#VU92426 Out-of-bounds read in Linux kernel
Vulnerability identifier: #VU92426
Vulnerability risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-125
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Linux kernel
Operating systems & Components /
Operating system
Vendor: Linux Foundation
Description
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to out-of-bounds read error within the remove_tests() function in tools/testing/selftests/net/mptcp/mptcp_join.sh, within the __ksft_status_merge(), loopy_wait(), cleanup_ns() and setup_ns() functions in tools/testing/selftests/net/lib.sh, within the main() function in tools/testing/selftests/futex/functional/futex_requeue_pi.c, within the $() function in tools/testing/selftests/futex/functional/makefile, within the find_dot_func() function in tools/testing/selftests/ftrace/test.d/kprobe/kprobe_eventname.tc, within the fail() function in tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc, within the bpf_prog() function in tools/testing/selftests/bpf/progs/test_sk_storage_tracing.c, within the $() function in tools/testing/selftests/alsa/makefile, within the get_did() function in tools/power/cpupower/utils/helpers/amd.c, within the define_strarray() function in tools/perf/builtin-trace.c, within the record__read_lost_samples() function in tools/perf/builtin-record.c, within the probe_uprobe_multi_link() function in tools/lib/bpf/features.c, within the tomoyo_check_profile() function in security/tomoyo/common.c, within the read_symbols() function in scripts/mod/modpost.c, within the kallsyms_step() function in scripts/link-vmlinux.sh, within the _menu_finalize() function in scripts/kconfig/menu.c, within the main() function in scripts/kconfig/gconf.c, within the expr_eliminate_yn() function in scripts/kconfig/expr.c, within the conf_read() function in scripts/kconfig/confdata.c, within the ${class}${atomicname}() function in scripts/atomic/kerneldoc/sub_and_test, within the xsk_is_bound() function in net/xdp/xsk.c, within the cfg80211_get_station() function in net/wireless/util.c, within the wiphy_resume() function in net/wireless/sysfs.c, within the cfg80211_scan_6ghz() and cfg80211_6ghz_power_type_valid() functions in net/wireless/scan.c, within the pmsr_parse_ftm() function in net/wireless/pmsr.c, within the cfg80211_wiphy_work() function in net/wireless/core.c, within the sk_diag_dump_icons(), sk_diag_show_rqlen(), sk_diag_fill() and unix_diag_dump() functions in net/unix/diag.c, within the unix_may_send(), unix_dgram_peer_wake_me(), unix_write_space(), unix_dgram_disconnected(), unix_release_sock(), unix_listen(), unix_create1(), unix_peer(), unix_stream_connect(), unix_state_lock_nested(), copy_peercred(), unix_accept(), unix_dgram_sendmsg(), unix_stream_sendmsg(), unix_seqpacket_sendmsg(), unix_seqpacket_recvmsg(), manage_oob(), unix_stream_read_generic(), unix_inq_len(), unix_compat_ioctl(), unix_poll() and unix_dgram_poll() functions in net/unix/af_unix.c, within the gss_read_proxy_verf() function in net/sunrpc/auth_gss/svcauth_gss.c, within the gss_wrap_req_priv() function in net/sunrpc/auth_gss/auth_gss.c, within the smc_adjust_sock_bufsizes() function in net/smc/af_smc.c, within the taprio_parse_mqprio_opt() function in net/sched/sch_taprio.c, within the multiq_tune() function in net/sched/sch_multiq.c, within the __spin_lock_unlocked() function in net/sched/sch_generic.c, within the nft_payload_inner_init() function in net/netfilter/nft_payload.c, within the nft_meta_inner_init() function in net/netfilter/nft_meta.c, within the list_set_kadd(), list_set_kdel(), list_set_utest(), list_set_uadd(), list_set_udel() and list_set_destroy() functions in net/netfilter/ipset/ip_set_list_set.c, within the call_rcu(), ip_set_destroy() and ip_set_net_init() functions in net/netfilter/ipset/ip_set_core.c, within the ncsi_rsp_handler_gc() function in net/ncsi/ncsi-rsp.c, within the ncsi_suspend_channel(), ncsi_probe_channel(), ncsi_register_dev() and ncsi_start_dev() functions in net/ncsi/ncsi-manage.c, within the mptcp_set_state() and mptcp_connect() functions in net/mptcp/protocol.c, within the mptcp_pm_nl_add_addr_received() and mptcp_pm_nl_rm_addr_or_subflow() functions in net/mptcp/pm_netlink.c, within the ieee80211_sta_get_rates() function in net/mac80211/util.c, within the ieee80211_sta_ps_deliver_wakeup() function in net/mac80211/sta_info.c, within the __ieee80211_start_scan() function in net/mac80211/scan.c, within the ieee80211_parse_extension_element() function in net/mac80211/parse.c, within the mesh_path_discard_frame() function in net/mac80211/mesh_pathtbl.c, within the ieee80211_mesh_init_sdata() function in net/mac80211/mesh.c, within the ieee80211_reset_erp_info() and ieee80211_tasklet_handler() functions in net/mac80211/main.c, within the ieee80211_he_spr_ie_to_bss_conf() function in net/mac80211/he.c, within the ieee80211_set_mcast_rate() and __ieee80211_channel_switch() functions in net/mac80211/cfg.c, within the tcp_v6_syn_recv_sock() function in net/ipv6/tcp_ipv6.c, within the seg6_input_core() and seg6_output_core() functions in net/ipv6/seg6_iptunnel.c, within the rpl_output() and rpl_input() functions in net/ipv6/rpl_iptunnel.c, within the rt6_get_pcpu_route() and ipv6_sysctl_rtcache_flush() functions in net/ipv6/route.c, within the ip6_route_me_harder() function in net/ipv6/netfilter.c, within the __fib6_drop_pcpu_from() function in net/ipv6/ip6_fib.c, within the ila_output() function in net/ipv6/ila/ila_lwt.c, within the tcp_rtx_probe0_timed_out() function in net/ipv4/tcp_timer.c, within the tcp_inbound_ao_hash() function in net/ipv4/tcp_ao.c, within the !!() and tcp_set_state() functions in net/ipv4/tcp.c, within the recv() and ip_fib_init() functions in net/ipv4/fib_frontend.c, within the devinet_init() function in net/ipv4/devinet.c, within the tsinfo_prepare_data() function in net/ethtool/tsinfo.c, within the ethtool_get_phy_stats_ethtool() function in net/ethtool/ioctl.c, within the rtnl_mdb_del(), rtnetlink_rcv_msg() and rtnetlink_init() functions in net/core/rtnetlink.c, within the dst_cache_per_cpu_dst_set() and dst_cache_per_cpu_get() functions in net/core/dst_cache.c, within the set_rps_cpu() function in net/core/dev.c, within the br_mst_get_state(), br_mst_set_state() and br_mst_vlan_sync_state() functions in net/bridge/br_mst.c, within the __bpf_prog_test_run_raw_tp() function in net/bpf/test_run.c, within the l2cap_connect() and l2cap_conn_param_update_req() functions in net/bluetooth/l2cap_core.c, within the hci_setup_ext_adv_instance_sync() function in net/bluetooth/hci_sync.c, within the ax25_dev_free() function in net/ax25/ax25_dev.c, within the ax25_accept() function in net/ax25/af_ax25.c, within the count_vm_event() function in mm/vmscan.c, within the is_vmalloc_or_module_addr() function in mm/vmalloc.c, within the kvrealloc_noprof(), __vmalloc_array_noprof() and export_symbol() functions in mm/util.c, within the alloc_slab_obj_exts() function in mm/slub.c, within the count_swpout_vm_event() function in mm/page_io.c, within the find_suitable_fallback(), reserve_highatomic_pageblock() and unreserve_highatomic_pageblock() functions in mm/page_alloc.c, within the mempool_create_node_noprof() function in mm/mempool.c, within the __mod_objcg_mlstate() function in mm/memcontrol.c, within the memblock_set_node() function in mm/memblock.c, within the atomic_long_init(), replace_page(), ksm_do_scan(), wait_while_offlining(), ksm_attr_ro() and general_profit_show() functions in mm/ksm.c, within the kmsan_internal_set_shadow_origin() function in mm/kmsan/core.c, within the __unmap_hugepage_range() function in mm/hugetlb.c, within the __attr_ro() function in mm/huge_memory.c, within the filemap_alloc_folio_noprof() function in mm/filemap.c, within the test_rht_exit() function in lib/test_rhashtable.c, within the bpf_uprobe_multi_entry_ip() and bpf_kprobe_multi_kfuncs_init() functions in kernel/trace/bpf_trace.c, within the tick_setup_periodic() and tick_setup_device() functions in kernel/time/tick-common.c, within the perf_event_release_kernel() and put_event() functions in kernel/events/core.c, within the btf_id() function in kernel/bpf/verifier.c, within the bpf_obj_get(), bpf_link_defer_dealloc_mult_rcu_gp() and bpf_link_free() functions in kernel/bpf/syscall.c, within the dev_map_redirect_multi() function in kernel/bpf/devmap.c, within the io_rsrc_ref_quiesce() function in io_uring/rsrc.c, within the io_register_iowq_max_workers() function in io_uring/register.c, within the io_unregister_napi() and __io_napi_adjust_timeout() functions in io_uring/napi.c, within the io_init_req() function in io_uring/io_uring.c, within the io_wq_enqueue() function in io_uring/io-wq.c, within the xfs_log_sb() function in fs/xfs/libxfs/xfs_sb.c, within the __ksmbd_inode_close() function in fs/smb/server/vfs_cache.c, within the ksmbd_vfs_fqar_lseek() and ksmbd_vfs_remove_sd_xattrs() functions in fs/smb/server/vfs.c, within the smb2_get_name(), smb2_set_ea(), smb2_remove_smb_xattrs() and smb2_open() functions in fs/smb/server/smb2pdu.c, within the smb2_find_smb_tcon() function in fs/smb/client/smb2transport.c, within the smb2_readv_callback() and smb2_writev_callback() functions in fs/smb/client/smb2pdu.c, within the proc_pid_ksm_stat() function in fs/proc/base.c, within the nilfs_segctor_prepare_write() function in fs/nilfs2/segment.c, within the nilfs_empty_dir() function in fs/nilfs2/dir.c, within the nfs_symlink_filler() function in fs/nfs/symlink.c, within the nfs_pageio_cond_complete() function in fs/nfs/pagelist.c, within the test_fs_location_for_trunking(), _nfs4_discover_trunking() and nfs4_set_security_label() functions in fs/nfs/nfs4proc.c, within the nfs_lookup_revalidate_done(), nfs_lookup_revalidate_dentry(), nfs_do_lookup_revalidate(), __nfs_lookup_revalidate(), nfs_lookup_revalidate(), nfs_atomic_open_v23(), nfs_unlink(), nfs_unblock_rename() and nfs_rename() functions in fs/nfs/dir.c, within the ea_get() function in fs/jfs/xattr.c, within the iomap_adjust_read_range(), iomap_write_end(), iomap_write_iter(), iomap_unshare_iter() and iomap_zero_iter() functions in fs/iomap/buffered-io.c, within the find_next_fd() function in fs/file.c, within the debugfs_parse_param() function in fs/debugfs/inode.c, within the cachefiles_req_put(), cachefiles_ondemand_fd_llseek(), cachefiles_ondemand_fd_ioctl(), cachefiles_ondemand_copen(), cachefiles_ondemand_restore(), cachefiles_ondemand_get_fd(), cachefiles_ondemand_select_req(), cachefiles_ondemand_daemon_read(), cachefiles_ondemand_send_req() and cachefiles_ondemand_init_obj_info() functions in fs/cachefiles/ondemand.c, within the cachefiles_daemon_open() and cachefiles_flush_reqs() functions in fs/cachefiles/daemon.c, within the btrfs_log_prealloc_extents() function in fs/btrfs/tree-log.c, within the btrfs_finish_ordered_extent() function in fs/btrfs/ordered-data.c, within the btrfs_sync_file() function in fs/btrfs/file.c, within the grab_extent_buffer(), check_eb_alignment(), filemap_add_folio(), __free_page(), alloc_extent_buffer() and folio_size() functions in fs/btrfs/extent_io.c, within the btrfs_destroy_delayed_refs() function in fs/btrfs/disk-io.c, within the __bch2_fs_free() and bch2_fs_alloc() functions in fs/bcachefs/super.c, within the bch2_sb_to_text() function in fs/bcachefs/super-io.c, within the offsetof() function in fs/bcachefs/movinggc.c, within the bch2_move_data_btree() and rereplicate_pred() functions in fs/bcachefs/move.c, within the bch2_nocow_write() and rcu_read_lock() functions in fs/bcachefs/io_write.c, within the offsetof() and read_from_stale_dirty_pointer() functions in fs/bcachefs/io_read.c, within the check_subdir_count(), check_dirent_target() and check_dirent_to_subvol() functions in fs/bcachefs/fsck.c, within the __bch2_new_inode() and div_s64() functions in fs/bcachefs/fs.c, within the bch2_ioc_goingdown(), inode_inum() and bch2_ioctl_subvolume_create() functions in fs/bcachefs/fs-ioctl.c, within the bch2_bkey_pick_read_device(), bch2_extent_normalize() and bch2_extent_ptr_to_text() functions in fs/bcachefs/extents.c, within the mark_stripe_bucket(), ec_block_endio() and ec_block_io() functions in fs/bcachefs/ec.c, within the bch2_bkey_durability() function in fs/bcachefs/data_update.c, within the bch2_update_cached_sectors_list(), bch2_btree_node_update_key_early(), bch2_trigger_pointer(), bch2_mark_metadata_bucket() and bch2_dev_buckets_resize() functions in fs/bcachefs/buckets.c, within the found_btree_node_is_readable() function in fs/bcachefs/btree_node_scan.c, within the break_cycle() function in fs/bcachefs/btree_locking.c, within the bch2_btree_key_cache_cmp_fn(), bch2_btree_key_cache_scan(), bch2_btree_key_cache_count() and bch2_fs_btree_key_cache_init() functions in fs/bcachefs/btree_key_cache.c, within the bch2_btree_path_verify(), bch2_btree_iter_verify() and bch2_fs_btree_iter_exit() functions in fs/bcachefs/btree_iter.c, within the btree_node_read_endio(), btree_node_read_all_replicas(), bch2_btree_node_read() and atomic64_add() functions in fs/bcachefs/btree_io.c, within the bch2_alloc_write_key() and bch2_gc_alloc_start() functions in fs/bcachefs/btree_gc.c, within the bch2_btree_cache_cmp_fn() function in fs/bcachefs/btree_cache.c, within the bch2_trigger_alloc() function in fs/bcachefs/alloc_background.c, within the vfio_device_release(), export_symbol_gpl() and vfio_init_device() functions in drivers/vfio/vfio_main.c, within the vfio_pci_core_write(), vfio_pci_memory_unlock_and_restore(), vfio_pci_core_mmap(), vfio_pci_core_init_dev(), vfio_pci_core_release_dev() and vfio_pci_dev_set_hot_reset() functions in drivers/vfio/pci/vfio_pci_core.c, within the vfio_device_open_file() function in drivers/vfio/group.c, within the vfio_device_fops_cdev_open() function in drivers/vfio/device_cdev.c, within the ucsi_exec_command() function in drivers/usb/typec/ucsi/ucsi.c, within the tcpm_register_source_caps() and _tcpm_pd_hard_reset() functions in drivers/usb/typec/tcpm/tcpm.c, within the short_pack() and alauda_check_media() functions in drivers/usb/storage/alauda.c, within the xhci_invalidate_cancelled_tds(), xhci_handle_cmd_set_deq() and process_bulk_intr_td() functions in drivers/usb/host/xhci-ring.c, within the xhci_pci_quirks() function in drivers/usb/host/xhci-pci.c, within the __usb_hcd_giveback_urb() function in drivers/usb/core/hcd.c, within the wdm_int_callback() function in drivers/usb/class/cdc-wdm.c, within the ci_ulpi_init() function in drivers/usb/chipidea/ulpi.c, within the ci_hdrc_probe() function in drivers/usb/chipidea/core.c, within the obj-$() function in drivers/usb/makefile, within the ufshcd_clock_scaling_prepare() and ufshcd_clock_scaling_unprepare() functions in drivers/ufs/core/ufshcd.c, within the ufshcd_mcq_abort() function in drivers/ufs/core/ufs-mcq.c, within the serial_port_runtime_suspend() function in drivers/tty/serial/serial_port.c, within the uart_write() function in drivers/tty/serial/serial_core.c, within the obj-$() function in drivers/tty/serial/makefile, within the serial_pxa_probe() function in drivers/tty/serial/8250/8250_pxa.c, within the dw8250_setup_port() function in drivers/tty/serial/8250/8250_dwlib.c, within the dw_uart_quirk_skip_set_rate bit() and dw8250_prepare_rx_dma() functions in drivers/tty/serial/8250/8250_dw.c, within the __receive_buf() function in drivers/tty/n_tty.c, within the margining_port_init() function in drivers/thunderbolt/debugfs.c, within the thermal_zone_set_trip_temp() function in drivers/thermal/thermal_trip.c, within the thermal_debug_tz_trip_up() and tze_seq_show() functions in drivers/thermal/thermal_debugfs.c, within the thermal_governor_trip_crossed(), __thermal_zone_device_update(), thermal_zone_device_update() and __thermal_cooling_device_register() functions in drivers/thermal/thermal_core.c, within the thermal_zone_trip_update() function in drivers/thermal/gov_step_wise.c, within the debugfs_trace_show() and vchiq_debugfs_remove_instance() functions in drivers/staging/vc04_services/interface/vchiq_arm/vchiq_debugfs.c, within the vchiq_probe() function in drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c, within the sr_reset() function in drivers/scsi/sr_ioctl.c, within the sd_validate_opt_xfer_size() function in drivers/scsi/sd.c, within the sas_is_tlr_enabled() function in drivers/scsi/scsi_transport_sas.c, within the scsi_get_vpd_size() and scsi_cdl_check() functions in drivers/scsi/scsi.c, within the qedf_elsct_send(), qedf_ctx_soft_reset(), memset(), __qedf_remove() and qedf_stag_change_work() functions in drivers/scsi/qedf/qedf_main.c, within the scsih_pci_mmio_enabled() function in drivers/scsi/mpt3sas/mpt3sas_scsih.c, within the sas_ncq_prio_supported_show() and sas_ncq_prio_enable_store() functions in drivers/scsi/mpt3sas/mpt3sas_ctl.c, within the mpt3sas_base_attach() and _base_check_ioc_facts_changes() functions in drivers/scsi/mpt3sas/mpt3sas_base.c, within the mpi3mr_sas_port_add() function in drivers/scsi/mpi3mr/mpi3mr_transport.c, within the persistent_id_show() function in drivers/scsi/mpi3mr/mpi3mr_app.c, within the print_alua_state() and alua_tur() functions in drivers/scsi/device_handler/scsi_dh_alua.c, within the mi300_addr_cfg(), addr_hash_row_xor genmask(), get_addr_hash_mi300() and convert_dram_to_norm_addr_mi300() functions in drivers/ras/amd/atl/umc.c, within the df4_determine_df_rev() function in drivers/ras/amd/atl/system.c, within the ptp_set_pinfunc() function in drivers/ptp/ptp_chardev.c, within the dev_is_pnp() function in drivers/pnp/driver.c, within the property_entry_u32(), property_entry_bool() and ts_parse_props() functions in drivers/platform/x86/touchscreen_dmi.c, within the pr_fmt(), define_mutex(), find_tokens(), build_tokens_sysfs() and free_group() functions in drivers/platform/x86/dell/dell-smbios-base.c, within the hsmp_plat_dev_register() and hsmp_plt_init() functions in drivers/platform/x86/amd/hsmp.c, within the pci_device_add() function in drivers/pci/probe.c, within the pcibios_reset_secondary_bus() function in drivers/pci/pci.c, within the pci_cfg_access_lock() and pci_cfg_access_unlock() functions in drivers/pci/access.c, within the amiga_parallel_remove() function in drivers/parport/parport_amiga.c, within the parse_interrupts() and parse_interrupt_map() functions in drivers/of/property.c, within the kunit_test_suites() function in drivers/of/of_test.c, within the of_irq_parse_imap_parent() and of_irq_parse_raw() functions in drivers/of/irq.c, within the nvmet_passthru_execute_cmd_work() function in drivers/nvme/target/passthru.c, within the nvmet_execute_admin_connect() and nvmet_execute_io_connect() functions in drivers/nvme/target/fabrics-cmd.c, within the pr_debug() and nvmet_execute_auth_receive() functions in drivers/nvme/target/fabrics-cmd-auth.c, within the nvmet_req_init() function in drivers/nvme/target/core.c, within the nvme_sc_to_pr_err() function in drivers/nvme/host/pr.c, within the nvme_alloc_user_request(), nvme_map_user_request(), nvme_submit_user_cmd(), nvme_uring_task_cb() and nvme_uring_cmd_end_io() functions in drivers/nvme/host/ioctl.c, within the nvmf_reg_read32(), nvmf_reg_read64() and nvmf_reg_write32() functions in drivers/nvme/host/fabrics.c, within the nvme_cleanup_cmd() and nvme_remove_invalid_namespaces() functions in drivers/nvme/host/core.c, within the ipc_devlink_create_region() function in drivers/net/wwan/iosm/iosm_ipc_devlink.c, within the rtl_op_config() function in drivers/net/wireless/realtek/rtlwifi/core.c, within the wilc_wlan_handle_txq() function in drivers/net/wireless/microchip/wilc1000/wlan.c, within the wilc_wlan_set_bssid(), wilc_set_mac_addr(), wilc_mac_xmit(), wilc_frmw_to_host(), wilc_wfi_mgmt_rx(), wilc_netdev_cleanup(), wilc_get_available_idx() and wilc_netdev_ifc_init() functions in drivers/net/wireless/microchip/wilc1000/netdev.c, within the wilc_network_info_received(), wilc_gnrl_async_info_received() and wilc_scan_complete_received() functions in drivers/net/wireless/microchip/wilc1000/hif.c, within the set_channel(), set_wiphy_params(), add_virtual_intf(), del_virtual_intf(), wilc_set_wakeup(), set_tx_power(), wlan_init_locks() and wlan_deinit_locks() functions in drivers/net/wireless/microchip/wilc1000/cfg80211.c, within the mt7615_set_rekey_data() function in drivers/net/wireless/mediatek/mt76/mt7615/main.c, within the iwl_mvm_fw_baid_op_cmd() function in drivers/net/wireless/intel/iwlwifi/mvm/sta.c, within the iwl_mvm_scan_umac_dwell(), iwl_mvm_scan_umac_dwell_v11(), iwl_mvm_umac_scan_fill_6g_chan_list() and iwl_mvm_umac_scan_abort() functions in drivers/net/wireless/intel/iwlwifi/mvm/scan.c, within the iwl_mvm_rx_monitor_no_data() function in drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c, within the iwl_mvm_mld_cfg_sta() and iwl_mvm_mld_update_sta_baids() functions in drivers/net/wireless/intel/iwlwifi/mvm/mld-sta.c, within the iwl_mvm_mld_mac_add_interface() function in drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c, within the iwl_mvm_cleanup_iterator(), iwl_mvm_restart_cleanup() and iwl_mvm_sync_rx_queues_internal() functions in drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c, within the iwl_mvm_mac_ctxt_set_tim() function in drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c, within the iwl_mvm_mfu_assert_dump_notif() and iwl_mvm_sar_select_profile() functions in drivers/net/wireless/intel/iwlwifi/mvm/fw.c, within the _iwl_dbgfs_inject_beacon_ie() function in drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c, within the iwl_mvm_wowlan_gtk_type_iter() and iwl_mvm_setup_connection_keep() functions in drivers/net/wireless/intel/iwlwifi/mvm/d3.c, within the iwl_drv_start() function in drivers/net/wireless/intel/iwlwifi/iwl-drv.c, within the ath11k_pcic_ext_irq_config() function in drivers/net/wireless/ath/ath11k/pcic.c, within the ath11k_mac_op_assign_vif_chanctx() and ath11k_mac_op_sta_state() functions in drivers/net/wireless/ath/ath11k/mac.c, within the sizeof() function in drivers/net/wireless/ath/ath11k/core.c, within the vxlan_snoop() and vxlan_set_mac() functions in drivers/net/vxlan/vxlan_core.c, within the vmxnet3_rq_destroy_all_rxdataring() function in drivers/net/vmxnet3/vmxnet3_drv.c, within the virtnet_send_command_reply(), virtnet_send_rx_notf_coal_cmds() and virtnet_rx_dim_work() functions in drivers/net/virtio_net.c, within the sfp_sm_module() function in drivers/net/phy/sfp.c, within the ksz8061_config_init(), ksz9477_config_init() and kszphy_resume() functions in drivers/net/phy/micrel.c, within the nsim_get_iflink() function in drivers/net/netdevsim/netdev.c, within the geneve_xmit_skb() and geneve6_xmit_skb() functions in drivers/net/geneve.c, within the tc_setup_cbs() function in drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c, within the qcom_ethqos_probe() function in drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c, within the ionic_run_xdp() function in drivers/net/ethernet/pensando/ionic/ionic_txrx.c, within the ionic_qcq_enable() function in drivers/net/ethernet/pensando/ionic/ionic_lif.c, within the mlx5_function_teardown() function in drivers/net/ethernet/mellanox/mlx5/core/main.c, within the mlx5_vsc_gw_lock() function in drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c, within the mlx5_lag_create_port_sel_table() function in drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c, within the mlx5_health_wait_pci_up() function in drivers/net/ethernet/mellanox/mlx5/core/health.c, within the mlx5_cmd_fast_teardown_hca() function in drivers/net/ethernet/mellanox/mlx5/core/fw.c, within the mlx5e_tunnel_features_check() and mlx5e_features_check() functions in drivers/net/ethernet/mellanox/mlx5/core/en_main.c, within the mtk_init_fq_dma(), mtk_tx_alloc(), mtk_tx_clean(), mtk_rx_alloc(), mtk_dma_free(), sizeof() and mtk_dma_size() functions in drivers/net/ethernet/mediatek/mtk_eth_soc.c, within the npc_mcam_alloc_entries() function in drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c, within the igc_up() and igc_probe() functions in drivers/net/ethernet/intel/igc/igc_main.c, within the igc_ethtool_get_eee() function in drivers/net/ethernet/intel/igc/igc_ethtool.c, within the ice_xsk_pool_disable(), ice_xsk_pool_enable() and ice_realloc_rx_xdp_bufs() functions in drivers/net/ethernet/intel/ice/ice_xsk.c, within the ice_read_nvm_module(), ice_get_pfa_module_tlv(), ice_determine_active_flash_banks() and ice_init_nvm() functions in drivers/net/ethernet/intel/ice/ice_nvm.c, within the ice_vsi_assign_bpf_prog(), ice_prepare_xdp_rings(), ice_destroy_xdp_rings() and ice_xdp_setup_prog() functions in drivers/net/ethernet/intel/ice/ice_main.c, within the ice_vsi_alloc_arrays(), ice_vsi_free_arrays(), ice_vsi_cfg_def() and ice_vsi_decfg() functions in drivers/net/ethernet/intel/ice/ice_lib.c, within the ice_vsi_map_rings_to_vectors() function in drivers/net/ethernet/intel/ice/ice_base.c, within the hclge_push_link_status(), hclge_update_link_status(), hclge_uninit_need_wait() and hclge_uninit_client_instance() functions in drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c, within the hns3_alloc_ring_buffers() and hns3_init_all_ring() functions in drivers/net/ethernet/hisilicon/hns3/hns3_enet.c, within the gve_prep_tso() function in drivers/net/ethernet/google/gve/gve_tx_dqo.c, within the gve_rx_skb_hash() and gve_rx_poll_dqo() functions in drivers/net/ethernet/google/gve/gve_rx_dqo.c, within the lio_vf_rep_copy_packet() function in drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c, within the bnxt_hwrm_fwd_resp() and bnxt_vf_set_link() functions in drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c, within the __hwrm_send() function in drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c, within the qca8k_parse_port_leds() and qca8k_setup_led_ctrl() functions in drivers/net/dsa/qca/qca8k-leds.c, within the vsc_get_sensor_name() function in drivers/misc/mei/vsc-fw-loader.c, within the mei_vsc_remove() function in drivers/misc/mei/platform-vsc.c, within the mei_me_pci_resume() function in drivers/misc/mei/pci-me.c, within the mei_write() function in drivers/misc/mei/main.c, within the gp_aux_bus_probe(), auxiliary_device_uninit() and kfree() functions in drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c, within the mgb4_remove() function in drivers/media/pci/mgb4/mgb4_core.c, within the mei_csi_probe() function in drivers/media/pci/intel/ivsc/mei_csi.c, within the export_symbol_ns_gpl() and ipu6_pci_remove() functions in drivers/media/pci/intel/ipu6/ipu6.c, within the isys_notifier_bound(), isys_remove() and isys_probe() functions in drivers/media/pci/intel/ipu6/ipu6-isys.c, within the ipu6_isys_stream_start() function in drivers/media/pci/intel/ipu6/ipu6-isys-queue.c, within the led_classdev_register_ext() function in drivers/leds/led-class.c, within the define_per_cpu() and plic_probe() functions in drivers/irqchip/irq-sifive-plic.c, within the irqchip_declare() and riscv_intc_acpi_init() functions in drivers/irqchip/irq-riscv-intc.c, within the its_vlpi_map(), its_vlpi_unmap() and its_irq_set_vcpu_affinity() functions in drivers/irqchip/irq-gic-v3-its.c, within the iommu_dma_init_domain() function in drivers/iommu/dma-iommu.c, within the amd_iommu_iopf_init() and amd_iommu_page_response() functions in drivers/iommu/amd/ppr.c, within the do_attach(), detach_device() and amd_iommu_attach_device() functions in drivers/iommu/amd/iommu.c, within the free_pci_segments() and amd_iommu_reenable() functions in drivers/iommu/amd/init.c, within the silead_ts_request_input_dev(), silead_ts_read_data(), silead_ts_init() and silead_ts_read_props() functions in drivers/input/touchscreen/silead.c, within the mlx90635_probe() function in drivers/iio/temperature/mlx90635.c, within the bmp580_read_temp() function in drivers/iio/pressure/bmp280-core.c, within the iio_read_channel_processed_scale() function in drivers/iio/inkern.c, within the inv_mpu6050_probe_trigger() function in drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c, within the inv_mpu6050_read_fifo() function in drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c, within the inv_icm42600_gyro_update_scan_mode() function in drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c, within the inv_icm42600_irq_init() function in drivers/iio/imu/inv_icm42600/inv_icm42600_core.c, within the inv_icm42600_buffer_update_watermark(), inv_icm42600_buffer_fifo_parse() and inv_icm42600_buffer_init() functions in drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c, within the inv_icm42600_accel_update_scan_mode() function in drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c, within the bmi323_trigger_handler() function in drivers/iio/imu/bmi323/bmi323_core.c, within the ad5592r_read_raw() function in drivers/iio/dac/ad5592r-base.c, within the export_symbol_ns_gpl() function in drivers/iio/common/inv_sensors/inv_sensors_timestamp.c, within the __ad9467_get_scale() function in drivers/iio/adc/ad9467.c, within the array_size(), ad7173_append_status(), ad7173_write_raw(), bit() and ad7173_fw_parse_channel_config() functions in drivers/iio/adc/ad7173.c, within the synquacer_i2c_probe() function in drivers/i2c/busses/i2c-synquacer.c, within the i2c_dw_configure_slave() function in drivers/i2c/busses/i2c-designware-slave.c, within the at91_unreg_slave() function in drivers/i2c/busses/i2c-at91-slave.c, within the loader_write_message(), loader_xfer_cmd(), release_dma_bufs() and ishtp_loader_work() functions in drivers/hid/intel-ish-hid/ishtp/loader.c, within the elan_i2c_hid_power_up(), elan_i2c_hid_power_down() and i2c_hid_of_elan_probe() functions in drivers/hid/i2c-hid/i2c-hid-of-elan.c, within the shield_haptics_create() function in drivers/hid/hid-nvidia-shield.c, within the nintendo_hid_probe() function in drivers/hid/hid-nintendo.c, within the module_description() function in drivers/hid/hid-logitech-hidpp.c, within the logi_dj_recv_switch_to_dj_mode() function in drivers/hid/hid-logitech-dj.c, within the hid_i2c_device() and hidinput_configure_usage() functions in drivers/hid/hid-input.c, within the implement() function in drivers/hid/hid-core.c, within the asus_report_fixup() function in drivers/hid/hid-asus.c, within the emit_store_imm_ggtt(), __emit_job_gen12_simple() and __emit_job_gen12_video() functions in drivers/gpu/drm/xe/xe_ring_ops.c, within the xe_guc_pc_stop() function in drivers/gpu/drm/xe/xe_guc_pc.c, within the pf_reset_vf_lmtt(), pf_update_vf_lmtt(), pf_release_vf_config_lmem(), pf_provision_vf_lmem() and pf_reset_config_sched() functions in drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c, within the gt_idle_sysfs_fini() and xe_gt_idle_enable_c6() functions in drivers/gpu/drm/xe/xe_gt_idle.c, within the vmw_connector_to_stdu(), vmw_stdu_crtc_atomic_disable() and vmw_stdu_connector_destroy() functions in drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c, within the vmw_du_cursor_plane_has_changed(), vmw_kms_write_svga() and vmw_connector_mode_valid() functions in drivers/gpu/drm/vmwgfx/vmwgfx_kms.c, within the vmw_gmrid_man_get_node() function in drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c, within the vmw_setup_pci_resources() and vmw_driver_load() functions in drivers/gpu/drm/vmwgfx/vmwgfx_drv.c, within the shmob_drm_remove() and of_match_ptr() functions in drivers/gpu/drm/renesas/shmobile/shmob_drm_drv.c, within the st7789v_probe() function in drivers/gpu/drm/panel/panel-sitronix-st7789v.c, within the nouveau_display_hpd_resume(), nouveau_display_fini() and nouveau_display_create() functions in drivers/gpu/drm/nouveau/nouveau_display.c, within the bioslog() function in drivers/gpu/drm/nouveau/nouveau_bios.c, within the nv50_display_fini() function in drivers/gpu/drm/nouveau/dispnv50/disp.c, within the nv04_display_fini() function in drivers/gpu/drm/nouveau/dispnv04/disp.c, within the mtk_drm_remove() function in drivers/gpu/drm/mediatek/mtk_drm_drv.c, within the hdmi_get_modes() function in drivers/gpu/drm/exynos/exynos_hdmi.c, within the vidi_get_modes() function in drivers/gpu/drm/exynos/exynos_drm_vidi.c, within the pm_ptr() function in drivers/gpu/drm/exynos/exynos_dp.c, within the dmi_match() function in drivers/gpu/drm/drm_panel_orientation_quirks.c, within the export_symbol() function in drivers/gpu/drm/bridge/panel.c, within the komeda_component_get_avail_scaler() function in drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c, within the komeda_register_show(), komeda_debugfs_init(), komeda_dev_create() and komeda_dev_destroy() functions in drivers/gpu/drm/arm/display/komeda/komeda_dev.c, within the smu_v13_0_4_system_features_control() function in drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_4_ppt.c, within the amdgpu_bo_create() function in drivers/gpu/drm/amd/amdgpu/amdgpu_object.c, within the amdgpu_gem_object_create() function in drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c, within the tqmx86_gpii_falling bit(), tqmx86_gpio_set(), tqmx86_gpio_get_direction(), tqmx86_gpio_irq_unmask(), tqmx86_gpio_irq_set_type(), tqmx86_gpio_irq_handler() and tqmx86_gpio_probe() functions in drivers/gpio/gpio-tqmx86.c, within the module_amba_driver() function in drivers/gpio/gpio-pl061.c, within the pcf857x_exit() function in drivers/gpio/gpio-pcf857x.c, within the mc33880_exit() function in drivers/gpio/gpio-mc33880.c, within the module_i2c_driver() function in drivers/gpio/gpio-gw-pld.c, within the __alias(), virt_efi_set_variable(), virt_efi_query_variable_info() and virt_efi_get_next_high_mono_count() functions in drivers/firmware/efi/runtime-wrappers.c, within the exit_boot_func() function in drivers/firmware/efi/libstub/loongarch.c, within the efi_pstore_read_func(), efi_pstore_read(), efi_pstore_write() and efi_pstore_erase() functions in drivers/firmware/efi/efi-pstore.c, within the transmit_complete_callback(), __fw_send_request(), declare_completion(), fw_send_phy_config(), free_response_callback(), fw_send_response(), fw_core_handle_request() and fw_core_handle_response() functions in drivers/firewire/core-transaction.c, within the fw_core_handle_bus_reset() function in drivers/firewire/core-topology.c, within the outbound_phy_packet_callback() and ioctl_send_phy_packet() functions in drivers/firewire/core-cdev.c, within the reset_bus() and br_work() functions in drivers/firewire/core-card.c, within the errcmd_enable_error_reporting() function in drivers/edac/igen6_edac.c, within the __amd64_read_pci_cfg_dword(), __amd64_write_pci_cfg_dword() and gpu_get_node_map() functions in drivers/edac/amd64_edac.c, within the devm_cxl_add_region() and __create_region() functions in drivers/cxl/core/region.c, within the intel_pstate_update_policies(), store_no_turbo(), atom_get_val() and core_get_val() functions in drivers/cpufreq/intel_pstate.c, within the amd_pstate_set_boost() function in drivers/cpufreq/amd-pstate.c, within the __prci_register_clocks() function in drivers/clk/sifive/sifive-prci.c, within the pr_err() function in drivers/clk/clkdev.c, within the tpm_tis_remove() function in drivers/char/tpm/tpm_tis_core.c, within the null_validate_conf() function in drivers/block/null_blk/main.c, within the was_interrupted(), nbd_send_cmd(), set_bit(), trace_nbd_payload_sent() and nbd_handle_cmd() functions in drivers/block/nbd.c, within the lo_read_simple() and lo_fallocate() functions in drivers/block/loop.c, within the uevent_show(), devm_attr_group_remove() and devm_device_add_group() functions in drivers/base/core.c, within the pata_macio_qc_prep() function in drivers/ata/pata_macio.c, within the ata_scsiop_inq_std() function in drivers/ata/libata-scsi.c, within the acpi_device_override_status() function in drivers/acpi/x86/utils.c, within the acpi_thermal_get_polling_frequency() function in drivers/acpi/thermal.c, within the acpi_sbs_callback() function in drivers/acpi/sbs.c, within the acpi_ec_space_handler() and ec_install_handlers() functions in drivers/acpi/ec.c, within the einj_exit() function in drivers/acpi/apei/einj-core.c, within the acpi_execute_reg_methods() function in drivers/acpi/acpica/evxfregn.c, within the acpi_ev_reg_run() function in drivers/acpi/acpica/evregion.c, within the acpi_ac_notify() and acpi_ac_resume() functions in drivers/acpi/ac.c, within the read_sed_opal_key() function in block/sed-opal.c, within the disk_destroy_zone_wplugs_hash_table() function in block/blk-zoned.c, within the blk_flush_complete_seq() and flush_end_io() functions in block/blk-flush.c, within the bio_integrity_free() function in block/bio-integrity.c, within the numa_clear_kernel_node_hotplug() and numa_init() functions in arch/x86/mm/numa.c, within the array_index_mask_nospec() and sym_code_end() functions in arch/x86/lib/getuser.s, within the module_param() and kvm_arch_vcpu_create() functions in arch/x86/kvm/x86.c, within the handle_exception_nmi() function in arch/x86/kvm/vmx/vmx.c, within the prepare_vmcs02_constant_state() and nested_vmx_l0_wants_exit() functions in arch/x86/kvm/vmx/nested.c, within the module_param(), svm_copy_lbrs(), svm_enable_lbrv(), svm_disable_lbrv(), svm_get_msr_feature(), svm_set_msr(), svm_enable_nmi_window() and svm_hardware_setup() functions in arch/x86/kvm/svm/svm.c, within the __sev_launch_update_vmsa(), sev_hardware_setup() and sev_es_init_vmcb() functions in arch/x86/kvm/svm/sev.c, within the tdp_mmu_zap_spte_atomic() function in arch/x86/kvm/mmu/tdp_mmu.c, within the is_cpuid_pse36(), get_walk(), kvm_faultin_pfn() and export_symbol_gpl() functions in arch/x86/kvm/mmu/mmu.c, within the __kvm_wait_lapic_expire(), apic_timer_fn() and kvm_create_lapic() functions in arch/x86/kvm/lapic.c, within the machine_kexec_cleanup() and machine_kexec() functions in arch/x86/kernel/machine_kexec_64.c, within the amd_smn_read() function in arch/x86/kernel/amd_nb.c, within the vmlinux-objs-$() function in arch/x86/boot/compressed/makefile, within the nt_final(), ehdr_init(), get_mem_chunk_cnt(), loads_init(), notes_init(), get_elfcorehdr_size() and elfcorehdr_alloc() functions in arch/s390/kernel/crash_dump.c, within the align() function in arch/s390/boot/vmlinux.lds.s, within the _pa() function in arch/s390/boot/vmem.c, within the fixup_vmlinux_info() and startup_kernel() functions in arch/s390/boot/startup.c, within the setup_bootmem() function in arch/riscv/mm/init.c, within the handle_page_fault() function in arch/riscv/mm/fault.c, within the kvm_riscv_vcpu_set_reg_isa_ext() function in arch/riscv/kvm/vcpu_onereg.c, within the aia_imsic_ppn() function in arch/riscv/kvm/aia_device.c, within the ptr_page_align_down(), __flush_cache_page(), flush_icache_pages(), pte_needs_flush(), flush_dcache_folio(), purge_kernel_dcache_page_asm(), copy_user_highpage(), __flush_tlb_range(), flush_cache_range(), flush_anon_page() and invalidate_kernel_vmap_range() functions in arch/parisc/kernel/cache.c, within the absolute() function in arch/loongarch/kernel/vmlinux.lds.s, within the fdt_smp_setup() and smp_prepare_boot_cpu() functions in arch/loongarch/kernel/smp.c, within the fdt_setup() and platform_init() functions in arch/loongarch/kernel/setup.c, within the contpte_clear_young_dirty_ptes() function in arch/arm64/mm/contpte.c, within the kvm_arm_init_sve() function in arch/arm64/kvm/reset.c, within the limit_nv_id_reg() function in arch/arm64/kvm/nested.c, within the __activate_traps() and kvm_hyp_handle_eret() functions in arch/arm64/kvm/hyp/vhe/switch.c, within the __activate_traps() and kvm_handle_pvm_sys64() functions in arch/arm64/kvm/hyp/nvhe/switch.c, within the divide_memory_pool(), recreate_hyp_mappings() and __pkvm_init_finalise() functions in arch/arm64/kvm/hyp/nvhe/setup.c, within the kvm_get_vttbr(), pvm_init_traps_aa64pfr0() and pkvm_hyp_vm_table_init() functions in arch/arm64/kvm/hyp/nvhe/pkvm.c, within the define_per_cpu(), sync_hyp_vcpu(), handle___kvm_vcpu_run() and handle_trap() functions in arch/arm64/kvm/hyp/nvhe/hyp-main.c, within the sym_func_start() function in arch/arm64/kvm/hyp/fpsimd.s, within the kvm_condition_valid32() function in arch/arm64/kvm/hyp/aarch32.c, within the set_core_reg() function in arch/arm64/kvm/guest.c, within the kvm_arch_vcpu_load_fp() and kvm_arch_vcpu_put_fp() functions in arch/arm64/kvm/fpsimd.c, within the kvm_emulate_nested_eret() function in arch/arm64/kvm/emulate-nested.c, within the nvhe_percpu_order(), teardown_subsystems(), kvm_hyp_init_protection(), init_hyp_mode() and kvm_arm_init() functions in arch/arm64/kvm/arm.c, within the run_all_insn_set_hw_mode() function in arch/arm64/kernel/armv8_deprecated.c, within the prepare_ftrace_return() function in arch/arm/kernel/ftrace.c, within the select_speed() function in documentation/cdrom/cdrom-standard.rst. A local user can execute arbitrary code.
Mitigation
Install update from vendor's repository.
Vulnerable software versions
Linux kernel:
External links
http://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-testing&id=0c9acb1af77a3cb8707e43f45b72c95266903cee
http://lore.kernel.org/lkml/c30fc539-68a8-65d7-226c-6f8e6fd8bdfb@suse.com/
http://security.netapp.com/advisory/ntap-20200103-0001/
http://usn.ubuntu.com/4258-1/
http://usn.ubuntu.com/4284-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
