18.*
  • <030bbc857bd51d4b25a90d931d3f8775ef22823a
  • <b5107b4ce3ad45fcf369ee2058c8910620f4b5a8
  • =<6.12.*
  • =<7.0.*
  • <6560be3f6a5bb84f006f184f0c966747bb58e1a3
  • <db752ebfdaf2c7f27cd9690ef48b616af068319c
  • ==3.1
  • =<*
  • <2e5c6f4fd4001562781e99bbfc7f1f0127187542
  • <b1e9aef48e4d8a0c1b54fb913077b0824ed7d650
  • =<6.1.*
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling

In the Linux kernel, the following vulnerability has been resolved: fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in send_sigio() and send_sigurg() when a process group receives a signal. When FASYNC is configured for a process group (PIDTYPE_PGID), both functions use read_lock(&tasklist_lock) to traverse the task list. However, they are frequently called from softirq context: - send_sigio() via input_inject_event -> kill_fasync - send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ) The deadlock is caused by the rwlock writer fairness mechanism: 1. CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait(). 2. CPU 1 (process context) attempts write_lock(&tasklist_lock) in fork() or exit() and spins, which blocks all new readers. 3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception). 4. The softirq calls send_sigurg() and attempts to acquire read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting. Since PID hashing and do_each_pid_task() traversals are already RCU-protected, the read_lock on tasklist_lock is no longer strictly required for safe traversal. Fix this by replacing tasklist_lock with rcu_read_lock(), aligning the process group signaling path with the single-PID path. This also mitigates a potential remote denial of service vector via TCP URG packets. Lockdep splat: ===================================================== WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected [...] Chain exists of: &dev->event_lock --> &f_owner->lock --> tasklist_lock Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(tasklist_lock); local_irq_disable(); lock(&dev->event_lock); lock(&f_owner->lock); <Interrupt> lock(&dev->event_lock); *** DEADLOCK ***

Affected products

Linux
  • =<6.18.*
  • =<7.1.*
  • <7.0.13
  • <36c1b57b2ecf3c61ac93f5f07bd29b6f21e226ed
  • =<7.0.*
  • <32dbd5ce4be3a3ed7e00f8af18795cc84fc50a33
  • <897d6a7247739fb1528f98c575df4f2e5de7f994
  • <6.18.36
  • =<6.1.*
  • <1bee417678f1135e35b25a37734db46aa94258d2
  • <6.6.143
  • <5.10.259
  • <6.12.94
  • <54626335ea4174ab2d9a183b511d825f6765e47b
  • <b5fa9e32fb6718f70c986ee14dd5d01b4846f331
  • <bfcc8e8d8a495bb34cae9e620adfb75fb13a3954
  • <5.15.210
  • <20a93e397abe850c49b6fa0e8cc827b5f634a8f5
  • =<5.15.*
  • <7.1.1
  • <6.1.176
  • =<6.12.*
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy

In the Linux kernel, the following vulnerability has been resolved: powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy powerpc uses pt_frag_refcount as a reference counter for tracking it's pte and pmd page table fragments. For PTE table, in case of Hash with 64K pagesize, we have 16 fragments of 4K size in one 64K page. Patch series [1] "mm: free retracted page table by RCU" added pte_free_defer() to defer the freeing of PTE tables when retract_page_tables() is called for madvise MADV_COLLAPSE on shmem range. [1]: https://lore.kernel.org/all/7cd843a9-aa80-14f-5eb2-33427363c20@google.com/ pte_free_defer() sets the active flag on the corresponding fragment's folio & calls pte_fragment_free(), which reduces the pt_frag_refcount. When pt_frag_refcount reaches 0 (no active fragment using the folio), it checks if the folio active flag is set, if set, it calls call_rcu to free the folio, it the active flag is unset then it calls pte_free_now(). Now, this can lead to following problem in a corner case... [ 265.351553][ T183] BUG: Bad page state in process a.out pfn:20d62 [ 265.353555][ T183] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20d62 [ 265.355457][ T183] flags: 0x3ffff800000100(active|node=0|zone=0|lastcpupid=0x7ffff) [ 265.358719][ T183] raw: 003ffff800000100 0000000000000000 5deadbeef0000122 0000000000000000 [ 265.360177][ T183] raw: 0000000000000000 c0000000119caf58 00000000ffffffff 0000000000000000 [ 265.361438][ T183] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set [ 265.362572][ T183] Modules linked in: [ 265.364622][ T183] CPU: 0 UID: 0 PID: 183 Comm: a.out Not tainted 6.18.0-rc3-00141-g1ddeaaace7ff-dirty #53 VOLUNTARY [ 265.364785][ T183] Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries [ 265.364908][ T183] Call Trace: [ 265.364955][ T183] [c000000011e6f7c0] [c000000001cfaa18] dump_stack_lvl+0x130/0x148 (unreliable) [ 265.365202][ T183] [c000000011e6f7f0] [c000000000794758] bad_page+0xb4/0x1c8 [ 265.365384][ T183] [c000000011e6f890] [c00000000079c020] __free_frozen_pages+0x838/0xd08 [ 265.365554][ T183] [c000000011e6f980] [c0000000000a70ac] pte_frag_destroy+0x298/0x310 [ 265.365729][ T183] [c000000011e6fa30] [c0000000000aa764] arch_exit_mmap+0x34/0x218 [ 265.365912][ T183] [c000000011e6fa80] [c000000000751698] exit_mmap+0xb8/0x820 [ 265.366080][ T183] [c000000011e6fc30] [c0000000001b1258] __mmput+0x98/0x300 [ 265.366244][ T183] [c000000011e6fc80] [c0000000001c81f8] do_exit+0x470/0x1508 [ 265.366421][ T183] [c000000011e6fd70] [c0000000001c95e4] do_group_exit+0x88/0x148 [ 265.366602][ T183] [c000000011e6fdc0] [c0000000001c96ec] pid_child_should_wake+0x0/0x178 [ 265.366780][ T183] [c000000011e6fdf0] [c00000000003a270] system_call_exception+0x1b0/0x4e0 [ 265.366958][ T183] [c000000011e6fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec The bad page state error occurs when such a folio gets freed (with active flag set), from do_exit() path in parallel. ... this can happen when the pte fragment was allocated from this folio, but when all the fragments get freed, the pte_frag_refcount still had some unused fragments. Now, if this process exits, with such folio as it's cached pte_frag in mm->context, then during pte_frag_destroy(), we simply call pagetable_dtor() and pagetable_free(), meaning it doesn't clear the active flag. This, can lead to the above bug. Since we are anyway in do_exit() path, then if the refcount is 0, then I guess it should be ok to simply clear the folio active flag before calling pagetable_dtor() & pagetable_free().

Affected products

Linux
  • <6.6
  • =<6.18.*
  • =<7.0.*
  • ==6.6
  • <fda4d71651f71c44b35829d13f3c8bf920032f77
  • =<*
  • <a32db6fca3c74b4eb8bae5470f0680deb4cbac6f
  • <c8b710655012a2993a9567873fb71a8a51f8459c
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
dm cache metadata: fix memory leak on metadata abort retry

In the Linux kernel, the following vulnerability has been resolved: dm cache metadata: fix memory leak on metadata abort retry When failing to acquire the root_lock in dm_cache_metadata_abort because the block_manager is read-only, the temporary block_manager created outside the root_lock is not properly released, causing a memory leak. Reproduce steps: This can be reproduced by reloading a new table while the metadata is read-only. While the second call to dm_cache_metadata_abort is caused by lack of support for table preload in dm-cache, mentioned in commit 9b1cc9f251af ("dm cache: share cache-metadata object across inactive and active DM tables"), it exposes the memory leak in dm_cache_metadata_abort when the function is called multiple times. Specifically, dm-cache fails to sync the new cache object's mode during preresume, creating the reproducer condition. This issue could also occur through concurrent metadata_operation_failed calls due to races in cache mode updates, but the table preload scenario below provides a reliable reproducer. 1. Create a cache device with some faulty trailing metadata blocks dmsetup create cmeta <<EOF 0 200 linear /dev/sdc 0 200 7992 error EOF dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" dmsetup create corig --table "0 262144 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 131072 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 1 writethrough smq 0" 2. Suspend and resume the cache to start a new metadata transaction and trigger metadata io errors on the next metadata commit. dmsetup suspend cache dmsetup resume cache 3. Write to the cache device to update metadata fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \ --randrepeat=0 --direct=1 --size 64k 4. Preload the same table dmsetup reload cache --table "$(dmsetup table cache)" 5. Resume the new table. This triggers the memory leak. dmsetup suspend cache dmsetup resume cache kmemleak logs: <snip> unreferenced object 0xffff8880080c2010 (size 16): comm "dmsetup", pid 132, jiffies 4294982580 hex dump (first 16 bytes): 00 38 b9 07 80 88 ff ff 6a 6b 6b 6b 6b 6b 6b a5 ... backtrace (crc 3118f31c): kmemleak_alloc+0x28/0x40 __kmalloc_cache_noprof+0x3d9/0x510 dm_block_manager_create+0x51/0x140 dm_cache_metadata_abort+0x85/0x320 metadata_operation_failed+0x103/0x1e0 cache_preresume+0xacd/0xe70 dm_table_resume_targets+0xd3/0x320 __dm_resume+0x1b/0xf0 dm_resume+0x127/0x170 <snip>

Affected products

Linux
  • =<6.18.*
  • ==f472bfc95d9c9653172dbdad39219b32fabf9b92
  • <5.15.209
  • =<7.0.*
  • <4311ca59a1891d33c4c8b7946f98c34f167fe833
  • <6b97cc7a42905755c56bbddc33aa8b792205caee
  • <5.10.258
  • <15c30997dca681f90dbf2d45ee629c1828bf0c0d
  • =<6.1.*
  • <14f60e957f34f95a626caec76a8fae88cf4c397f
  • <6.1
  • <4.20
  • ==6.2
  • ==6e237cacda8b4e976849e7bff9fe7dff0e968586
  • <6.1.175
  • ==3972ae47d0ee9b5b434af5d0cca6cdfd1e239d4f
  • <322a3b70368d49e39591fe9fc6c07d262128b05f
  • <b0bd35535bdb6f58505f3a30ee5793986943997a
  • <044ca491d4086dc5bf233e9fcb71db52df32f633
  • <4.15
  • <5.5
  • ==bdd4e106929ac943f3226d8f03754b480701e97b
  • <4.10
  • <6.2
  • ==9958f5ffc44530b650fb4cc9038a4d167fa4f5c1
  • =<5.15.*
  • =<*
  • =<5.10.*
  • =<6.12.*
  • <d1a79620c419a0af1911f99c873014b30740e303
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net/rds: zero per-item info buffer before handing it to visitors

In the Linux kernel, the following vulnerability has been resolved: net/rds: zero per-item info buffer before handing it to visitors rds_for_each_conn_info() and rds_walk_conn_path_info() both hand a caller-allocated on-stack u64 buffer to a per-connection visitor and then copy the full item_len bytes back to user space via rds_info_copy() regardless of how much of the buffer the visitor actually wrote. rds_ib_conn_info_visitor() and rds6_ib_conn_info_visitor() only write a subset of their output struct when the underlying rds_connection is not in state RDS_CONN_UP (src/dst addr, tos, sl and the two GIDs via explicit memsets). Several u32 fields (max_send_wr, max_recv_wr, max_send_sge, rdma_mr_max, rdma_mr_size, cache_allocs) and the 2-byte alignment hole between sl and cache_allocs remain as whatever stack contents preceded the visitor call and are then memcpy_to_user()'d out to user space. struct rds_info_rdma_connection and struct rds6_info_rdma_connection are the only rds_info_* structs in include/uapi/linux/rds.h that are not marked __attribute__((packed)), so they have a real alignment hole. The other info visitors (rds_conn_info_visitor, rds6_conn_info_visitor, rds_tcp_tc_info, ...) write all fields of their packed output struct today and are not known to be vulnerable, but a future visitor that adds a conditional write-path would have the same bug. Reproduction on a kernel built without CONFIG_INIT_STACK_ALL_ZERO=y: a local unprivileged user opens AF_RDS, sets SO_RDS_TRANSPORT=IB, binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on any netdev is sufficient), sendto()'s any peer on the same subnet (fails cleanly but installs an rds_connection in the global hash in RDS_CONN_CONNECTING), then calls getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS). The returned 68-byte item contains 26 bytes of stack garbage including kernel text/data pointers: 0..7 0a 63 00 01 0a 63 00 02 src=10.99.0.1 dst=10.99.0.2 8..39 00 ... gids (memset-zeroed) 40..47 e0 92 a3 81 ff ff ff ff kernel pointer (max_send_wr) 48..55 7f 37 b5 81 ff ff ff ff kernel pointer (rdma_mr_max) 56..59 01 00 08 00 rdma_mr_size (garbage) 60..61 00 00 tos, sl 62..63 00 00 alignment padding 64..67 18 00 00 00 cache_allocs (garbage) Fix by zeroing the per-item buffer in both rds_for_each_conn_info() and rds_walk_conn_path_info() before invoking the visitor. This covers the IPv4/IPv6 IB visitors and hardens all current and future visitors against the same class of bug. No functional change for visitors that fully populate their output. Changes in v2: - retarget at the net tree (subject prefix "[PATCH net v2]", net/rds: prefix in the title) - pick up Reviewed-by tags from Sharath Srinivasan and Allison Henderson

Affected products

Linux
  • =<5.15.*
  • =<6.18.*
  • <81651e9d7dea1c048d2952f57632a042931d7b43
  • <c7cb9eed8215a790f052f49cdccf577720d2bb62
  • =<6.12.*
  • ==2.6.30
  • <912ba2e5704fdb8bc5decda96dfc1a57838f0099
  • <5e67cc262afb384e835c3327e9d954eeaedc6a87
  • <0797b2e6901827694aa9c34c4c72118c8c97fba1
  • <b6ba93a7b71ed443c9843eb12d27ed86f1e52694
  • <91ce1bb6e4194dc2321748f68145359dcf86e350
  • <2.6.30
  • =<7.0.*
  • =<*
  • =<6.1.*
  • =<5.10.*
  • <c88eb7e8d8397a8c1db59c425332c5a30b2a1682
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
erofs: unify lcn as u64 for 32-bit platforms

In the Linux kernel, the following vulnerability has been resolved: erofs: unify lcn as u64 for 32-bit platforms As sashiko reported [1], `lcn` was typed as `unsigned long` (or `unsigned int` sometimes), which is only 32 bits wide on 32-bit platforms, which causes `(lcn << lclusterbits)` to be truncated at 4 GiB. In order to consolidate the logic, just use `u64` consistently around the codebase. [1] https://sashiko.dev/r/20260420034612.1899973-1-hsiangkao%40linux.alibaba.com

Affected products

Linux
  • <2d8c7edcb661812249469f4a5b62e9339118846f
  • <858e4d98a86adf34584767388deb6c9b217f70c5
  • =<6.18.*
  • =<6.12.*
  • =<7.0.*
  • <5.3
  • <582b0bf201157632cb5474c885989a6ebda46521
  • =<*
  • <4fc9b12e43a3f19a01a8fb61f7961be79de20253
  • ==5.3
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: nft_ct: fix missing expect put in obj eval

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: fix missing expect put in obj eval nft_ct_expect_obj_eval() allocates an expectation and may call nf_ct_expect_related(), but never drops its local reference. Add nf_ct_expect_put(exp) before return to balance allocation.

Affected products

Linux
  • =<6.1.*
  • =<5.15.*
  • =<6.18.*
  • <1dced0725e2fae3ac3416274db20a7ff5a46931d
  • =<6.12.*
  • <26ab32ec73941871c97562ee1f39587950dc3b68
  • <19f94b6fee75b3ef7fbc06f3745b9a771a8a19a4
  • =<7.0.*
  • <ecca618e1e339494911090474ed87742c0f73976
  • <5.3
  • <2aef1b13d5c0285f340512c6c07eb858fd018fd8
  • =<*
  • <7b96242ceedfe249f158419f3254bcee04173ffe
  • =<6.6.*
  • <84c422cea5a45fe56be839f25880f21fd33940cd
  • ==5.3
  • =<5.10.*
  • <cdb9a25dd3416d427e8b2753210f8baf44207577
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
bus: fsl-mc: use generic driver_override infrastructure

In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Affected products

Linux
  • <6c8dfb0362732bf1e4829867a2a5239fedc592d0
  • =<6.18.*
  • ==5.10
  • =<7.0.*
  • <4911b836f35c034c36f102db4ecbe339b38e7d1d
  • =<*
  • <5.10
  • =<6.12.*
  • <8139ce66b52a4a5638bfb445b037c07d4abeb08e
  • <60bfb563a399c4597dc80588a1109758a8908b97
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: bcmgenet: fix off-by-one in bcmgenet_put_txcb

In the Linux kernel, the following vulnerability has been resolved: net: bcmgenet: fix off-by-one in bcmgenet_put_txcb The write_ptr points to the next open tx_cb. We want to return the tx_cb that gets rewinded, so we must rewind the pointer first then return the tx_cb that it points to. That way the txcb can be correctly cleaned up.

Affected products

Linux
  • <14e9f86564fff7bcf7f45c1b69080e837b31d185
  • <2a74590170427a3ca7cc4bb8690cdd559129c29c
  • =<6.18.*
  • =<7.0.*
  • <57f3f53d2c9c5a9e133596e2f7bc1c50688a6d38
  • <85f34ec320d3881badfd4edc5fee5cd5012bb54d
  • =<6.1.*
  • <29394f722f620281f2ee9a47f947734e53d72c90
  • ==3bdf77194ea822390b405639b77659071fd2c2e9
  • <fb9a3c1f547d0ff024dbfe7b6f327626ddf0a3de
  • <4cab761fc51c65aef741fcece4a18f3554edbc09
  • <4.13
  • =<5.15.*
  • <3.17
  • <72df896e31ddd06fcc5a789f025ad7a62a18bc9b
  • =<*
  • ==4.13
  • =<6.12.*
  • =<5.10.*
  • =<6.6.*