cve/published/2024/CVE-2024-49949.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-49949: net: avoid potential underflow in qdisc_pkt_len_init() with UFO

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: avoid potential underflow in qdisc_pkt_len_init() with UFO

 After commit 7c6d2ecbda83 ("net: be more gentle about silly gso
 requests coming from user") virtio_net_hdr_to_skb() had sanity check
 to detect malicious attempts from user space to cook a bad GSO packet.

 Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count
 transport header in UFO") while fixing one issue, allowed user space
 to cook a GSO packet with the following characteristic :

 IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.

 When this packet arrives in qdisc_pkt_len_init(), we end up
 with hdr_len = 28 (IPv4 header + UDP header), matching skb->len

 Then the following sets gso_segs to 0 :

 gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
                         shinfo->gso_size);

 Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/

 qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;

 This leads to the following crash in fq_codel [1]

 qdisc_pkt_len_init() is best effort, we only want an estimation
 of the bytes sent on the wire, not crashing the kernel.

 This patch is fixing this particular issue, a following one
 adds more sanity checks for another potential bug.

 [1]
 [   70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
 [   70.724561] #PF: supervisor read access in kernel mode
 [   70.724561] #PF: error_code(0x0000) - not-present page
 [   70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
 [   70.724561] Oops: Oops: 0000 [#1] SMP NOPTI
 [   70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991
 [   70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
 [   70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
 [ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49
 All code
 ========
    0:	24 08                	and    $0x8,%al
    2:	49 c1 e1 06          	shl    $0x6,%r9
    6:	44 89 7c 24 18       	mov    %r15d,0x18(%rsp)
    b:	45 31 ed             	xor    %r13d,%r13d
    e:	45 31 c0             	xor    %r8d,%r8d
   11:	31 ff                	xor    %edi,%edi
   13:	89 44 24 14          	mov    %eax,0x14(%rsp)
   17:	4c 03 8b 90 01 00 00 	add    0x190(%rbx),%r9
   1e:	eb 04                	jmp    0x24
   20:	39 ca                	cmp    %ecx,%edx
   22:	73 37                	jae    0x5b
   24:	4d 8b 39             	mov    (%r9),%r15
   27:	83 c7 01             	add    $0x1,%edi
   2a:*	49 8b 17             	mov    (%r15),%rdx		<-- trapping instruction
   2d:	49 89 11             	mov    %rdx,(%r9)
   30:	41 8b 57 28          	mov    0x28(%r15),%edx
   34:	45 8b 5f 34          	mov    0x34(%r15),%r11d
   38:	49 c7 07 00 00 00 00 	movq   $0x0,(%r15)
   3f:	49                   	rex.WB

 Code starting with the faulting instruction
 ===========================================
    0:	49 8b 17             	mov    (%r15),%rdx
    3:	49 89 11             	mov    %rdx,(%r9)
    6:	41 8b 57 28          	mov    0x28(%r15),%edx
    a:	45 8b 5f 34          	mov    0x34(%r15),%r11d
    e:	49 c7 07 00 00 00 00 	movq   $0x0,(%r15)
   15:	49                   	rex.WB
 [   70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202
 [   70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000
 [   70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
 [   70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000
 [   70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58
 [   70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000
 [   70.724561] FS:  000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000
 [   70.724561] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [   70.724561] CR2: 0000000000000000 CR3: 000000010c568000 CR4: 00000000000006f0
 [   70.724561] Call Trace:
 [   70.724561]  <TASK>
 [   70.724561] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
 [   70.724561] ? page_fault_oops (arch/x86/mm/fault.c:715)
 [   70.724561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
 [   70.724561] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
 [   70.724561] ? fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
 [   70.724561] dev_qdisc_enqueue (net/core/dev.c:3784)
 [   70.724561] __dev_queue_xmit (net/core/dev.c:3880 (discriminator 2) net/core/dev.c:4390 (discriminator 2))
 [   70.724561] ? irqentry_enter (kernel/entry/common.c:237)
 [   70.724561] ? sysvec_apic_timer_interrupt (./arch/x86/include/asm/hardirq.h:74 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2))
 [   70.724561] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:58 (discriminator 4))
 [   70.724561] ? asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702)
 [   70.724561] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/virtio_net.h:129 (discriminator 1))
 [   70.724561] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1))
 [   70.724561] ? _raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4))
 [   70.724561] ? netdev_name_node_lookup_rcu (net/core/dev.c:325 (discriminator 1))
 [   70.724561] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1))
 [   70.724561] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355)
 [   70.724561] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1))
 [   70.724561] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
 [   70.724561] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
 [   70.724561] RIP: 0033:0x41ae09

 The Linux kernel CVE team has assigned CVE-2024-49949 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19.218 with commit 960b360ca7463921c1a6b72e7066a706d6406223 and fixed in 4.19.323 with commit d70ca7598943572d5e384227bd268acb5109bf72
 	Issue introduced in 5.4.162 with commit fb2dbc124a7f800cd0e4f901a1bbb769a017104c and fixed in 5.4.285 with commit 1598d70ad9c7d0a4d9d54b82094e9f45908fda6d
 	Issue introduced in 5.10.82 with commit 8e6bae950da9dc2d2c6c18b1c6b206dc00dc8772 and fixed in 5.10.227 with commit ba26060a29d3ca1bfc737aa79f7125128f35147c
 	Issue introduced in 5.15.5 with commit 0f810d06b507aa40fef8d1ac0a88e6d0590dbfc3 and fixed in 5.15.168 with commit 939c88cbdc668dadd8cfa7a35d9066331239041c
 	Issue introduced in 5.16 with commit cf9acc90c80ecbee00334aa85d92f4e74014bcff and fixed in 6.1.113 with commit d6114993e0a89fde84a60a60a8329a571580b174
 	Issue introduced in 5.16 with commit cf9acc90c80ecbee00334aa85d92f4e74014bcff and fixed in 6.6.55 with commit 25ab0b87dbd89cecef8a9c60a02bb97832e471d1
 	Issue introduced in 5.16 with commit cf9acc90c80ecbee00334aa85d92f4e74014bcff and fixed in 6.10.14 with commit f959cce8a2a04ce776aa8b78e83ce339e0d7fbac
 	Issue introduced in 5.16 with commit cf9acc90c80ecbee00334aa85d92f4e74014bcff and fixed in 6.11.3 with commit 81fd007dcd47c34471766249853e4d4bce8eea4b
 	Issue introduced in 5.16 with commit cf9acc90c80ecbee00334aa85d92f4e74014bcff and fixed in 6.12 with commit c20029db28399ecc50e556964eaba75c43b1e2f1
 	Issue introduced in 4.14.256 with commit 2128303bff700c857739a0af8cc39c1a41840650

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-49949
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/core/dev.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d70ca7598943572d5e384227bd268acb5109bf72
 	https://git.kernel.org/stable/c/1598d70ad9c7d0a4d9d54b82094e9f45908fda6d
 	https://git.kernel.org/stable/c/ba26060a29d3ca1bfc737aa79f7125128f35147c
 	https://git.kernel.org/stable/c/939c88cbdc668dadd8cfa7a35d9066331239041c
 	https://git.kernel.org/stable/c/d6114993e0a89fde84a60a60a8329a571580b174
 	https://git.kernel.org/stable/c/25ab0b87dbd89cecef8a9c60a02bb97832e471d1
 	https://git.kernel.org/stable/c/f959cce8a2a04ce776aa8b78e83ce339e0d7fbac
 	https://git.kernel.org/stable/c/81fd007dcd47c34471766249853e4d4bce8eea4b
 	https://git.kernel.org/stable/c/c20029db28399ecc50e556964eaba75c43b1e2f1
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-49949: net: avoid potential underflow in qdisc_pkt_len_init() with UFO

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: avoid potential underflow in qdisc_pkt_len_init() with UFO

	After commit 7c6d2ecbda83 ("net: be more gentle about silly gso
	requests coming from user") virtio_net_hdr_to_skb() had sanity check
	to detect malicious attempts from user space to cook a bad GSO packet.

	Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count
	transport header in UFO") while fixing one issue, allowed user space
	to cook a GSO packet with the following characteristic :

	IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.

	When this packet arrives in qdisc_pkt_len_init(), we end up
	with hdr_len = 28 (IPv4 header + UDP header), matching skb->len

	Then the following sets gso_segs to 0 :

	gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
	shinfo->gso_size);

	Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/

	qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;

	This leads to the following crash in fq_codel [1]

	qdisc_pkt_len_init() is best effort, we only want an estimation
	of the bytes sent on the wire, not crashing the kernel.

	This patch is fixing this particular issue, a following one
	adds more sanity checks for another potential bug.

	[1]
	[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
	[ 70.724561] #PF: supervisor read access in kernel mode
	[ 70.724561] #PF: error_code(0x0000) - not-present page
	[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
	[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI
	[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991
	[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
	[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
	[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49
	All code
	========
	0: 24 08 and $0x8,%al
	2: 49 c1 e1 06 shl $0x6,%r9
	6: 44 89 7c 24 18 mov %r15d,0x18(%rsp)
	b: 45 31 ed xor %r13d,%r13d
	e: 45 31 c0 xor %r8d,%r8d
	11: 31 ff xor %edi,%edi
	13: 89 44 24 14 mov %eax,0x14(%rsp)
	17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9
	1e: eb 04 jmp 0x24
	20: 39 ca cmp %ecx,%edx
	22: 73 37 jae 0x5b
	24: 4d 8b 39 mov (%r9),%r15
	27: 83 c7 01 add $0x1,%edi
	2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction
	2d: 49 89 11 mov %rdx,(%r9)
	30: 41 8b 57 28 mov 0x28(%r15),%edx
	34: 45 8b 5f 34 mov 0x34(%r15),%r11d
	38: 49 c7 07 00 00 00 00 movq $0x0,(%r15)
	3f: 49 rex.WB

	Code starting with the faulting instruction
	===========================================
	0: 49 8b 17 mov (%r15),%rdx
	3: 49 89 11 mov %rdx,(%r9)
	6: 41 8b 57 28 mov 0x28(%r15),%edx
	a: 45 8b 5f 34 mov 0x34(%r15),%r11d
	e: 49 c7 07 00 00 00 00 movq $0x0,(%r15)
	15: 49 rex.WB
	[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202
	[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000
	[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
	[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000
	[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58
	[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000
	[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000
	[ 70.724561] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 70.724561] CR2: 0000000000000000 CR3: 000000010c568000 CR4: 00000000000006f0
	[ 70.724561] Call Trace:
	[ 70.724561] <TASK>
	[ 70.724561] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
	[ 70.724561] ? page_fault_oops (arch/x86/mm/fault.c:715)
	[ 70.724561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
	[ 70.724561] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
	[ 70.724561] ? fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
	[ 70.724561] dev_qdisc_enqueue (net/core/dev.c:3784)
	[ 70.724561] __dev_queue_xmit (net/core/dev.c:3880 (discriminator 2) net/core/dev.c:4390 (discriminator 2))
	[ 70.724561] ? irqentry_enter (kernel/entry/common.c:237)
	[ 70.724561] ? sysvec_apic_timer_interrupt (./arch/x86/include/asm/hardirq.h:74 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2))
	[ 70.724561] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:58 (discriminator 4))
	[ 70.724561] ? asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702)
	[ 70.724561] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/virtio_net.h:129 (discriminator 1))
	[ 70.724561] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1))
	[ 70.724561] ? _raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4))
	[ 70.724561] ? netdev_name_node_lookup_rcu (net/core/dev.c:325 (discriminator 1))
	[ 70.724561] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1))
	[ 70.724561] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355)
	[ 70.724561] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1))
	[ 70.724561] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
	[ 70.724561] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
	[ 70.724561] RIP: 0033:0x41ae09

	The Linux kernel CVE team has assigned CVE-2024-49949 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19.218 with commit 960b360ca7463921c1a6b72e7066a706d6406223 and fixed in 4.19.323 with commit d70ca7598943572d5e384227bd268acb5109bf72
	Issue introduced in 5.4.162 with commit fb2dbc124a7f800cd0e4f901a1bbb769a017104c and fixed in 5.4.285 with commit 1598d70ad9c7d0a4d9d54b82094e9f45908fda6d
	Issue introduced in 5.10.82 with commit 8e6bae950da9dc2d2c6c18b1c6b206dc00dc8772 and fixed in 5.10.227 with commit ba26060a29d3ca1bfc737aa79f7125128f35147c
	Issue introduced in 5.15.5 with commit 0f810d06b507aa40fef8d1ac0a88e6d0590dbfc3 and fixed in 5.15.168 with commit 939c88cbdc668dadd8cfa7a35d9066331239041c
	Issue introduced in 5.16 with commit cf9acc90c80ecbee00334aa85d92f4e74014bcff and fixed in 6.1.113 with commit d6114993e0a89fde84a60a60a8329a571580b174
	Issue introduced in 5.16 with commit cf9acc90c80ecbee00334aa85d92f4e74014bcff and fixed in 6.6.55 with commit 25ab0b87dbd89cecef8a9c60a02bb97832e471d1
	Issue introduced in 5.16 with commit cf9acc90c80ecbee00334aa85d92f4e74014bcff and fixed in 6.10.14 with commit f959cce8a2a04ce776aa8b78e83ce339e0d7fbac
	Issue introduced in 5.16 with commit cf9acc90c80ecbee00334aa85d92f4e74014bcff and fixed in 6.11.3 with commit 81fd007dcd47c34471766249853e4d4bce8eea4b
	Issue introduced in 5.16 with commit cf9acc90c80ecbee00334aa85d92f4e74014bcff and fixed in 6.12 with commit c20029db28399ecc50e556964eaba75c43b1e2f1
	Issue introduced in 4.14.256 with commit 2128303bff700c857739a0af8cc39c1a41840650

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49949
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/core/dev.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d70ca7598943572d5e384227bd268acb5109bf72
	https://git.kernel.org/stable/c/1598d70ad9c7d0a4d9d54b82094e9f45908fda6d
	https://git.kernel.org/stable/c/ba26060a29d3ca1bfc737aa79f7125128f35147c
	https://git.kernel.org/stable/c/939c88cbdc668dadd8cfa7a35d9066331239041c
	https://git.kernel.org/stable/c/d6114993e0a89fde84a60a60a8329a571580b174
	https://git.kernel.org/stable/c/25ab0b87dbd89cecef8a9c60a02bb97832e471d1
	https://git.kernel.org/stable/c/f959cce8a2a04ce776aa8b78e83ce339e0d7fbac
	https://git.kernel.org/stable/c/81fd007dcd47c34471766249853e4d4bce8eea4b
	https://git.kernel.org/stable/c/c20029db28399ecc50e556964eaba75c43b1e2f1